Every month, the Pondurance team hosts a webinar to keep clients current on the state of cybersecurity. In February, the team discussed notable vulnerabilities and trends, took a deep dive into domain controller synchronization (DCSync) attacks, reviewed threat hunting trends, and offered security operations center (SOC) engineering insights.

Notable Vulnerabilities and Trends

The Vulnerability Management Program Team Lead reviewed the vulnerabilities disclosed in January. As many as 2,500 new vulnerabilities were disclosed, and 27 of those were rated high risk. Of those 27, eight were known to be exploited in the wild, affecting products including Atlassian Confluence, Jenkins, Citrix NetScaler, Apple, and Ivanti Connect Secure VPN.

There were no significant new vulnerabilities seen in vulnerability scans in January. Most new findings came from version checks, such as outdated PHP and Apache versions. The team also saw missing Microsoft security updates in authenticated internal scans and recommends running authenticated internal scans, because they give the scanner visibility into the file system, the applications actually running on the host, and the Windows registry, none of which an unauthenticated scan can see.

In addition, the team observed network configurations where external scans were being blocked, though the exact cause is not yet clear. The team also saw internal scans where networking equipment with built-in security functions detected the scanning traffic and may shut down the route or otherwise disrupt the network. An organization that notices missing assets or subnets in its scan results, or has any other issue during scanning, should tell the team so it can troubleshoot the problem.

In early February, the team sent a mass announcement to clients about a Fortinet FortiOS zero-day vulnerability affecting the SSL VPN component of the operating system that runs on FortiGate appliances. The vulnerability (CVE-2024-21762) is an out-of-bounds write that allows a remote, unauthenticated threat actor to execute arbitrary code or commands. Virtual private network (VPN) devices are attractive targets for attackers, and the team noted three such attacks on VPN products in 2022 and 2023. FortiGuard updated its initial advisory to add a second affected product, FortiProxy, a secure web proxy intended to protect end users from internet-based threats.

DCSync Attacks

The Senior Manager of Incident Response talked in detail about DCSync attacks, explaining what they are, how they are executed, and ways to detect them.

A DCSync attack starts when a threat actor impersonates a Windows domain controller (DC) and asks a legitimate DC to replicate directory data to it, the same way DCs synchronize with each other. The replicated data includes sensitive Active Directory contents such as password hashes. The attack requires the threat actor to first obtain elevated privileges: in Active Directory, the account used must hold the "Replicating Directory Changes" and "Replicating Directory Changes All" permissions on the domain, which by default are held only by the domain's administrative groups and the DC computer accounts.

Because the DC answers the request as it would for a real replication partner, the threat actor obtains the password hashes for any account without logging in to a DC or copying the entire Active Directory database (NTDS.dit) off the server. The threat actor simply authenticates with the compromised privileged account and sends the replication request. If an account's password was stored with reversible encryption enabled, the threat actor can immediately recover the plaintext password and use it to move through the environment. Otherwise, the threat actor can "pass the hash," authenticating with the NTLM hash itself and bypassing the need for a plaintext credential.

From there, the threat actor can build a "golden ticket." In a golden ticket attack, the threat actor uses the password hash of the KRBTGT account, the account whose key the domain's Kerberos key distribution center uses to encrypt and sign every ticket-granting ticket, to forge ticket-granting tickets for any user and, with them, request service tickets for any resource in the domain.

To detect a DCSync attack, the team suggests auditing Windows event ID 4662, which is generated when an operation is performed on an Active Directory object (it is only produced when the Directory Service Access audit subcategory is enabled and the domain object carries a matching auditing entry). The team warned that these events are verbose and can overwhelm a SIEM or SOC, so when reviewing them, organizations should filter for requests whose Properties field contains the globally unique identifiers (GUIDs) of the "DS-Replication-Get-Changes" ({1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}) and "DS-Replication-Get-Changes-All" ({1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}) control access rights. Also, look for any non-machine account, that is, an account name that does not end with a dollar sign, in the SubjectUserName field of the event, since legitimate replication is performed by DC computer accounts.

In addition, the team recommends that organizations pay special attention to any application that interacts with Active Directory, since some of them (directory synchronization and identity tools, for example) legitimately request replication and show up in the same events. When building a DCSync detection, it is important to establish a baseline first, because each organization's mix of applications is unique and can generate false positives.
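The detection described above, as an added example that is not Pondurance's code or tooling: a Python triage pass over 4662 records, in the dict form a SIEM returns after parsing the event XML. It keys on the replication-right GUIDs in the Properties field, ignores known DC computer accounts, treats accounts recorded during baselining as expected, and (going one step beyond the text) also flags machine accounts that are not domain controllers. The GUIDs are the real schema values; the domain, host names, user and service-account names are constructed.

```python
"""Triage Windows Security event 4662 records for DCSync-style replication requests.

Added example, not Pondurance's code or tooling. Each event is a dict in the shape a SIEM
returns after parsing the 4662 XML (the field names are the real event fields); the domain,
host names, user and service-account names in the samples are constructed.
"""
import re
from typing import Iterable, Optional

# Control-access-right GUIDs a replication partner must hold (real Active Directory schema values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = frozenset({
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
})
# Object-class GUIDs used only to make the sample records look like real ones.
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"

# 4662 lists exercised rights and touched attributes as brace-wrapped GUIDs in Properties.
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)


def replication_rights_in(properties: str) -> frozenset:
    """Return the replication rights named in a 4662 Properties field (empty if none)."""
    return frozenset(g.lower() for g in GUID_RE.findall(properties)) & REPLICATION_RIGHTS


def triage_4662(event: dict, known_dcs: frozenset, baseline_accounts: frozenset) -> Optional[str]:
    """Classify one event as None (ignore), "baseline" (known sync account) or "alert".

    known_dcs and baseline_accounts hold lower-cased SubjectUserName values.
    """
    if event.get("EventID") != 4662:
        return None
    if not replication_rights_in(event.get("Properties", "")):
        return None  # ordinary directory access, not a replication request
    subject = event.get("SubjectUserName", "").lower()
    if subject.endswith("$"):
        # Machine account. DC-to-DC replication is normal; a workstation or member server
        # asking for replication is not. The page's rule is to focus on non-machine accounts;
        # comparing against the DC list is a stricter extension of that rule.
        return None if subject in known_dcs else "alert"
    if subject in baseline_accounts:
        return "baseline"  # e.g. a directory-sync service account recorded while baselining
    return "alert"


def find_dcsync(events: Iterable[dict], known_dcs: frozenset, baseline_accounts: frozenset) -> list:
    """Return (SubjectUserName, verdict) for every event that is a replication request."""
    findings = []
    for event in events:
        verdict = triage_4662(event, known_dcs, baseline_accounts)
        if verdict is not None:
            findings.append((event.get("SubjectUserName", ""), verdict))
    return findings


def _event(subject, properties, object_type=DOMAIN_DNS_CLASS, access_mask="0x100"):
    """Constructed 4662 record. A DCSync request targets the domain naming context
    (class domainDNS) with AccessMask 0x100 (Control Access)."""
    return {"EventID": 4662, "SubjectUserName": subject, "SubjectDomainName": "CORP",
            "ObjectType": "%{" + object_type + "}", "ObjectName": "DC=corp,DC=example",
            "AccessMask": access_mask, "Properties": properties}


_REPL_PROPS = (f"Control Access\n\t{{{DS_REPLICATION_GET_CHANGES}}}"
               f"\n\t{{{DS_REPLICATION_GET_CHANGES_ALL}}}\n\t{{{DOMAIN_DNS_CLASS}}}")

SAMPLE_EVENTS = [  # constructed
    _event("DC02$", _REPL_PROPS),          # known DC replicating: ignore
    _event("jsmith", _REPL_PROPS),         # human account pulling secrets: alert
    _event("svc-dirsync", _REPL_PROPS),    # sync account known from baselining: baseline
    _event("WS-FINANCE07$", _REPL_PROPS),  # computer account that is not a DC: alert
    _event("jsmith", f"Read Property\n\t{{{USER_CLASS}}}",  # plain attribute read: ignore
           object_type=USER_CLASS, access_mask="0x10"),
]
KNOWN_DCS = frozenset({"dc01$", "dc02$"})
BASELINE_ACCOUNTS = frozenset({"svc-dirsync"})

if __name__ == "__main__":
    for name, verdict in find_dcsync(SAMPLE_EVENTS, KNOWN_DCS, BASELINE_ACCOUNTS):
        print(f"{verdict:8s} {name}")
```

In a real deployment the known-DC list comes from the Domain Controllers OU and the baseline set is built by reviewing a few weeks of matching events before alerting is turned on; remember that no 4662 is written at all unless the Directory Service Access audit subcategory is enabled and the domain object audits control-access rights.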

Threat Hunting Review

The Director of SOC Operations discussed upward and downward trends in cyberattacks observed by the SOC team.

Ransomware. The most prevalent malware threat is ransomware. 

Credential harvesting via phishing emails. This type of attack is trending up, helped by the use of artificial intelligence (AI) services like ChatGPT. AI-written lures are harder to identify because the easy tells, such as poorly worded emails and bad grammar, are being corrected. The team suggests enforcing multifactor authentication on all user accounts and continuing user awareness training. The team also sees a trend toward credential harvesting attacks in which the threat actor creates auto-forward rules in the compromised mailbox; Pondurance can detect the creation of those rules.
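One way to spot the auto-forward rules mentioned above, as an added example and not the detection Pondurance runs: a pass over Microsoft 365 Unified Audit Log records for the Exchange cmdlets that create or change inbox rules and mailbox forwarding, flagging any that send mail to a domain outside the organization and noting the parameters attackers add so the victim never sees the forwarded copies. The cmdlet and parameter names are real; the internal domain, users and records are constructed.

```python
"""Flag mailbox rules and forwarding settings that send mail outside the organization.

Added example, not Pondurance's detection. Records follow the shape of Microsoft 365
Unified Audit Log entries for Exchange cmdlets: an Operation name plus a Parameters list
of Name/Value pairs. The internal domain, users and sample records are constructed.
"""
import re

INTERNAL_DOMAINS = frozenset({"corp.example"})  # constructed; list your accepted domains here

RULE_OPERATIONS = frozenset({"New-InboxRule", "Set-InboxRule", "Set-Mailbox"})
# Cmdlet parameters that cause a copy of the mail to leave the mailbox.
FORWARDING_PARAMS = frozenset({
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",  # New-InboxRule / Set-InboxRule
    "ForwardingSmtpAddress", "ForwardingAddress",        # Set-Mailbox
})
# Parameters attackers combine with forwarding to hide the activity from the mailbox owner.
STEALTH_PARAMS = frozenset({"DeleteMessage", "MarkAsRead", "MoveToFolder"})

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def external_addresses(value: str) -> list:
    """Pull SMTP addresses out of a parameter value ("smtp:x@y", "Name <x@y>") and
    keep those whose domain is not one of ours."""
    return [m.group(0) for m in ADDRESS_RE.finditer(value)
            if m.group(1).lower() not in INTERNAL_DOMAINS]


def inspect_record(record: dict):
    """Return a finding for a rule or forwarding change aimed outside the org, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}
    targets = [addr for name in sorted(set(params) & FORWARDING_PARAMS)
               for addr in external_addresses(params[name])]
    if not targets:
        return None
    stealth = sorted(name for name in set(params) & STEALTH_PARAMS
                     if params[name].lower() not in ("", "false"))
    return {"user": record.get("UserId"), "operation": record["Operation"],
            "rule": params.get("Name"), "targets": targets, "stealth": stealth}


def find_forwarding(records) -> list:
    """All findings, in log order."""
    return [f for f in (inspect_record(r) for r in records) if f]


SAMPLE_RECORDS = [  # constructed
    {"Operation": "New-InboxRule", "UserId": "amy@corp.example", "Parameters": [
        {"Name": "Name", "Value": "."},  # one-character rule names are a common attacker habit
        {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
        {"Name": "ForwardTo", "Value": "ext-collector@mail-drop.example"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@corp.example", "Parameters": [
        {"Name": "Name", "Value": "Team updates"},
        {"Name": "ForwardTo", "Value": "team-lead@corp.example"}]},  # internal: fine
    {"Operation": "Set-Mailbox", "UserId": "cara@corp.example", "Parameters": [
        {"Name": "Identity", "Value": "cara@corp.example"},
        {"Name": "ForwardingSmtpAddress", "Value": "smtp:cara.home@webmail.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "dan@corp.example", "Parameters": [
        {"Name": "Identity", "Value": "dan@corp.example"},
        {"Name": "AuditEnabled", "Value": "True"}]},  # unrelated mailbox change
]

if __name__ == "__main__":
    for finding in find_forwarding(SAMPLE_RECORDS):
        print(finding)
```

Mailbox-level forwarding set through Set-Mailbox is worth catching alongside inbox rules because it survives the user deleting their rules, and the stealth parameters turn a "possible" into a "probable" when triaging.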

Malware delivery via phishing emails. This attack method is trending up as well. Most notably, password-protected documents and zip files, which are often associated with ransomware and infostealers, are increasing in frequency, because the password stops email gateways from inspecting the contents. The team recommends that organizations block password-protected documents and zip files at the email gateway where that is appropriate. The team also sees an increase in the use of screensaver (.scr) files to drop malware in the user's home directory, which is not new in itself, but threat actors are now choosing file names that would not look out of place in a home directory in the hope of avoiding detection. In addition, threat actors are hosting malicious components on commonly allowed, legitimate domains such as blogspot.com. To stay safe, the team recommends that organizations know their environments, know their users, and keep an eye on trends.
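The gateway block recommended above, as an added example rather than any vendor's implementation: a Python check that decides whether a ZIP attachment is password-protected by reading the encryption flag the ZIP format sets on every encrypted entry. Because the standard library cannot write encrypted archives, the sample flips that flag on a constructed plaintext archive to get a header-faithful test case; the attachment names and contents are constructed.

```python
"""Gateway-style check for password-protected ZIP attachments.

Added example, not Pondurance's gateway logic. It reads the archive's central directory with
the standard library and tests general-purpose flag bit 0, which the ZIP format sets on every
encrypted entry (classic ZipCrypto and the AES variants alike). Archives are built in memory.
"""
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0, present in local and central headers


def encrypted_entries(data: bytes) -> list:
    """Names of entries flagged as encrypted; raises zipfile.BadZipFile for non-archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED_FLAG]


def should_quarantine(data: bytes) -> bool:
    """Gateway decision: hold anything with an encrypted entry, or that is not a valid ZIP."""
    try:
        return bool(encrypted_entries(data))
    except zipfile.BadZipFile:
        return True  # a malformed archive cannot be inspected either, so treat it the same way


def make_zip(files: dict) -> bytes:
    """Build a small archive in memory (stored, not deflated, so the header scan below is exact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data: bytes) -> bytes:
    """Set the encryption flag in every local file header and central directory entry.

    The standard library cannot write encrypted archives, so this patches the flag field of a
    constructed plaintext ZIP. The payload is not actually encrypted; only the header flag a
    gateway keys on is set, which is exactly what the check above looks at.
    """
    out = bytearray(data)
    # Local header: PK\3\4, version(2), flags(2).  Central entry: PK\1\2, made-by(2), version(2), flags(2).
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(signature)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", out, pos + flag_offset)
            struct.pack_into("<H", out, pos + flag_offset, flags | ENCRYPTED_FLAG)
            pos = out.find(signature, pos + len(signature))
    return bytes(out)


if __name__ == "__main__":
    plain = make_zip({"invoice.pdf": b"%PDF-1.4 constructed sample"})
    locked = mark_encrypted(plain)
    print("plain  ->", "quarantine" if should_quarantine(plain) else "deliver")
    print("locked ->", "quarantine" if should_quarantine(locked) else "deliver", encrypted_entries(locked))
```

Password-protected Office documents need a separate check: an encrypted .docx or .xlsx is not a ZIP at that point but an OLE compound file carrying an EncryptedPackage stream, so a ZIP-only rule will pass it through. The "if appropriate" in the recommendation matters too, since some business workflows legitimately exchange encrypted archives and will need an allowlist rather than a blanket block.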

Malware delivery via drive-by websites. This attack method is trending way down, though threat actors are still using exploit kits. 

SOC Engineering Insights

The Senior Manager, SOC Engineer, discussed Adload, a malware family that targets macOS. With roughly 1,500 hits per day at peak, Adload is one of the more prevalent adware families the team sees in its beacon streams and across its intelligence feeds. The malware impersonates popular video players and widely used applications and redirects victims to malicious websites.

Adload has evolved its tactics, techniques, and procedures (TTPs) over time: it has been rewritten in platform languages such as Go, it uses living-off-the-land binaries built into macOS, and it calls out to legitimate projects on GitHub so that users mistake it for benign software. In addition, Adload uses a number of TTPs common to other malware, including:

  • Using code-signing certificates to look legitimate
  • Hijacking browser sessions
  • Using two exploits to bypass macOS security features so that it can install and persist
  • Arriving through malvertising and malware droppers such as UpdateAgent

The team encourages organizations to share information specific to their own networks, such as host inventories, VIP lists, honeytokens, and noisy guest networks, so the team can properly tune its event stacks.

Next Month

The Pondurance team will host another webinar in March to discuss new cybersecurity activity. Check back next month to read the summary.