Netizen Threat Brief: 28 March 2018


Listed below is information regarding three of this week’s most critical threats and preventative measures to lessen the chances of a breach:
1. Mabna Intrusion
2. Leaky etcd Servers
3. Atlanta City Government Breached

1. Mabna Intrusion


Malicious cyber actors have been detected from the Iran-based Mabna Institute. These threat actors were conducting numerous password spray attacks against organizations worldwide, including the United States. Password spray attacks work much like brute force attacks in that they bombard logins with different passwords, trying for one that works. Brute forcing can be halted, somewhat, but lockout functionalities; spray attacks circumvent this lockout functionality by trying only a few of the most common passwords against multiple user accounts.Common symptoms among victims included a lack of multi-factor authentication (MFA), missing preventative network activity alerts, and the permitted use of easy-to-guess passwords.

The Mabna threat actors mainly targeted organizations utilizing single sign-on (SSO) capabilities and cloud-based applications that use federated authentication protocols (Secure Shell, SSL/TLS, HTTPS, Kerberos). The malicious efforts seemed largely focused on Microsoft Office 365 (O365). Once a victim has been compromised, the threat actors would then use inbox synchronization to obtain unauthorized access to the organization’s email directly from the cloud; this would then allow them to download user mail to locally stored email files. Mabna could then also implement inbox rules for the forwarding of sent and received messages in email clients like MS Outlook.


Mabna targets SSO simply because there is a single point of compromise, letting them access large amounts of intellectual property. A good sign that is indicative of a password spray attack would be a massive spike in attempted logons to the company portal or other web-based applications; also, employee logins from IP addresses that resolve out to locations that are inconsistent with their normal locations. We recommend the following:

  • Enable and utilize MFA capabilities as an added layer of security.
  • Review password policies to ensure the complexity of employee passwords. They should not be dubbed “easy-to-guess”.
  • Review IT Helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT Helpdesk password procedures may not align to company policy, creating a security gap Mabna can exploit.
  • Employ end-user awareness and training. The more that employees are versed in basic cyber-security principles, the safer the organization will be.

2. Leaky etcd Servers


Thousands of etcd servers have been leaking near 750mb worth of passwords and keys; etcd servers are types of databases that computing clusters and other types of networks use to store and distribute passwords and configuration settings needed by various servers and applications. Thousands of these servers, which are operated and utilized by various businesses and organizations, now have been discovered to be openly sharing credentials. These openly shared credentials may allow anyone on the Internet to log in, read, or modify potentially sensitive data stored online.

Etcd (or /etc distributed) servers contain an interface that responds to simple queries that, by default, return administrative login credentials without first prompting authentication. The passwords, encryption keys, and other credentials can be used to access MySQL and PostgreSQL databases, content management systems (CMS) such as WordPress, as well as other production servers. One of the biggest concerns would be a threat actor gaining root access to one of these databases or systems.


Data retrieved from these numerous servers included:

  • 8,781 passwords. For obvious reasons, this is incredibly bad for threat actors to obtain. This is especially true if the only thing protecting the etcd server is a simple password.
  • 650 Amazon Web services access keys. An end-user needs these access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.
  • 23 secret keys. Secret keys are pieces of information, or parameters, that are used to encrypt and decrypt messages in either symmetric or secret-key encryption.
  • 8 private keys. Private keys are used to decrypt a public key encrypted message. A stolen private key could be used to decrypt intercepted data.

Many of the servers were also found with very poor security practices, including simple easy-to-guess passwords. The following recommendations should be considered with etcd servers:

  • Use MFA when possible to prevent credentials from being used on their own to gain access to the servers they protect.
  • Whenever possible, etcd servers should not be exposed to the Internet.
  • Admins should change their default settings so that the servers pass credentials only when users authenticate themselves.
  • Anyone maintaining an etcd server should consider changing the default behavior to require authentication. Making authentication optional and turning it off by default is never a good idea, however, users will often deploy systems with default settings.
  • Configure a firewall rule to avoid unauthorized individuals from querying the etcd server.
  • Perform security reviews and checks for all externally facing infrastructure.

3. Atlanta City Government Breach


The Atlanta City Government has been breached with a large-scale ransomware attack that has since locked down and encrypted several departmental systems containing sensitive data. Ransomware is a type of malware that encrypts a victim’s files on their computer. Upon discovery of the locked down files, a message appears demanding a ransom be paid (typically in the form of bitcoin) in which the files will then be decrypted. In this Atlanta case, the threat actors demanded a ransom of $6800 dollars per unit or $51,000 to unlock the entire system; again, all in bitcoin. Officials are still assessing the scope and entirety of the attack.

This most recent exploitation was launched in the wake of the similar Allentown City Government breach. In February, Emotet, a banking trojan malware, was used to steal financial information by injecting computer code into the shared folders and drives of connected computers on the Allentown City network. While it is not certain if the attacks are linked, both would have required a considerable amount of skill from an organized group and have similar methods of attack and operation.


To prevent a ransomware attack, we recommend:

  • Implement MFA (Multi-Factor authentication).
  • Employ account lockout policies and user permission/restriction rules to create a resistance to Brute Force Attacks.
  • Utilize encryption channels to help prevent attackers from snooping on remote connections.
  • Back up your files/data offsite in a secure location. Should you fall victim to ransomware, you will at least have a backup. It is also good security practice to verify the integrity of that backup process.
  • Audit logs for all remote connection protocols.
  • Audit logs to ensure all new accounts were intentionally created.
  • Scan for open or listening ports, and mediate.
  • Update and patch systems regularly.
  • To prevent ransomware by way of social engineering, conduct regular meetings to inform and educate employees on proper cyber-hygiene (how to spot a phishing email, using complex passwords, lock your computer when leaving the workstation).

If already infected:

  • Disconnect from the internet, so as not to infect other machines.
  • Report to law enforcement.
  • Seek help from a technology professional who specializes in data recovery to see what options you have.
  • Do not pay the ransom. It is not guaranteed that you will get your data back, as these people are criminals, and your funds to the threat actors will only supplement their illegal activities.

How can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.