Netizen Threat Brief: 23 May 2018 Edition
Listed below is information regarding three of this week’s most critical threats and preventative measures to lessen the chances of a breach:
- DNS-Hijacking Malware
- Mirai Botnet Evolved
- Misconfigured Reverse Proxy Servers
- Layered Backup Security to Combat Ransomware
1. DNS-Hijacking Malware
A new DNS-hijacking malware known as Roaming Mantis is being utilized to target Android devices, as well as iOS devices. The malware was initially found to hijack internet routers to distribute banking malware that would steal a user’s login credentials as well as the secret code used for multifactor authentication (MFA). In addition to Android targets, Roaming Mantis has begun phishing attacks for iOS devices and a cryptocurrency mining script for PC users.
The DNS-hijacking takes place when the hacker changes the DNS settings of the wireless routers to redirect traffic to malicious websites that are controlled by the hackers themselves. These malicious websites possess:
- Fake apps infected with banking malware to Android users,
- Phishing sites to iOS users,
- Sites with cryptocurrency mining scripts to desktop users
We recommend the following strategies to mitigate or prevent a breach:
- Ensure that your router is operating at its latest firmware version and protected with a strong and complex password.
- If at all possible, disable the router’s ability for remote administration. It would also be useful to hardcode a trusted DNS server into the OS network settings.
- Android users should install apps from official stores and disable the installation of applications from unknown sources.
- Perform routinely scheduled DNS settings checks of the DNS server address. If the DNS address does not match one you have specifically set or one from your provider, change it back to the appropriate one and change all account passwords immediately.
Kerberoasting is an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This method is especially effective to those that employ poor passwords. The attack itself is geared towards tricking a popular authentication protocol used on Windows known as Kerberos.
There are several different types of Kerberos attacks ranging from recon (SPN Scanning), to offline service account password cracking (Kerberoast), to persistence (Silver & Golden Tickets). The vulnerability surfaces due to Microsoft’s legacy support in Active Directory for older systems and protocols (Windows NT, RC4 Kerberos, etc.).
Here are the most popular AD Kerberos attacks:
- SPN Scanning – finding services by requesting service principal names of a specific SPN class/type.
- Silver Ticket – forged Kerberos TGS service ticket
- Golden Ticket – forged Kerberos TGT authentication ticket
- MS14-068 Forged PAC Exploit – exploitation of the Kerberos vulnerability on Domain Controllers.
- Diamond PAC – blended attack type using elements of the Golden Ticket and the MS14-068 forged PAC.
- Skeleton Key In-memory Malware – malware “patches” the LSASS authentication process in-memory on Domain Controllers to enable a second, valid “skeleton key” password with which can be used to authenticate any domain account.
To protect yourself from being Kerberoasted, we recommend the following:
- Enforce strong passwords. Poor passwords are the root cause for Kerberoasting. Strong passwords should especially be enforced for service accounts associated with SPN’s.
- Utilize Microsoft’s “Managed Service accounts”. These types of accounts will automatically change passwords at determined intervals, lowering the usefulness of any cracked passwords.
- Employ endpoint protection in addition to having an up to date antivirus agent.
- Implement network monitoring for Kerberoasting attacks, such as scheduled vulnerability scanning.
3. Mirai Botnet Evolved
The Mirai Botnet, initially utilized to launch massive Distributed Denial of Service (DDoS) attacks, has since had its code modified to attack unpatched Internet of Things (IoT) devices; turning them into cryptocurrency miners and proxy servers for delivering malware.
Internet of Things is the networking of physical devices, appliances, and other items that have electronics, software, or sensors embedded within them that enables the connection of these objects to exchange data. Notable industries that possess this technology are healthcare and manufacturing. IoT devices continue to be a popular target for hackers as they often lack built-in security features and are most often installed and forgotten about.
Solutions for IoT devices are not always the easiest to implement—however there are actions that an organization can take to better protect their healthcare equipment and people:
- Identify all IoT devices on the network, no matter how long it has been there. You cannot protect what you don’t know is there.
- Data flows should be documented to ascertain what is needed and what is unnecessary and does not add value. With this knowledge, the network can be segmented appropriately—firewalling off any unneeded traffic.
- Control the acquisition and implementation process—smart tv’s, fridges, etc. could open subtle channels for attackers to use to gain entry inside of the network. This happened in the well-known Target breach several years ago where a smart refrigerator was used to inject malware into the network and steal credit card numbers.
- Perform regular vulnerability assessments on internal and external networks to reveal any hidden weaknesses or openings into environment. These risks should then be reviewed at regular intervals, implementing mitigation strategies as feasible.
- Have a structured plan for the organization. Identify key stakeholders, establish security objectives, and coordinate actions to implement controls across the IoT spectrum.
4. Misconfigured Reverse Proxy Servers
A proof of concept (PoC) attack has been discovered to allow unauthenticated users to extract user credentials from misconfigured reverse proxy servers in order to delete, manipulate, or extract data from websites and applications. Targets of the PoC attack include major cloud service providers (CSP) such as Amazon Web Services (AWS) MS Azure, and Google Cloud.
The PoC attack targets APIs that provide access to the metadata associated with identity services (AWS Identity and Access Management (IAM), MS Azure Managed Service Identity (MSI), and Google’s Cloud IAM).
When dealing with Cloud Service Providers, we offer a few recommendations to make sure your data is secure in the hands of someone else:
- Research your cloud solution. Vet the CSP and make sure they take the proper measures when it comes to securing customer data.
- Implement end-to-end encryption for your cloud storage. Typically uploaded and downloaded data is encrypted, however encrypted cloud storage is often overlooked.
- Perform routine patches and updates to in-house software. Unpatched systems can leave a wide opening for hackers to access information.
- Scrutinize your cloud configuration. Disable items not needed, or that are known vulnerabilities.
5. Layered Backup Security to Combat Ransomware
Ransomware attacks continue to make news. In just the last couple of months, high-profile victims included the city of Allentown and a school district in Massachusetts. Many attacks, though, go unreported or unmentioned to the media.
Ensuring your company is prepared for Disaster Recovery, whether it involves data hijacking or natural disasters, is crucial to all business planning. Organizations as a whole should continue to follow the standard “3-2-1” backup plan:
- three different copies of data
- using two different media types
- one of which is off-site or offline.
How can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.