Every month, the Pondurance team hosts a webinar to keep clients current on the state of cybersecurity. In December, the team discussed novel tactics, notable vulnerabilities, current trends, and data leaks.

Novel Tactics

To kick off the webinar, the Director of Incident Response discussed several novel tactics recently used by threat actors including:

  • Supply chain attack. The incident response team uncovered a new supply chain attack related to CCTV updates. Ransomware actor LockBit developed a novel C# backdoor executable that lets it hide at the network level and avoid detection while PowerShell communicates outbound. The intrusion involves mass scanning, Active Directory enumeration, loud network-level scans, data exfiltration, and encryption of the network.

  • Citrix Bleed. Threat actors are using session hijacking to capture a valid session and establish persistence in the environment. From there, they install a backdoor and move laterally from the Citrix server to the domain controllers and then to the SQL servers.

  • Confluence. Companies that use the Atlassian Confluence server experienced a mass exploitation in November. The threat actor moved laterally through the environment, exported data on the server, and encrypted it for extortion purposes.

  • Single sign-on bypass. A recent bypass occurred through Okta because an employee’s account had a master password configured as a local sign-on. The team stresses that local logins on administrator accounts, especially at the software-as-a-service (SaaS) level, are an easy entry point.

  • Business email compromise (BEC) and ransomware. The team saw two times the normal volume of BEC and ransomware in November and December, and it expects to see a ramp-up during the holidays and into January, particularly involving the Citrix vulnerability and novel techniques.

Vulnerabilities

The Vulnerability Management Team Lead looked at vulnerabilities from November. As many as 2,200 vulnerabilities were disclosed, and 13 of those vulnerabilities were high risk. Of those 13, seven were zero-day vulnerabilities. The zero days included products from:

  • Apple iOS – Two remote code execution vulnerabilities occurred, and updates were pushed to iPhone and iPad devices.
  • Google Chrome – The vulnerability, tied to the Skia 2D graphics engine, impacted Chrome-based browsers, Chromebook, Chrome OS, and Android phones. The zero day required updates to devices as well as updates to Microsoft Edge, Firefox, and other lesser-known browsers.
  • Microsoft – Three zero-day vulnerabilities occurred on Microsoft products, and all required a patch.
  • SysAid IT on-premises software – The IT service management vulnerability, similar to the MOVEit vulnerability from June, targeted a wide range of industries and sectors.

The team took an in-depth look at the ownCloud information disclosure vulnerability. ownCloud is a cloud-based backup and file-sharing solution in the same category as Google Drive or Microsoft OneDrive. The vulnerability, CVE-2023-49103, is in the GraphAPI extension of the software and affects installations deployed through Docker. It affected roughly 12,000 victims in the United States and a few European countries, leaking data such as administrative passwords, mail server credentials, license keys, and server configuration information.

The vulnerability can be resolved in two ways. One option is to update GraphAPI to a patched version, 0.2.1 or 0.3.1. Disabling the GraphAPI extension is not a viable option because exploitation is still possible while the extension is disabled. The second (and probably better) option is to upgrade ownCloud to at least 10.13.1 and apply the patches for CVE-2023-41904 and CVE-2023-41905. The upgrade also patches a few application bypass vulnerabilities. The team suggested that companies need to know whether the software running in their environment is accessible over the internet and which versions of that software are running.

The team also saw new critical vulnerabilities in scans in November. The fixes for these vulnerabilities are software patches, for example for Apache Tomcat (affected versions 9.0.0.M1 through 9.0.83) and security updates for the Microsoft .NET Framework and KB5032196.

SOC Trends

The Director of SOC Operations talked about upward and downward trends that the security operations center (SOC) team has observed. 

Phishing is trending up and remains the primary vector for attacks. The main goals of these attacks are social engineering, credential harvesting, and malware delivery. In December, the SOC team saw three primary trends in phishing. First, PDFs are being used that contain JavaScript or a link to a malicious website. Second, threat actors are using password-protected documents and zip files to get past email filters; ransomware and information-stealer malware are commonly associated with this activity. Third, threat actors are using screensaver files to drop malware inside the user’s home directory. Endpoint detection and response solutions should catch this activity, but companies with their own internal threat hunting programs should also look for it.

Cryptomining is still active but on the downtrend, possibly due to the downward market swing in cryptocurrency following the FTX collapse. However, with financial services companies pushing to establish Bitcoin exchange-traded funds and a recent surge in the Bitcoin market, the team expects to see more cryptomining in the near future.

The team also has seen a recent trend in the creation of auto-forward rules on Microsoft Office 365 accounts. Pondurance has detection for such rules, and the social engineering tactic that leads to them can be prevented by employing multifactor authentication and user awareness training.
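As an added example (not Pondurance's own detection logic), the following Python check flags mailbox forwarding set up through inbox rules or mailbox settings, as seen in Exchange Online audit records; it assumes the record shape (Operation, UserId, and a Parameters name/value list) and runs over constructed sample records.

```python
from typing import Dict, Iterable, List

# Exchange Online cmdlet parameters whose value is a forwarding destination, and the operations that set them.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

def addresses(value: str) -> List[str]:
    """Split a value like '[smtp:a@x.com; b@y.org]' into bare, lower-cased addresses."""
    out = []
    for part in value.replace("[", "").replace("]", "").split(";"):
        part = part.strip().split(":", 1)[-1]   # drop 'smtp:' / 'SMTP:' prefixes
        if "@" in part:
            out.append(part.lower())
    return out

def find_forwarding_rules(records: Iterable[Dict], internal_domains: Iterable[str]) -> List[Dict]:
    """One finding per forwarding destination seen in rule/mailbox change records."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") in FORWARDING_PARAMS:
                for addr in addresses(str(param.get("Value", ""))):
                    findings.append({"user": rec.get("UserId"), "operation": rec["Operation"],
                                     "parameter": param["Name"], "destination": addr,
                                     "external": addr.split("@", 1)[1] not in internal})
    return findings

# Constructed sample records in the shape of Exchange Online AuditData (not real logs).
SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "smtp:finance-drop@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@corp.example",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.archive@corp.example"}]},
    {"Operation": "MailItemsAccessed", "UserId": "carol@corp.example", "Parameters": []},
]

def external_forwarding_alerts(records=SAMPLE_AUDIT, internal_domains=("corp.example",)) -> List[Dict]:
    """Only the findings whose destination domain lies outside the organisation."""
    return [f for f in find_forwarding_rules(records, internal_domains) if f["external"]]

if __name__ == "__main__":
    for f in external_forwarding_alerts():
        print(f"ALERT {f['user']} {f['operation']} {f['parameter']} -> {f['destination']}")
```

Internal forwarding (bob's archive) is recorded but not alerted; the rule named "." that forwards and deletes is the pattern worth a closer look.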

SOC Engineering

The SOC Engineering Lead discussed the informative (and sometimes dark) topic of data leaks. The data may be used by governments, advertisers, third parties, or others for legitimate or nefarious reasons. A person can experience data leaks in a multitude of ways including:

  • Smart devices. Phones, texts, TVs, doorbell cameras, and security cameras can gather information and even spy on individuals while at home, at work, in the car, or taking a walk.

  • Listening devices. Home assistant devices like Alexa and even internet-connected baby monitors can become listening devices for threat actors. Also, Comcast systems in boardrooms can be used to eavesdrop on conversations.

  • Apps. People use apps to start the car, listen to music, make travel plans, and more, and third parties will pay money for the information contained in those apps. Most Americans also have social media apps on their phones but don’t know how much data the apps are collecting. TikTok, for example, collects every setting on a phone, including access to messages, contacts, and web browsing history. In addition, Apple and Google recently revealed that foreign governments are monitoring their push notifications to spy on individuals, and the companies have no leverage to stop the governments from asking for notifications if they want to do business in those countries.

  • Proximity. Data leaks can happen when in close proximity to a retail store. Beacons, or small tech devices that send signals to smartphones, are installed to track where consumers walk inside a store. That way, if a consumer is spending time in the laundry detergent aisle, he or she may get a digital ad for Tide. There are even ultrasonic beacons that emit sounds that people can’t hear, but smartphones can. Using these beacons, advertisers can develop individual profiles on consumers based on the data they collect, such as where they shop, what they buy, and which apps they use.

  • Tracking. Loyalty cards, credit cards, and even license plates can leak data. And, of course, a person’s exact location can be identified using apps, GPS location, and satellite triangulation. Also, dust and scratches on a camera lens can be matched to an individual’s phone, and Facebook has a patent for technology that can determine whose camera took a particular photo based on the dark spots or pixelation within the image.

  • Work issues. Every piece of code, app, and device added to a network can potentially open a new avenue of exploitation. The team encouraged users to learn more about free services like VirusTotal and Word Cloud before using them. Also, the team stressed the pitfalls of renting a car and syncing a company phone to it, warning that the car will retain a copy of what’s on the phone, including emails, images, and contacts.

To protect against data leaks, the team recommends removing administrative rights from users, managing web browsers through Active Directory and Azure, and installing ad-blocking software and extensions.

Next Month

The Pondurance team will host another webinar in January to discuss new cybersecurity activity. Check back next month to read the summary.