Author: raxis-sys-admin

  • LDAP Passback and Why We Harp on Passwords

    Hackers are like anyone else in that they would rather work smarter, not harder – picking the low-hanging fruit first. Oftentimes, we find companies who put it in front of them without even knowing it.

    In today’s video, I demonstrate how to conduct a Lightweight Directory Access Protocol (LDAP) passback attack, essentially using third-party hardware or software as an access point to a company network. I’ll show you three different ways to conduct the attack and offer some helpful tips on how to defend against it. 

    What I believe is important to add here is the common thread that links all of them: access to a password. If you want to know why our discussions seem to always circle back to that concept, it’s because an improperly protected password is a master key for hackers, whether their hats are white or black. 

    One is usually all we need to get inside your network. From there, the possibilities are limited only by our imaginations (and our scope of work). As I discuss at the outset of the video, too many of our customers make it easy by leaving devices like printers set to their default passwords or even null passwords, meaning they never created a password to begin with.

    Once we control the device, capturing legitimate passwords is easy. The Raxis team has conducted several internal network tests where discovering an admin interface with default or null credentials got us full domain admin access to the network. In one case, a vendor told the company that the default password was okay to use for a few weeks until things were all set up. In another, we found a password file on a sensitive file share that had been set up without a password while the IT staff moved it to a new server. And still another company had no clue a system had a default password; they said it had always been that way.

    LDAP passback attacks can be prevented, but it takes robust security controls for everything with an IP address on your network – including printers and other devices.

    Remember, if it’s connected, it must be protected. 

    Make sure all your devices are locked down with a strong password — no matter how innocuous the device may seem. It’s a hacker’s job to find their way in. It’s Raxis’ job to identify these vulnerabilities so that you can correct them before that happens. 

    Our team of experts is ready to help you and your organization find its weaknesses and strengthen your security. Talk with our team today.

  • SonicWall Patches Three Zero-Day Vulnerabilities

    SonicWall has tested and published patches to mitigate three zero-day vulnerabilities in its email security products this week. Hackers are actively exploiting these vulnerabilities in the wild, and customers should patch them immediately.

    Affected Products

    The vulnerabilities affected the following versions of SonicWall’s email security and hosted email security products:

    • 10.0.1
    • 10.0.2
    • 10.0.3
    • 10.0.4-Present

    The Addressed Vulnerabilities

    The patches released by SonicWall mitigate three CVEs, listed below:

    More details from SonicWall can be found in its company advisory as well as in FireEye’s detail of how the exploits were being used. Here are links to both:

    Remediations

    SonicWall has patched its hosted email security product automatically, but customers will need to upgrade in-house email security products on their own, using the following versions:

    • (Windows) Email Security 10.0.9.6173
    • (Hardware & ESXi Virtual Appliance) Email Security 10.0.9.6173

    SonicWall also provides detailed instructions for upgrading in this advisory article: https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/


  • NSA, FBI, CISA Statement on Russian SVR Activity

    What does it mean for your business?

    Summary of the Statement

    Last week, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a joint statement on five different vulnerabilities that the Foreign Intelligence Service of the Russian Federation (SVR RF) is known to be exploiting currently.

    How does this affect your business?

    Even if your business is not a target of the SVR RF, other threat actors, such as ransomware gangs, are taking advantage of the same vulnerabilities. Therefore, if you have been using any of the affected product versions, you should take them offline, upgrade to the most recent version, and begin an incident response process to verify your servers have not been compromised. Additionally, Raxis recommends performing the same process on other recently exploited products such as SolarWinds Orion and Microsoft Exchange Server.

    Affected Product Versions & Associated CVEs

    Fortinet FortiGate VPN

    • Version: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12
    • CVE: CVE-2018-13379

    Synacor Zimbra Collaboration Suite

    • Version: Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10
    • CVE: CVE-2019-9670

    Pulse Secure Pulse Connect Secure VPN

    • Version: Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
    • CVE: CVE-2019-11510

    Citrix Application Delivery Controller and Gateway

    • Version: Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b
    • CVE: CVE-2019-19781

    VMware Workspace ONE Access

    • Version: VMware Workspace ONE Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 to 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 to 3.3.3 and 19.03, VMware Cloud Foundation 4.0 to 4.1, and VMware vRealize Suite Lifecycle Manager 8.x
    • CVE: CVE-2020-4006

    Remediation

    If your business is running any of the aforementioned product versions, upgrade immediately to the most recent versions following the guides for each product below:

    • Fortinet FortiGate VPN
    • Synacor Zimbra Collaboration Suite
    • Pulse Secure Pulse Connect Secure VPN
    • Citrix Application Delivery Controller and Gateway
    • VMware Workspace ONE Access
    • SolarWinds Orion
    • Microsoft Exchange

    Additionally, Raxis recommends beginning an incident response process on any servers exposed to the internet that are running these product versions, as they are actively being exploited in the wild.

    Associated Links

    NSA, FBI & CISA Statement: https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/

    CVE Links:

  • New Metasploit Module: Microsoft Remote Desktop Web Access Authentication Timing Attack

    Editor’s note: Congratulations to Raxis Lead Penetration Tester Matt Dunn for discovering the following exploit and publishing it as a Metasploit Module. This is a tremendous professional milestone for Matt and for Raxis.

    “RD Web Access is susceptible to an anonymous authentication timing attack that can validate usernames within an Active Directory domain. Furthermore, RD Web Access exposes the connected domain name if the Remote Procedure Call (RPC) endpoint is accessible on the target server.”

    Raxis Lead Penetration Tester, Matt Dunn

    Microsoft’s Remote Desktop Web Access application (RD Web Access) is a popular web-based remote desktop client. It allows an organization’s users to access their remote desktop services through a web browser. Recently, I discovered that RD Web Access is susceptible to an anonymous authentication timing attack that can validate usernames within an Active Directory domain. Furthermore, RD Web Access exposes the connected domain name if the Remote Procedure Call (RPC) endpoint is accessible on the target server. An anonymous attacker can exploit this behavior to gather intelligence about an organization’s Active Directory environment and build a list of valid domain users for use in secondary attacks.

    Description

    A similar timing-based authentication vulnerability exists in Outlook Web Application (OWA): it reveals valid usernames through the difference in response times between authentication attempts with valid and invalid usernames. Valid usernames can likewise be identified against RD Web Access by the same response-time difference. An example of an authentication attempt with an incorrect username, with a response time of over 4 seconds, can be seen here:

    Long Response Time with Invalid Username Authentication Attempt

    However, when authenticating with a valid domain and username pair but an incorrect password, the response time is much shorter (232 milliseconds), as seen here:

    Quick Response Time with Valid Domain and Username Authentication Attempt

    By analyzing how quickly the target server responds to these requests, we can determine that login attempts with valid usernames have significantly shorter response times than login attempts with invalid usernames. The timing difference is significant enough that we can use it to determine username validity.

    Note that knowing the target’s Active Directory domain is a prerequisite for this attack. However, if RPC is accessible, retrieving this information from the server is trivial. After issuing a specially crafted NTLM challenge, the encoded response will reveal the target’s Active Directory domain, as seen here:

    Active Directory Domain Revealed in Response

    With the Active Directory domain in hand, we can now fully enumerate the valid usernames for the domain.

    Affected Versions

    Raxis has confirmed the following Windows Server versions running the Remote Desktop Web Access application are vulnerable to this attack:

    • Windows Server 2016
    • Windows Server 2019

    Metasploit Module

    The original OWA/CAS timing authentication vulnerability was disclosed in 2014, and published tools are available to enumerate usernames and discover the domain from servers hosting the OWA. However, my research found that there were no readily available tools to exploit this vulnerability against a hosted RD Web Access instance. I took this opportunity to create a Metasploit module to automate and streamline the attack workflow. The module provides options for domain discovery, username enumeration, and password login attempts. The full module configuration options are shown below:

    Module Configurations for rdp_web_login Auxiliary Module

    After performing the enumeration, the module stores the discovered credentials in the database. An example of this Metasploit module successfully being used to enumerate valid usernames and passwords is shown below:

    rdp_web_login Metasploit Module in Use Against a Test Environment

    The new auxiliary module (auxiliary/scanner/http/rdp_web_login) has been approved by Rapid7 and merged to their master branch. The following links provide details to the module, its documentation, and the original pull request:

    Remediation

    The remediation for this attack is similar to the remediation for the related OWA authentication timing attack. Raxis recommends any of the following actions to mitigate the threat this attack poses:

    • Protect the Remote Desktop Web Access service from the Internet by requiring a VPN connection to access it.
    • Proxy the Remote Desktop Web Access traffic through either an ISA or Microsoft Federation Service, as this mitigates the time-based attack.
    • Enforce Multi-Factor Authentication (MFA) for Remote Desktop Services to prevent unauthorized logins from discovered usernames.

    Disclosure Timeline

    • January 6th, 2021 – Vulnerability reported to Microsoft
    • January 6th, 2021 – Microsoft begins investigation into report
    • February 4th, 2021 – Microsoft declines to service this vulnerability
    • February 24th, 2021 – Metasploit Module accepted and merged by Rapid7

    Be sure to check back for updates to this post as the status may change.

  • How to Pull Off a Mousejacking Attack

    What’s an easy, effective and potentially devastating cyberattack . . . that’s also named for a rodent?

    If you guessed mousejacking, you are a star student today. 

    A mousejacking attack occurs when an attacker scans for the wireless transmissions sent from your wireless mouse to the USB dongle plugged into your computer. These transmissions from a mouse contain data that describes the mouse’s actions. When an attacker is able to scan and find these transmissions, they may also be able to quickly intercept and, with a few quick keystrokes and clicks, impersonate the mouse and begin sending their own malicious commands through the wireless dongle and into the computer. 

    Users may see a brief pop-up window with code on it, but things return to normal quickly, and many times they don’t think it’s significant enough to notify their security team.

    To add a little insult to injury, an attacker doesn’t even have to be in the building or in close proximity to the workstation to pull this off. They can be in your parking lot or maybe that park across the street.

    Now, there are a lot more technical things that go into it, so take a look at the video above to learn the details.

    So how do you prevent a mousejacking attack? Since this attack can only occur on workstations that are unlocked and running, remember (and remind your colleagues) to always lock your workstation if you are walking away or not actively working on it. Also, let your colleagues in IT security know about anything suspicious you see. Trust me, they want to know.

    Remember it only takes a few minutes for attackers to get into your network and start causing trouble. 

    Please share this blog and video with your team so they know what to look for and how quickly it can happen, and encourage them to report it immediately. 

    With years of penetration testing and general mischief making behind us, we at Raxis have learned that there is always a way in. And we can find it. Our team of experts is ready to help you and your organization find its weaknesses and strengthen your security. Talk with our team today.

  • Sudo Privilege Escalation Vulnerability Discovered

    Summary

    Qualys recently discovered a heap-based buffer overflow in the sudo utility, which is in use on almost all Unix-based operating systems.* This vulnerability (CVE-2021-3156) can be exploited by any user, even one not listed in the sudoers file, and has been present since it was introduced in July 2011.

    Affected Versions

    Any operating system using one of the following sudo versions is vulnerable:

    • All legacy versions from 1.8.2 to 1.8.31p2
    • All stable versions from 1.9.0 to 1.9.5p1

    This includes most major operating systems such as Ubuntu, RHEL, Debian, Fedora, etc. that have these versions of sudo installed. Qualys was able to develop exploits specifically for Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2), but any operating system using the vulnerable versions of sudo should be considered vulnerable.

    Testing for the Vulnerability

    In addition to checking the sudo version, Qualys provided a simple way to test if a system is vulnerable or not. To test on an individual system, perform the following steps:

    1. Log in to the system as a non-root user.
    2. Run the command: sudoedit -s /
    3. If the system is vulnerable, it will respond with an error that starts with "sudoedit:".
    4. If the system is patched, it will respond with an error that starts with "usage:".
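
    As an added example (not from the original post, Qualys or Raxis), the POSIX shell script below automates both checks described in this post: it classifies the output of sudoedit -s / exactly as steps 3 and 4 describe, and separately tests a sudo version string against the affected ranges 1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1. The error strings in the comments are constructed samples, and the version parser assumes sudo's usual major.minor.patch[pN] layout as reported by sudo -V.

```shell
#!/bin/sh
# Added example: local checks for CVE-2021-3156. Not Qualys' or Raxis' code.

# Classify the output of `sudoedit -s /` as the Qualys test describes:
#   vulnerable builds answer  "sudoedit: /: not a regular file"      (constructed sample)
#   patched builds answer     "usage: sudoedit [-AknS] ... file ..."  (constructed sample)
classify_sudoedit_output() {
    case "$1" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# Return 0 (true) if a version string such as "1.8.31p2" lies inside the affected
# ranges 1.8.2..1.8.31p2 or 1.9.0..1.9.5p1; 1 if outside; 2 if it is not parseable.
# Assumes sudo's major.minor.patch[pN] layout (assumption of this example).
sudo_version_affected() {
    ver=$1
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*};  rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%p*}
    case "$rest" in *p*) plevel=${rest#*p} ;; *) plevel=0 ;; esac
    [ "$major" -eq 1 ] || return 1
    if [ "$minor" -eq 8 ]; then
        # legacy branch: 1.8.2 up to and including 1.8.31p2
        [ "$patch" -ge 2 ] || return 1
        [ "$patch" -lt 31 ] && return 0
        [ "$patch" -eq 31 ] && [ "$plevel" -le 2 ] && return 0
        return 1
    fi
    if [ "$minor" -eq 9 ]; then
        # stable branch: 1.9.0 up to and including 1.9.5p1
        [ "$patch" -lt 5 ] && return 0
        [ "$patch" -eq 5 ] && [ "$plevel" -le 1 ] && return 0
        return 1
    fi
    return 1
}

# Version of the installed sudo, e.g. "1.8.31", from the first line of `sudo -V`.
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# Run the Qualys test on this host (stdin closed so nothing can prompt) and classify it.
check_this_host() {
    out=$(sudoedit -s / 2>&1 </dev/null)
    classify_sudoedit_output "$out"
}

# Only probe the live system when sudo is actually installed.
if command -v sudoedit >/dev/null 2>&1; then
    v=$(installed_sudo_version)
    if sudo_version_affected "$v"; then verdict="in affected range"; else verdict="outside affected range"; fi
    echo "sudo $v: $verdict; sudoedit -s / test says: $(check_this_host)"
fi
```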

    Remediation

    Raxis recommends patching any affected operating system using the vulnerable sudo versions. A list of advisories with links to patches that remediate the vulnerability from various operating system vendors is below:

    * https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

  • Cisco Patches Critical Security Vulnerabilities

    Affected Products

    The critical and high-severity vulnerabilities that were patched affect many products across Cisco’s product line including:

    • Cisco SD-WAN
    • Cisco DNA Center Command Runner
    • Cisco DNA Center
    • Cisco Smart Software Manager Satellite Web UI
    • Cisco Data Center Network Manager
    • Cisco Finesse OpenSocial Gadget Editor
    • Cisco Secure Web Appliance
    • Cisco Advanced Malware Protection for Endpoints and Immunet for Windows
    • Cisco Umbrella Dashboard

    For a complete list of affected products, check Cisco’s Security Center.

    The Vulnerabilities Addressed

    The patches address numerous common vulnerabilities and exposures (CVEs), including serious threats such as command injection, SQL injection, DLL hijacking, cross-site request forgery, directory traversal, and more. Some of the most critical, such as a buffer overflow in SD-WAN, allow unauthenticated remote code execution as the root user and should be patched immediately. Cisco does not believe these were being actively exploited in the wild, but they should nonetheless be treated seriously and patched immediately.

    Remediation

    Cisco recommends patching all affected products as soon as possible as there are no current workarounds to the newly released critical vulnerabilities. A full list of Cisco’s recent security advisories is also available from the company’s security center.

    Does your company have a vulnerability management plan in place? Take a look at this video as Raxis’ CTO Brian Tant explains why you should.

  • SolarWinds Supply Chain Attack – Updated 12/18/2020

    On December 8, 2020, FireEye disclosed that it had been breached by a sophisticated threat actor that had accessed some of its internally developed red team tools. On December 12, FireEye disclosed that this access, and access to many other companies, was accomplished through a supply chain attack against SolarWinds Orion, a monitoring product that is deployed across a myriad of other organizations in the public and private sectors.

    What we know: SolarWinds’ Orion Platform versions 2019.4 HF 5 through 2020.2.1, released between March and June 2020, were affected by the supply chain attack. At present, we believe other versions are not affected.

    Who was affected: In addition to FireEye, anyone running these SolarWinds versions should assume they have been compromised and should take immediate action to mitigate this exposure.

    What to do:
    • Power down any SolarWinds Orion products that are running or have run versions 2019.4 HF 5 through 2020.2.1.
    • Upgrade to the SolarWinds Orion Platform version 2020.2.1 HF 1 immediately.
    • On Tuesday, December 15, 2020, upgrade to SolarWinds Orion Platform version 2020.2.1 HF 2. This is a critical release that addresses the exposure.
    • If your company has used the affected versions, assume that the network has been breached and implement applicable incident response processes.
    • This was a far-reaching attack perpetrated by highly skilled threat actors. Evidence of the attack may be hard to detect, and Indicators of Compromise (IOCs) may change over time as more information becomes available.

    How did this happen:

    SolarWinds was the victim of a sophisticated supply chain attack. Supply chain attacks target components that are trusted by their users in order to gain a foothold within an organization, product, or other target. This can happen to in-house software components, third-party libraries, or even in the manufacturing of devices. How the attack was deployed via the SolarWinds platform remains unclear, but multiple payloads were delivered via digitally signed updates from SolarWinds from March to May 2020 through the SolarWinds.Orion.Core.BusinessLayer.dll.

    Technical Details:
    • The trojan placed on the system lays dormant for up to two weeks before making a DNS request to avsvmcloud[.]com to get the details of a Command and Control (C2) server.
    • Further communications with the C2 server masquerade as SolarWinds API traffic.
    • The trojan downloads multiple types of payloads, including a memory-only dropper that FireEye has named “TEARDROP.” A Cobalt Strike Beacon payload has also been detected.
    • After gaining a foothold, the attacker used remote access and conducted lateral movement using legitimate account credentials to establish persistence and levy ongoing attacks.
    • The attack prioritizes stealth and persistence, only using hostnames enumerated within the target environment and restricting traffic to mostly IP addresses from the target’s country.
    • The attacker modifies files and scheduled tasks to drive remote execution and later reverts them back to their original contents in order to evade detection.
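
    As an added example (not from the original post, FireEye or SolarWinds), the shell script below triages DNS query logs for the avsvmcloud[.]com beacon domain listed above. It refangs the bracketed indicator, matches that domain and any subdomain of it (but not look-alike names that merely contain it), and prints each querying client with its first-seen timestamp and query count. The BIND-style log lines and the subdomain labels are constructed samples.

```shell
#!/bin/sh
# Added example: DNS query-log triage for the SUNBURST beacon domain. Not FireEye's tooling.

# Constructed sample lines in BIND "queries" channel format, not a real capture.
# Two internal hosts resolve subdomains of the indicator; the last line is a look-alike.
SAMPLE_LOG='08-Dec-2020 03:14:07.001 queries: info: client 10.1.20.15#51234: query: constructed-label-1.avsvmcloud.com IN A + (10.1.0.53)
08-Dec-2020 03:14:09.112 queries: info: client 10.1.20.15#51235: query: www.solarwinds.com IN A + (10.1.0.53)
08-Dec-2020 03:15:22.540 queries: info: client 10.1.30.8#40001: query: constructed-label-2.avsvmcloud.com IN A + (10.1.0.53)
08-Dec-2020 03:16:01.003 queries: info: client 10.1.40.2#53020: query: avsvmcloud.com.example.net IN A + (10.1.0.53)
08-Dec-2020 03:17:45.770 queries: info: client 10.1.20.15#51240: query: Constructed-Label-3.AVSVMCLOUD.COM. IN A + (10.1.0.53)'

# Turn a defanged indicator such as "avsvmcloud[.]com" or "avsvmcloud(.)com" into a real name.
refang() {
    printf '%s\n' "$1" | sed 's/\[\.\]/./g; s/(\.)/./g'
}

# Read query-log lines on stdin; print "client first_seen count" for every client that
# queried the indicator domain itself or a subdomain of it. The suffix test requires a
# label boundary, so "avsvmcloud.com.example.net" does not match.
find_beacon_clients() {
    domain=$(refang "$1")
    awk -v d="$domain" '
        BEGIN { d = tolower(d) }
        {
            q = ""; c = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "client") c = $(i + 1)   # e.g. "10.1.20.15#51234:"
                if ($i == "query:") q = $(i + 1)   # the queried name
            }
            if (q == "" || c == "") next
            sub(/#.*/, "", c)                      # drop "#port:"
            q = tolower(q); sub(/\.$/, "", q)      # normalise case, strip trailing dot
            if (q == d || substr(q, length(q) - length(d)) == "." d) {
                if (!(c in count)) first[c] = $1 " " $2
                count[c]++
            }
        }
        END { for (c in count) print c, first[c], count[c] }
    ' | sort
}

# Run against the constructed sample; for a real log use e.g.
#   find_beacon_clients 'avsvmcloud[.]com' < /var/log/named/queries.log
printf '%s\n' "$SAMPLE_LOG" | find_beacon_clients 'avsvmcloud[.]com'
```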

    FireEye has released countermeasures for these threats, including Snort and Yara rules. For more specific details on the delivered malware, how it avoided detection, and other threat signatures, see the FireEye blog post detailing the attack.

    Updates

    December 18, 2020

    Who was affected:

    In addition to FireEye, Microsoft confirmed that its own systems were affected by the SolarWinds breach and has helped identify more than 40 of its customers that were also affected. [1]

    Additionally, RedDrip7 and Bambenek have put forth research into DNS records and other Indicators of Compromise to help people determine whether they have been compromised. [2]

    However, anyone running these SolarWinds versions should still assume they have been compromised and should take immediate action to mitigate this exposure.

    [1] https://www.bleepingcomputer.com/news/security/microsoft-identifies-40-plus-victims-of-solarwinds-hack-80-percent-from-us/

    [2] https://github.com/bambenek/research/tree/main/sunburst

  • Why you should turn off Cisco Smart Install now

    In this video, I explain how Cisco Smart Install can leave you and your company vulnerable if it is left on. (Helpful hint: Cisco Smart Install is often on by default, so watch this and then go check your network).

    Network admins are surely familiar with Cisco Smart Install – the handy plug-and-play configuration and management feature that offers zero-touch deployments. 

    And though Cisco is known for security, and the Smart Install feature has some great benefits – such as allowing you to easily deploy network switches in a Cisco environment with no assistance from a network admin – it also can be a security risk if you leave it turned on.  Whether by design or default, I find a lot of cases where it’s left on, but none where it’s actually in use at that time. For a penetration tester, that’s a key finding.

    Have you checked your network to see if Cisco Smart Install is on? It was, wasn’t it? And you did turn it off, right?

    If so, you closed off a simple but often effective door for hackers. 

    Raxis is an elite team of professionals who are paid to attack and assess cybersecurity systems. We can help you pinpoint security threats and find ways to remediate them, leaving your company more secure than we found it.

    Ready to find out how secure your network really is? Reach out to us and let’s discuss your needs and how we can help.

  • AttackTek: How to Launch a Broadcast Resolution Poisoning and SMB Relay Attack

    Welcome to our first AttackTek installment, where we’ll go deeper into the tech side of our penetration testing. We’re going to start with a couple of the easiest and most consistent ways we’ve found to get inside corporate networks and gain domain admin rights – sometimes before we finish our coffee on Day 1.

    The first is broadcast name resolution poisoning, known more simply as the broadcast poisoning attack. The second, which we often use in tandem, is the SMB relay attack. 

    For those unfamiliar with these attacks, a broadcast poisoning attack targets users’ credentials as a means to further access corporate networks and data. An SMB relay attack is basically a man-in-the-middle attack in which the malicious actor tries to make the target machine believe that it is the authenticating server.

    These two attack methods work really well together and can be put into motion in a matter of minutes. 

    In this video, I will walk you through an entire attack chain and break down both of these attacks as I’m conducting them.

    Just a friendly heads-up: A lot of the ‘action’ in this video is code on a screen. If you’re a pen tester or a defender, you’ll probably find it very interesting. But if you’re a non-techie and you clicked here after watching your favorite surf video, well . . . enjoy!

    At Raxis, we offer a variety of penetration tests to help you and your company identify vulnerabilities and close the gaps before a cybercriminal finds them. During these tests our team of experienced, professional hackers use every trick in the book – plus some they make up on the fly – to get past your security. 

    If you are ready to explore more penetration testing and assessment options with Raxis, be sure to visit our contact page.

  • Why Worry About Unauthorized Entry?

    We’ve posted several videos recently that demonstrate how easy it can be to defeat some common physical security barriers by cloning badges, manipulating sensors with air, and using hidden cameras. In case you’re wondering, it is every bit as fun as it looks, and lots of folks tell us it’s cool to see it demonstrated.

    Check out this video and watch how quickly a company’s data – and its customers’ data – can be compromised.

    If you think about it, it also raises the so-what question. What’s the worst that can happen if someone gets access to a secure area inside your office? Somebody’s bound to notice before they can cause any real trouble, right? 

    Unfortunately, no. Even if the hacker isn’t also an experienced social engineer (and Raxis team members are), they can still cause untold damage. Once inside, it only takes an intruder seconds to install a network backdoor device on an open network port. At that point, network traffic is being diverted to or through the hacker mother ship. 

    Fortunately, in this scenario, I was the hacker conducting the attack. Although this was only a demonstration, I should point out that I’ve done the same thing in many red team engagements with clients. As you can see, the computer skills necessary are more in line with a 7-year-old’s than 007’s. Oh, and that special equipment I was using? It’s readily available online for $50 to $100. 

    The point here is that you need multiple, effective layers of cybersecurity to protect your network. How do you find out what you’re missing? Simple. You call us.

    Raxis’ team of experts is ready to help your business evaluate and identify solutions to help safeguard sensitive data. Follow us on this blog or social media – Facebook, Twitter, LinkedIn and YouTube – and we’ll share more ways that hackers can get in — and how we can help you keep them out.