Mar 8, 2021

What Can We Learn from the SolarWinds Incident?

Lessons learned from the SolarWinds incident:

  1. Your risk boundary is not your network boundary.
  2. An attack timeline, from start to release date, can take almost 19 months.
  3. Identity is the new "perimeter".
  4. Behavioral analysis techniques are required to identify a compromised identity.
  5. Network baselining and abnormal behavior analytics are instructive.
  6. Think about whether you built software using third-party libraries.
  7. Think about whether you use products/services from any compromised party, including open source software.
  8. Think about whom you trust and when you last validated that trust.
  9. Build the capability to detect TTPs, not IOCs.
  10. CTI sources like to use different code names to identify malware.
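Lessons 4, 5 and 9 come down to the same mechanism: learn what normal looks like for each identity, then flag activity that deviates from it instead of waiting for a known indicator. The following Python script is an added example (not from the original post) that builds a per-user baseline of sign-in countries, devices and working hours from a training window and scores later sign-ins against it. The events, user names, countries and device ids are constructed sample data, and the one-hour slack around the observed working hours is an arbitrary assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (not real telemetry):
# (user, UTC timestamp, source country, device id)
SAMPLE_EVENTS = [
    ("alice", "2021-02-01T09:05:00", "US", "laptop-a1"),
    ("alice", "2021-02-02T10:12:00", "US", "laptop-a1"),
    ("alice", "2021-02-03T08:47:00", "US", "laptop-a1"),
    ("alice", "2021-02-04T11:30:00", "US", "laptop-a1"),
    ("bob",   "2021-02-01T14:00:00", "DE", "desk-b7"),
    ("bob",   "2021-02-02T15:20:00", "DE", "desk-b7"),
    ("bob",   "2021-02-03T13:45:00", "DE", "desk-b7"),
    ("bob",   "2021-02-04T16:10:00", "DE", "desk-b7"),
    # Later activity to be scored against the baseline
    ("alice", "2021-02-15T10:00:00", "US", "laptop-a1"),  # consistent with baseline
    ("alice", "2021-02-16T03:12:00", "RU", "vm-9f"),      # new country, new device, off hours
    ("bob",   "2021-02-15T14:30:00", "DE", "desk-b7"),    # consistent with baseline
    ("bob",   "2021-02-17T02:05:00", "DE", "desk-b7"),    # known country and device, off hours
    ("carol", "2021-02-17T09:00:00", "US", "laptop-c3"),  # never seen in the training window
]

HOUR_SLACK = 1  # assumed tolerance around the observed working-hour range


def build_baseline(events, training_end):
    """Per-user profile (countries, devices, sign-in hours) from events before training_end."""
    cutoff = datetime.fromisoformat(training_end)
    profile = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": []})
    for user, ts, country, device in events:
        when = datetime.fromisoformat(ts)
        if when >= cutoff:
            continue
        p = profile[user]
        p["countries"].add(country)
        p["devices"].add(device)
        p["hours"].append(when.hour)
    return dict(profile)


def score_event(baseline, event):
    """Return the list of baseline deviations for one event (empty list means normal)."""
    user, ts, country, device = event
    if user not in baseline:
        return ["no_baseline"]
    p = baseline[user]
    reasons = []
    if country not in p["countries"]:
        reasons.append("new_country")
    if device not in p["devices"]:
        reasons.append("new_device")
    hour = datetime.fromisoformat(ts).hour
    if not (min(p["hours"]) - HOUR_SLACK <= hour <= max(p["hours"]) + HOUR_SLACK):
        reasons.append("off_hours")
    return reasons


def find_anomalies(events, training_end):
    """Score every event at or after training_end; return (user, timestamp, reasons) for deviations."""
    baseline = build_baseline(events, training_end)
    cutoff = datetime.fromisoformat(training_end)
    anomalies = []
    for event in events:
        if datetime.fromisoformat(event[1]) < cutoff:
            continue
        reasons = score_event(baseline, event)
        if reasons:
            anomalies.append((event[0], event[1], reasons))
    return anomalies


if __name__ == "__main__":
    for user, ts, reasons in find_anomalies(SAMPLE_EVENTS, "2021-02-10T00:00:00"):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Each deviation is reported with its reason rather than as a single score, so an analyst can tell a legitimate trip (new country only) from a sign-in that is wrong on every axis. In production the baseline would be rebuilt on a rolling window and the attributes would come from the identity provider's sign-in logs.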

Mar 4, 2021

0-day Attack on Exchange Server (By HAFNIUM)

Your organization should be in incident response mode now if any OWA server was exposed to the Internet between 02/26 and 03/03.

Microsoft has detected multiple zero-day exploits being used to attack on-premises Exchange servers; the exploits allowed the installation of web shells to facilitate long-term access on vulnerable servers.

Vulnerability Summary

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Remediation

Microsoft has provided scripts to check the patch level on the Exchange server and to scan the Exchange logs for indications of compromise.
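Because the attack's persistence mechanism is a web shell, one complementary check for indications of compromise is a file-integrity comparison of the web root: snapshot the server-side script files from a known-good state, take a fresh snapshot, and diff them so any script file that appeared or changed stands out. The Python script below is an added example (it is not Microsoft's script and not from the original post); it builds a throw-away directory with constructed files instead of touching a real Exchange installation, and the directory layout, file names and the set of script extensions it watches are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Server-side script extensions that should not change outside of a patch window (assumed set)
WEB_SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    inventory = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            inventory[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return inventory


def diff_snapshots(before, after):
    """Split the two inventories into added, removed and content-modified paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious_files(diff):
    """Added or modified files whose extension is a server-side script type."""
    candidates = diff["added"] + diff["modified"]
    return sorted(p for p in candidates if Path(p).suffix.lower() in WEB_SCRIPT_EXTS)


def demo():
    """Build a constructed web root, baseline it, simulate changes, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        auth = root / "owa" / "auth"           # assumed layout, not an Exchange path
        auth.mkdir(parents=True)
        (auth / "logon.aspx").write_text("<%-- legitimate page --%>")
        (auth / "logo.png").write_bytes(b"\x89PNG\r\n")
        before = snapshot(root)

        # Constructed post-exposure changes: a new script, a modified script, a new image
        (auth / "extra.aspx").write_text("<%-- page that was not there before --%>")
        (auth / "logon.aspx").write_text("<%-- legitimate page, now altered --%>")
        (auth / "banner.png").write_bytes(b"\x89PNG\r\nnew")
        after = snapshot(root)

        diff = diff_snapshots(before, after)
        return diff, suspicious_files(diff)


if __name__ == "__main__":
    diff, flagged = demo()
    print("changed:", diff)
    print("script files to review:", flagged)
```

The baseline snapshot must come from before the exposure window (or from a clean reference install of the same build), and it should be stored off the server so a compromised host cannot rewrite it. Non-script files that changed are still listed in the diff; they are simply not escalated by suspicious_files.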

Links:

  • https://arstechnica.com/gadgets/2021/03/tens-of-thousands-of-us-organizations-hit-in-ongoing-microsoft-exchange-hack/
  • https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
  • https://github.com/microsoft/CSS-Exchange

Mar 3, 2021

Public POC released for CVE-2021-24085

CVE-2021-24085 is a Microsoft Exchange Server spoofing vulnerability released as part of Microsoft's February Patch Tuesday advisories. The vulnerability allows remote attackers to escalate privileges on affected installations of Microsoft Exchange Server; successful exploitation requires authentication and user interaction (visiting a malicious page).

A public proof-of-concept exploit is available at https://github.com/sourceincite/CVE-2021-24085.

Links:

  • https://attackerkb.com/topics/taeSMPFD8J/cve-2021-24085

Vulnerability Scanning

Have you ever wondered whether you are performing all the vulnerability scanning your company needs? Or do you know how many types of vulnerability scanning a comprehensive vulnerability management program requires?

In general, here is what you should budget for in your vulnerability scanning capability:

  1. Network/Host scanning
  2. Web application scanning
  3. Cloud scanning

Network/Host scan:

  • This is the minimum and most common scan.
  • Covers credentialed and network scans, mostly for on-premises infrastructure.
  • E.g.: Tenable Nessus, Rapid7 InsightVM, Qualys.

Web Application Scan:

  • Covers web applications, but is not a substitute for penetration testing.
  • Scanning methodology includes SAST (white box) and DAST (black box), and needs to be configured by subject matter experts.
  • E.g.: HCL (IBM) AppScan, Rapid7 InsightAppSec, Netsparker Enterprise.

Cloud scan:

  • This is very new and cannot be substituted by network/host scans.
  • Scans for vulnerabilities (or misconfigurations) in public cloud, containers, and CI/CD pipelines.
  • E.g.: Prisma Cloud, AquaSec, Netskope Cloud Security, BlackDuck.

Note that each of these scans serves a different purpose and has a very different classification of vulnerabilities. I see many organizations mistakenly use network/host scans as a substitute for cloud scanning, which gives a false sense of security.

The traditional network/host scan focuses about 80% on CVEs (missing patches) and 20% on misconfiguration, while the cloud scan focuses 80% on misconfiguration. In other words, under the shift-left principle, the cloud scan treats an unpatched CVE as a misconfiguration (because the network is software-defined and deployment is automated).
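To make the 80/20 distinction concrete, the following Python script is an added example (not from the original post and not any vendor's scanner) of a cloud-style configuration check. Instead of matching CVEs, it evaluates a constructed, provider-neutral inventory for administrative ports open to the Internet, public or unencrypted storage, and instances still built from a base image older than the approved one, which is how an unpatched CVE surfaces as a misconfiguration when hosts are redeployed from images rather than patched in place. The resource schema, image names, rule names and severities are all assumptions.

```python
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}                # SSH and RDP
APPROVED_BASE_IMAGE = "base-image-v3"   # constructed placeholder for the current patched image

# Constructed, provider-neutral inventory (not exported from any real cloud account)
SAMPLE_RESOURCES = [
    {"type": "security_group", "name": "sg-web",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}, {"cidr": "10.0.0.0/8", "port": 22}]},
    {"type": "security_group", "name": "sg-bastion",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
    {"type": "bucket", "name": "public-assets", "public": True, "encrypted": True},
    {"type": "bucket", "name": "backups", "public": False, "encrypted": False},
    {"type": "instance", "name": "api-1", "image": "base-image-v3"},
    {"type": "instance", "name": "api-2", "image": "base-image-v1"},
]


def is_world_reachable(cidr):
    """True for a zero-length prefix such as 0.0.0.0/0 or ::/0."""
    return ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(res):
    """Flag any admin port whose ingress rule admits the whole Internet."""
    return [(res["name"], "admin_port_open_to_internet", "high")
            for rule in res["ingress"]
            if rule["port"] in ADMIN_PORTS and is_world_reachable(rule["cidr"])]


def check_bucket(res):
    """Flag public exposure and missing encryption at rest."""
    findings = []
    if res.get("public"):
        findings.append((res["name"], "bucket_public", "high"))
    if not res.get("encrypted"):
        findings.append((res["name"], "bucket_unencrypted", "medium"))
    return findings


def check_instance(res):
    # Patch state is expressed as a configuration attribute: the image the instance was
    # built from. An out-of-date image means unpatched software, fixed by redeploying.
    if res["image"] != APPROVED_BASE_IMAGE:
        return [(res["name"], "stale_base_image", "high")]
    return []


CHECKS = {
    "security_group": check_security_group,
    "bucket": check_bucket,
    "instance": check_instance,
}


def evaluate(resources):
    """Run the check registered for each resource type; return every finding as (name, rule, severity)."""
    findings = []
    for res in resources:
        findings.extend(CHECKS.get(res["type"], lambda r: [])(res))
    return findings


if __name__ == "__main__":
    for name, rule, severity in evaluate(SAMPLE_RESOURCES):
        print(f"[{severity}] {name}: {rule}")
```

Note that sg-web is not flagged even though port 443 is open to the world: the rule is about administrative ports, and a web front end is expected to be reachable. That kind of context is exactly what the host scanner lacks and why the two scan types classify findings so differently.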

Mar 2, 2021

Prisma Cloud Monitoring and Securing

Today I completed the training on Prisma Cloud Monitoring and Securing (RETIRED) and scored 95% (23/24).