Dec 19 2023

SSH vulnerability exploitable in Terrapin attacks (CVE-2023-48795)

Category: Security vulnerabilities | disc7 @ 8:32 am

Security researchers have discovered a vulnerability (CVE-2023-48795) in the SSH cryptographic network protocol that could allow an attacker to downgrade the connection’s security by truncating the extension negotiation message.

The Terrapin attack

Terrapin is a prefix truncation attack targeting the SSH protocol.

“By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it,” researchers Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk of Ruhr-Universität Bochum have found.

Aside from downgrading the SSH connection’s security by forcing it to use less secure client authentication algorithms, the attack can also be used to exploit vulnerabilities in SSH implementations.

“For example, we found several weaknesses [CVE-2023-46445, CVE-2023-46446] in the AsyncSSH servers’ state machine, allowing an attacker to sign a victim’s client into another account without the victim noticing. Hence, it will enable strong phishing attacks and may grant the attacker Man-in-the-Middle (MitM) capabilities within the encrypted session.”

To pull off a Terrapin attack, though, the attacker must already be able to intercept and modify the data sent from the client or server to the remote peer, they pointed out, which makes the attack more feasible on the local network.

“Besides that, we also require the use of a vulnerable encryption mode. Encrypt-then-MAC and ChaCha20-Poly1305 have been introduced by OpenSSH over 10 years ago. Both have become the default for many years and as such spread across the SSH ecosystem. Our scan indicated that at least 77% of SSH servers on the internet supported at least one mode that can be exploited in practice.”

More details about their findings can be found in their paper and on a dedicated website.

Patches released or incoming

The researchers have contacted nearly 30 providers of various SSH implementations and shared their research so they may provide fixes before publication.

“Many vendors have updated their SSH implementation to support an optional strict key exchange. Strict key exchange is a backwards-incompatible change to the SSH handshake which introduces sequence number resets and takes away an attacker’s capability to inject packets during the initial, unencrypted handshake,” they shared.

But it will take a while for all clients and servers out there to be updated – and both “parties” must be updated for the connection to be secure against the Terrapin attack.

Vendors/maintainers of affected implementations, applications and Linux distros have been pushing out fixes: AsyncSSH, LibSSH, OpenSSH, PuTTY, Transmit, SUSE, and others.

Administrators can also use the Terrapin Vulnerability Scanner to determine whether an SSH client or server is vulnerable.

“The scanner connects to your SSH server (or listens for an incoming client connection) to detect whether vulnerable encryption modes are offered and if the strict key exchange countermeasure is supported. It does not perform a fully-fledged handshake, nor does it actually perform the attack,” they explained.
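The check described above can be reproduced offline on a captured SSH_MSG_KEXINIT payload. The following is an added example, not code from the researchers or from the Terrapin Vulnerability Scanner; the sample payloads are constructed, and flagging any offered `-etm@openssh.com` MAC is a conservative assumption of this example (whether a mode is actually negotiated depends on both sides' preference lists).

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
CHACHA = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"
# Pseudo-algorithms each side adds to its kex list to signal strict key exchange.
STRICT_KEX = {"client": "kex-strict-c-v00@openssh.com",
              "server": "kex-strict-s-v00@openssh.com"}


def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload (message type byte onward) into name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}                      # skip type byte + 16-byte cookie
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + length].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += length
    return lists


def assess(payload: bytes, sender: str) -> dict:
    """Report what one peer offers; sender is 'client' or 'server'."""
    k = parse_kexinit(payload)
    ciphers = set(k["enc_c2s"]) | set(k["enc_s2c"])
    macs = set(k["mac_c2s"]) | set(k["mac_s2c"])
    chacha = CHACHA in ciphers
    etm = any(m.endswith(ETM_SUFFIX) for m in macs)
    strict = STRICT_KEX[sender] in k["kex"]
    return {"chacha20_poly1305": chacha, "etm_mac": etm,
            "strict_kex": strict, "exposed": (chacha or etm) and not strict}


def strict_kex_active(client_payload: bytes, server_payload: bytes) -> bool:
    """Strict key exchange only protects the connection if both peers offer it."""
    return (assess(client_payload, "client")["strict_kex"]
            and assess(server_payload, "server")["strict_kex"])


def build_kexinit(lists: dict) -> bytes:
    """Build a constructed sample payload (zero cookie) for testing the parser."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


# Constructed samples: identical cipher/MAC offers, differing only in strict kex.
_MODES = {"enc_c2s": [CHACHA, "aes256-ctr"], "enc_s2c": [CHACHA, "aes256-ctr"],
          "mac_c2s": ["hmac-sha2-256-etm@openssh.com"],
          "mac_s2c": ["hmac-sha2-256-etm@openssh.com"]}
PATCHED_SERVER = build_kexinit(
    {**_MODES, "kex": ["curve25519-sha256", STRICT_KEX["server"]]})
PATCHED_CLIENT = build_kexinit(
    {**_MODES, "kex": ["curve25519-sha256", STRICT_KEX["client"]]})
OLD_CLIENT = build_kexinit({**_MODES, "kex": ["curve25519-sha256"]})

if __name__ == "__main__":
    print("server:", assess(PATCHED_SERVER, "server"))
    print("old client:", assess(OLD_CLIENT, "client"))
    print("old client + patched server protected:",
          strict_kex_active(OLD_CLIENT, PATCHED_SERVER))
    print("patched client + patched server protected:",
          strict_kex_active(PATCHED_CLIENT, PATCHED_SERVER))
```
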


InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Terrapin attacks


Dec 18 2023

OWASP API Security Checklist for 2023

Category: API security, owasp | disc7 @ 2:08 pm

OWASP API Security Checklist for 2023 – via Practical DevSecOps


Tags: API security checklist, API Security in Action


Dec 18 2023

8220 Hacker Group Attacking Windows & Linux Web Servers

Category: Cyber Attack, Hacking, Linux Security, Windows Security | disc7 @ 1:40 pm

The 8220 hacker group, which was first identified in 2017 by Cisco Talos, is exploiting both Windows and Linux web servers with crypto-jacking malware. One of their recent activities involved the exploitation of an Oracle WebLogic vulnerability (CVE-2017-3506) and Log4Shell (CVE-2021-44228).

However, this threat group has a history of exploiting vulnerabilities in several products, such as Confluence, Log4j, Drupal, Hadoop YARN, and Apache Struts2 applications. Their TTPs have evolved along with different publicly released exploits.

8220 Hacker Group

In addition to this, the group was also discovered to be exploiting CVE-2020-14883, a remote code execution vulnerability in Oracle WebLogic Server. This vulnerability is chained with an authentication bypass vulnerability (CVE-2020-14882), also in Oracle WebLogic Server.

The exploitation methods of these two vulnerabilities are publicly available, making it relatively easy for the threat actor to modify and exploit them for malicious purposes. 

Two different exploit chains were discovered, and one of them enables the loading of an XML file used for further phases of execution of commands on the OS, whereas the other one executes Java code without the use of an XML file.

Infection Chains

The first infection chain uses different XML files that depend on the target OS. In the case of Linux, the downloading of other files is performed via cURL, wget, lwp-download, and python urllib along with a custom bash function that encodes it to base64.

Custom bash function (Source: Imperva)

The second infection chain injects Java code that first identifies the OS and then executes the same command strings used in the first method. Once the download and execution process takes place, the compromised hosts are infected with AgentTesla, rhajk, and nasqa malware variants.

A complete report has been published, which provides detailed information about the exploitation, the commands used, the encoding, and other details.


Tags: Windows & Linux Web Servers


Dec 16 2023

SILENT EMAIL ATTACK CVE-2023-35628 : HOW TO HACK WITHOUT AN EMAIL CLICK IN OUTLOOK

Category: Email Security | disc7 @ 10:15 am

CVE-2023-35628 is a critical remote code execution (RCE) vulnerability affecting the Microsoft Windows MSHTML platform, with a Common Vulnerability Scoring System (CVSS) score of 8.1, indicating a high level of risk. This flaw is particularly concerning because it can be exploited without any interaction from the user. The vulnerability can be triggered when Microsoft Outlook retrieves and processes a specially crafted email, even before the email is viewed in the Outlook Preview Pane. This makes it a particularly insidious threat, as users may be unaware of the lurking danger.

The nature of CVE-2023-35628 allows a remote, unauthenticated attacker to execute arbitrary code on the victim’s system. The exploit can be initiated by sending a specially crafted email, and it has been noted that ransomware gangs and other malicious entities are likely to find this vulnerability an attractive target. Although the exploit code maturity for CVE-2023-35628 is currently unproven, which means there might not yet be a reliable method for exploiting this vulnerability in the wild, the potential for remote code execution makes it a critical issue for all Windows users.

MSHTML PLATFORM

The vulnerability in the MSHTML platform, specifically CVE-2023-35628, can be attributed to several factors that are commonly found in software vulnerabilities:

  1. Parsing and Rendering of HTML Content: MSHTML, being a component used for parsing and rendering HTML content in applications like Microsoft Outlook, processes a large amount of untrusted input. This input, which often includes complex HTML and scripting content, can contain flaws or unexpected sequences that are not properly handled by the software.
  2. Memory Management Issues: Vulnerabilities often arise due to memory management issues such as buffer overflows, use-after-free errors, or other similar problems. These issues can occur when the software does not correctly allocate, manage, or free memory when processing HTML content. Attackers can exploit these weaknesses to execute arbitrary code.
  3. Insufficient Input Validation: Software vulnerabilities can also stem from insufficient input validation. If MSHTML does not properly validate or sanitize the HTML content it processes, malicious input could be used to trigger an exploit. This could include specially crafted scripts or malformed HTML structures designed to take advantage of the parser’s weaknesses.
  4. Complexity of Web Standards: The complexity of modern web standards can also contribute to vulnerabilities. As standards evolve and become more complex, it becomes increasingly challenging to ensure that every aspect of the parsing and rendering process is secure against all potential attack vectors.
  5. Integration with Email Clients: The integration of MSHTML with email clients like Outlook adds another layer of complexity. Emails are a common vector for delivering malicious content, and the automatic processing of emails (including the rendering of HTML content) can make it easier for attackers to exploit vulnerabilities without direct interaction from the user.

THE NO-CLICK EXPLOIT

An exploit for the CVE-2023-35628 vulnerability in the Windows MSHTML platform would typically involve a few key steps, tailored to leverage the specific nature of this flaw. Here’s a generalized overview of how such an exploit could work:

  1. Crafting a Malicious Email: The attacker starts by creating a specially crafted email. This email would contain malicious code or a payload designed to exploit the vulnerability in the MSHTML platform. The precise nature of this code depends on the specifics of the vulnerability and would be tailored to trigger the flaw in MSHTML.
  2. Email Delivery and Automatic Processing: The crafted email is then sent to the target. In the case of CVE-2023-35628, the critical aspect is that the vulnerability is triggered when Microsoft Outlook retrieves and processes the email. This processing happens automatically, often before the email is even displayed in the Outlook Preview Pane.
  3. Remote Code Execution: Upon processing the malicious email, the exploit code is executed. This code execution occurs within the context of the MSHTML platform, which is a key component used by Outlook for rendering HTML content in emails.
  4. Taking Control or Damaging the System: Once the code is executed, it can perform various malicious activities. This could range from taking control of the user’s system, stealing sensitive information, installing malware, or performing other harmful actions. The extent of the damage or control depends on the nature of the payload and the permissions available to the MSHTML process.

Memory shaping is an advanced exploitation technique often used in sophisticated cyber attacks, particularly those involving complex software systems and secure environments. It’s a method used by attackers to manipulate the layout or state of memory in a target application to facilitate the exploitation of vulnerabilities. Memory shaping can be a part of exploiting vulnerabilities like buffer overflows, use-after-free errors, or other memory corruption issues.

Here’s a simplified example to illustrate how memory shaping and its exploitation might work:

  1. Identifying a Vulnerability: First, the attacker finds a vulnerability in the target application that can be exploited to corrupt memory. For instance, this could be a buffer overflow, where the application fails to check the length of input, allowing an attacker to write more data to a buffer than it can hold.
  2. Analyzing Memory Layout: The attacker then studies the application’s memory layout to understand how data is stored and managed. This involves identifying where in memory different types of data are located and how they are accessed by the application.
  3. Memory Shaping: Once the attacker has a good understanding of the memory layout, they begin the process of memory shaping. This involves crafting inputs or actions that modify the application’s memory in a controlled way. For example, they might allocate and free memory in a specific pattern to arrange chunks of memory in a desired layout.
  4. Exploiting the Vulnerability: With the memory shaped to their advantage, the attacker then exploits the identified vulnerability. Using the buffer overflow example, they might overflow a buffer with data that includes malicious code (the payload) and carefully calculated addresses or commands that redirect the application’s execution flow to the payload.
  5. Executing Arbitrary Code: If successful, the exploit allows the attacker’s code to be executed with the privileges of the target application. This could lead to various malicious outcomes, such as data theft, installation of malware, or gaining control over the system.

It’s important to note that memory shaping is a complex and technical process that requires in-depth knowledge of both the target application and general exploitation techniques. It’s typically used in scenarios where standard exploitation methods are not effective, often due to security measures like Address Space Layout Randomization (ASLR) or other protections.

Due to the complexity and potential for misuse, specific exploit code or detailed methodologies for memory shaping are not shared publicly. The goal of cybersecurity research in this area is to understand and mitigate such advanced threats, ensuring software and systems are secure against potential attacks.

It’s important to note that the complexity of the exploit for CVE-2023-35628 is considered high. It requires specific knowledge and techniques, particularly related to memory shaping, to successfully exploit the vulnerability. This complexity might limit the exploitation to more skilled attackers.

The attack complexity is considered high due to the reliance on complex memory-shaping techniques to successfully exploit the vulnerability. Despite this complexity, the high impact of the vulnerability necessitates prompt attention and action. Microsoft has addressed this flaw in their December 2023 Patch Tuesday updates, recommending that users update their systems as a preventative measure.

It’s important to note that CVE-2023-35628 is just one of several vulnerabilities addressed in the December 2023 Patch Tuesday updates. Other notable vulnerabilities include CVE-2023-35630 and CVE-2023-35641, which are remote code execution vulnerabilities affecting Microsoft Internet Connection Sharing (ICS) with a CVSS score of 8.8, and a critical spoofing vulnerability in Microsoft Power Platform Connector (CVE-2023-36019) with a CVSS score of 9.6.

MITIGATION & SCOPE

The CVE-2023-35628 vulnerability, which is a critical remote code execution flaw in the Windows MSHTML platform, affects a range of Microsoft products, including Office 365 and on-premises versions. This vulnerability is significant due to its potential to allow exploitation as soon as Outlook retrieves and processes a specially crafted malicious email, even before the user interacts with the email. This means that exploitation could occur without any action from the user, not even requiring the Preview Pane in Outlook.

In terms of impact on Office 365 and on-premises environments, it’s important to note that the MSHTML proprietary browser engine, which is the component affected by this vulnerability, is used by Outlook among other applications to render HTML content. The fact that this engine remains installed within Windows, regardless of the status of Internet Explorer 11, means that systems where Internet Explorer 11 has been fully disabled are still vulnerable until patched.

For addressing this vulnerability, Microsoft released patches as part of their December 2023 Patch Tuesday. These patches are essential for mitigating the risk posed by this vulnerability and are available for various versions of Windows and related software components. Given the critical nature of this vulnerability and its potential impact on confidentiality, integrity, and availability, it’s strongly recommended for users and administrators of both Office 365 and on-premises environments to apply these updates promptly.

The December 2023 Patch Tuesday from Microsoft addressed a total of 34 vulnerabilities, including this critical RCE vulnerability in MSHTML. It’s noteworthy that there were no security patches for Exchange, SharePoint, Visual Studio/.NET, or SQL Server in this particular update cycle.

The details about the patches and the specific versions they apply to can be found in Microsoft’s security bulletins and support documentation. For users and administrators, it is crucial to review these resources and ensure that all applicable security updates are applied to protect against potential exploits of this vulnerability.

Given the severity and the ease with which this vulnerability can be exploited, it is crucial for Windows users, particularly those using Microsoft Outlook, to ensure their systems are updated with the latest security patches provided by Microsoft. Regular review of patching strategies and overall cybersecurity methods is advisable to maintain a robust security posture.


Tags: CrowdStrike Falcon, CVE-2023-35628, Outlook


Dec 14 2023

BYPASSING PFSENSE FIREWALL AND HACKING INTO APPLICATION SERVER AND FIREWALL ITSELF

Category: Firewall, Hacking | disc7 @ 9:22 am

New findings in cybersecurity research have brought to light a severe vulnerability affecting more than 1,450 pfSense servers. This flaw puts them at risk of potential remote code execution (RCE) attacks, resulting from a combination of command injection and cross-site scripting weaknesses. This poses a substantial threat to the security of these extensively utilized network appliances.

Key Findings and Concerns:

  1. Vulnerabilities in pfSense CE: The vulnerabilities were identified in pfSense CE (Community Edition) version 2.7.0. Researchers discovered two critical flaws that, when exploited in tandem, could lead to remote code execution attacks, allowing attackers to gain control over the affected systems.
    • Dual Vulnerabilities Identified (CVE-2023-42325) (CVE-2023-42327): The research uncovered two distinct but related vulnerabilities in pfSense CE 2.7.0. These include a command injection flaw and a cross-site scripting (XSS) vulnerability. When exploited in combination, these vulnerabilities can lead to remote code execution (RCE) attacks.
    • Command Injection Flaw (CVE-2023-42326): The command injection vulnerability allows an attacker to execute arbitrary commands on the system. This type of vulnerability is particularly dangerous as it can give attackers the same level of access to the system as the user running the vulnerable service.
    • Cross-Site Scripting (XSS) Vulnerability: The XSS vulnerability in pfSense CE can be exploited to run malicious scripts in the context of the user’s browser session. This can lead to a variety of malicious activities, including stealing session cookies, which can compromise the user’s session.
    • Remote Code Execution (RCE) Risk: The combination of these vulnerabilities creates a pathway for remote code execution. This means an attacker could potentially take full control of the pfSense device, leading to severe security breaches, including data theft, unauthorized network access, and disruption of services.
    • Exploitation Potential: The ease of exploitation of these vulnerabilities adds to the severity of the issue. Attackers with knowledge of these vulnerabilities can exploit them without needing sophisticated skills, making it a pressing concern for all pfSense CE users.
    • Patch Availability: Netgate, the company behind pfSense, has released patches to address these vulnerabilities. It is crucial for users and administrators to apply these updates as soon as possible to mitigate the risks associated with these security flaws.
    • Widespread Impact: Given the popularity of pfSense as a firewall and router solution, especially among small to medium-sized enterprises, the impact of these vulnerabilities is potentially widespread, affecting a large number of users and networks.
  2. Exposure of pfSense Instances: Investigations have revealed that around 1,450 pfSense instances, accessible online, are vulnerable to the identified security flaws. This number indicates a substantial portion of the pfSense user base that could be at risk. The fact that these pfSense instances are exposed online exacerbates the risk. Being accessible over the internet makes them potential targets for remote attackers who can exploit the vulnerabilities without needing physical access to the network. The combination of command injection and cross-site scripting vulnerabilities in these instances creates a potential for remote code execution (RCE). This means that an attacker could remotely execute arbitrary code on the affected pfSense device, leading to complete system compromise.
  3. Nature of the Security Flaws: The vulnerabilities involve dangerous command injection and cross-site scripting (XSS) flaws. These types of vulnerabilities are particularly alarming because they can be exploited to run malicious scripts or commands, leading to a full compromise of the server.
  4. Patch Management Lag: Despite the availability of patches released by Netgate, the company behind pfSense, a significant number of instances remain unpatched and vulnerable. This delay in applying critical updates leaves these systems exposed to potential cyber attacks.
  5. The Criticality of Timely Updates: This situation highlights the crucial importance of regular system updates and patch management in the realm of cybersecurity. Systems running outdated or unpatched software are often prime targets for cybercriminals looking to exploit known vulnerabilities.
  6. Potential Impact of Exploitation: If these vulnerabilities are exploited, the consequences could be severe. They range from unauthorized access to sensitive data and disruption of network services to the potential for widespread malware infection.
  7. Urgent Call to Action: Administrators and users of pfSense servers are strongly advised to update their systems to the latest version immediately. This action is necessary to mitigate these vulnerabilities and protect against potential exploitation by malicious actors.

The revelation of these vulnerabilities in pfSense servers serves as a stark reminder of the ever-present and evolving nature of cybersecurity threats. It underscores the need for constant vigilance, regular system updates, and robust security protocols to safeguard digital infrastructures.


Tags: Hacking Firewalls, PFSENSE FIREWALL


Dec 13 2023

Which cybersecurity controls are organizations struggling with?

Category: cyber security, Security controls | disc7 @ 7:58 am

How well are organizations implementing cybersecurity controls within the Minimum Viable Secure Product (MVSP) framework? A recent examination conducted by Bitsight and Google indicates a mix of positive and negative outcomes, highlighting areas where enhancement is needed.

What is MVSP?

Minimum Viable Secure Product (MVSP) is a baseline security checklist for B2B software and business process outsourcing suppliers, consisting of 25 controls across four key areas – Business, Application Design, Application Implementation, and Operational.

For the “Cybersecurity Control Insights: An Analysis of Organizational Performance” study, Bitsight and Google collaborated to create a methodology to measure organizational cybersecurity performance using Bitsight analytics across the MVSP framework.

The study analyzed the cybersecurity performance of nearly 100,000 organizations around the world across nine industries. Bitsight mapped its risk vectors to 16 of the MVSP controls and reported performance in 2023 and over time (most recently March 2023). Google validated the statistical approach employed in this analysis.

Are organizations meeting cybersecurity performance standards?

The study found that while every industry in 2023 has a high Pass rate for 10 of the 16 MVSP controls studied, many organizations are still failing on controls critical to protecting themselves against cyber incidents.

The findings indicate that organizations across all industries have several areas in which they must improve their vulnerability management program to reduce exposure to potential breaches.

Notably, 2023 Computer Software industry Fail rates for Dependency Patching and Time to Fix Vulnerabilities — which map to Bitsight analytics correlating to the likelihood of a breach — did not improve from 2020 rates as much as the macro average, leaving other industries vulnerable to third-party risk given their reliance on computer software.

But organizations did have near-100% Pass rates for the following areas:

  • Data handling
  • Incident handling
  • Logging
  • Logical access

They also had high Pass rates for Customer training (contributing to a safer third-party digital ecosystem) and Training (organizations are taking training efforts seriously as human error can have serious consequences).

Organizations across all industries are struggling with controls critical to the health of an organization’s vulnerability management program, Bitsight found.

Eight MVSP controls that are important for vulnerability management – External Testing, Self-assessment, Vulnerability Prevention, Encryption, HTTPS-only, Security Headers, Dependency Patching, Time to Fix Vulnerabilities – have either high 2023 Fail rates, low Pass rates, or both, across all industries.

Finally, there has been a decline in use of security headers, including in the computer software industry.

“We expected CS to outperform in most respects but that is not what we observed. CS’s stagnation — and at times underperformance — may be attributed to many factors, including workforce challenges, rising asset inventories, lacking cybersecurity tools, and more,” the analysts noted.

Keeping up with threats

Business leaders around the world need to understand where their companies’ vulnerabilities lie and how they match up with others to better manage increasingly complex cyber risks and stakeholder demands. By understanding the pass and fail rates of MVSP controls, organizations will be better armed with the knowledge to benchmark their security performance and improve their cybersecurity strategies to mitigate and reduce vulnerability.

“It is more important than ever for business leaders to be fully aware of the organization’s application security risk, and how they are performing compared to their peers,” said Chris John Riley, Staff Security Engineer, Google.

“If organizations want to build and maintain a mature security posture in today’s turbulent and fast moving environment, they need leaders that prioritize security management and a culture of constant improvement. Using frameworks like the MVSP, organizations can take the initial necessary steps to develop a strong security culture within their organizations.”


Tags: cybersecurity controls


Dec 13 2023

HOW TO BYPASS EDRS, AV WITH EASE USING 8 NEW PROCESS INJECTION ATTACKS

Category: Malware | disc7 @ 7:38 am

In the ever-evolving landscape of cybersecurity, researchers are continually uncovering new methods that challenge existing defense mechanisms. A recent study by SafeBreach, a leader in cybersecurity research, has brought to light a novel process injection technique that exploits Windows thread pools, revealing vulnerabilities in current Endpoint Detection and Response (EDR) solutions. This groundbreaking research not only demonstrates the sophistication of potential cyber threats but also underscores the need for advanced defensive strategies in the digital world. Thread pool exploitation is challenging for EDRs to detect because it uses legitimate system mechanisms for malicious purposes. EDRs often look for known patterns of malicious activity, but when malware hijacks legitimate processes or injects code via expected system behaviors, such as those involving thread pools, it can blend in without raising alarms. Essentially, these techniques don’t leave the typical traces that EDRs are programmed to identify, allowing them to operate under the radar.

UNDERSTANDING PROCESS INJECTION:

Process injection is a technique often used by cyber attackers to execute malicious code within the memory space of a legitimate process. By doing so, they can evade detection and gain unauthorized access to system resources. Traditionally, this method involves three key steps: allocating memory in the target process, writing the malicious code into this allocated space, and then executing the code to carry out the attack.

THE ROLE OF WINDOWS THREAD POOLS:

Central to this new technique is the exploitation of Windows thread pools. Thread pools in Windows are integral for managing worker threads, which are used to perform various tasks in the background. These pools efficiently manage the execution of multiple threads, reducing the overhead associated with thread creation and destruction. In legitimate scenarios, thread pools enhance the performance and responsiveness of applications. Windows thread pools are a system feature used to manage multiple threads efficiently. These pools allow for the execution of worker threads that perform tasks in the background, optimizing the use of system resources. Thread pools are integral to the Windows operating system and are used by various applications for performing asynchronous tasks.

SafeBreach’s research delves into how these thread pools can be manipulated for malicious purposes. By exploiting the mechanisms that govern thread pool operations, attackers can inject malicious code into other running processes, bypassing traditional security measures. This technique presents a significant challenge to existing EDR solutions, which are typically designed to detect more conventional forms of process injection. Here are some examples of such manipulations:

  1. Inserting Malicious Work Items:
    • Attackers can insert malicious work items into the thread pool. These work items are essentially tasks scheduled to be executed by the pool’s worker threads. By inserting a work item that contains malicious code, an attacker can execute this code under the guise of a legitimate process.
  2. Hijacking Worker Threads:
    • An attacker might hijack the worker threads of a thread pool. By taking control of these threads, the attacker can redirect their execution flow to execute malicious code. This method can be particularly effective because worker threads are trusted components within the system.
  3. Exploiting Timer Queues:
    • Windows thread pools use timer queues to schedule tasks to be executed at specific times. An attacker could exploit these timer queues to schedule the execution of malicious code at a predetermined time, potentially bypassing some time-based security checks.
  4. Manipulating I/O Completion Callbacks:
    • Thread pools handle I/O completion callbacks, which are functions called when an I/O operation is completed. By manipulating these callbacks, an attacker can execute arbitrary code in the context of a legitimate I/O completion routine.
  5. Abusing Asynchronous Procedure Calls (APCs):
    • While not directly related to thread pools, attackers can use Asynchronous Procedure Calls, which are mechanisms for executing code asynchronously in the context of a particular thread, in conjunction with thread pool manipulation to execute malicious code.
  6. Worker Factory Manipulation:
    • The worker factory in a thread pool manages the worker threads. By manipulating the worker factory, attackers can potentially control the creation and management of worker threads, allowing them to execute malicious tasks.
  7. Remote TP_TIMER Work Item Insertion:
    • This involves creating a timer object in the thread pool and then manipulating it to execute malicious code. The timer can be set to trigger at specific intervals, executing the malicious code repeatedly.
  8. Queue Manipulation:
    • Attackers can manipulate the queues used by thread pools to prioritize or delay certain tasks. By doing so, they can ensure that their malicious tasks are executed at a time when they are most likely to go undetected.

These examples illustrate the versatility and potential stealth of using Windows thread pools for malicious purposes. The exploitation of such integral system components poses a significant challenge to cybersecurity defenses, requiring advanced detection and prevention mechanisms. The following are the thread pool work items that can be scheduled in Windows, along with how each one could potentially be abused:

  1. Worker Factory Start Routine Overwrite: Overwriting the start routine can redirect worker threads to execute malicious code.
  2. TP_WORK Insertion: By inserting TP_WORK objects, attackers could run arbitrary code in the context of a thread pool thread.
  3. TP_WAIT Insertion: Manipulating wait objects can trigger the execution of malicious code when certain conditions are met.
  4. TP_IO Insertion: By intercepting or inserting IO completion objects, attackers could execute code in response to IO operations.
  5. TP_ALPC Insertion: Attackers could insert ALPC (Advanced Local Procedure Call) objects to execute code upon message arrival.
  6. TP_JOB Insertion: Jobs can be associated with malicious actions, executed when certain job-related events occur.
  7. TP_DIRECT Insertion: Direct insertion allows immediate execution of code, which can be abused for running malware.
  8. TP_TIMER Insertion: Timers can be used by attackers to schedule the execution of malicious payloads at specific times.

These vulnerabilities generally stem from the fact that thread pools execute callback functions, which attackers may manipulate to point to their code, thus achieving code execution within the context of a legitimate process.

MITIGATION

Mitigating threats that involve the exploitation of Windows thread pools for process injection requires a multi-faceted approach, combining advanced technological solutions with proactive security practices. Here are some potential measures and recommendations:

  1. Enhanced Detection Algorithms:
    • Endpoint Detection and Response (EDR) solutions should incorporate advanced algorithms capable of detecting anomalous behaviors associated with thread pool manipulation. This includes unusual activity patterns in worker threads and unexpected changes in thread pool configurations.
  2. Deep System Monitoring:
    • Implement deep monitoring of system internals, especially focusing on thread pools and worker thread activities. Monitoring should include the creation of work items, modifications to timer queues, and the execution patterns of threads.
  3. Regular Security Audits:
    • Conduct regular security audits of systems to identify potential vulnerabilities. This includes reviewing and updating the configurations of thread pools and ensuring that security patches and updates are applied promptly.
  4. Advanced Threat Intelligence:
    • Utilize advanced threat intelligence tools to stay informed about new vulnerabilities and attack techniques involving thread pools. This intelligence can be used to update defensive measures continuously.
  5. Employee Training and Awareness:
    • Educate IT staff and employees about the latest cybersecurity threats, including those involving thread pool exploitation. Awareness can help in early detection and prevention of such attacks.
  6. Behavioral Analysis and Heuristics:
    • Implement security solutions that use behavioral analysis and heuristics to detect unusual patterns that might indicate thread pool exploitation. This approach can identify attacks that traditional signature-based methods might miss.
  7. Zero Trust Architecture:
    • Adopt a zero trust architecture where systems do not automatically trust any entity inside or outside the network. This approach can limit the impact of an attack by restricting access and permissions to essential resources only.
  8. Regular Software Updates:
    • Ensure that all software, especially operating systems and security tools, are regularly updated. Updates often include patches for known vulnerabilities that could be exploited.
  9. Isolation of Sensitive Processes:
    • Isolate sensitive processes in secure environments to reduce the risk of thread pool manipulation affecting critical operations. This can include using virtual machines or containers for added security.
  10. Incident Response Planning:
    • Develop and maintain a robust incident response plan that includes procedures for dealing with thread pool exploitation. This plan should include steps for containment, eradication, recovery, and post-incident analysis.

By implementing these measures, organizations can strengthen their defenses against sophisticated attacks that exploit Windows thread pools, thereby enhancing their overall cybersecurity posture.

Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems.


Tags: BYPASS EDRS, INJECTION ATTACKS


Dec 12 2023

The Cyber War is Here

Category: Cyber War, Information Security | disc7 @ 12:39 pm

What is Cyberwarfare:

Cyberwar refers to the use of digital technology, including computer systems, networks, and electronic communication, as a means to conduct warfare in the virtual realm. In a cyberwar, conflicting parties leverage cyber capabilities to carry out attacks and defenses in an attempt to achieve strategic, political, or military objectives. These attacks can target a wide range of digital assets, including computer systems, networks, and information systems.

Cyberwarfare encompasses various tactics, techniques, and procedures, such as hacking, malware deployment, denial-of-service attacks, and information warfare. The goals of cyberwarfare can range from disrupting or destroying critical infrastructure to stealing sensitive information, conducting espionage, or influencing public opinion.

Key characteristics of cyberwar include its asymmetric nature, where a smaller, technologically sophisticated actor may pose a significant threat to a larger, conventionally powerful entity. Attribution, or determining the origin of cyber attacks, can be challenging, adding complexity to the dynamics of cyberwarfare.

Governments, military organizations, and other entities invest in cybersecurity measures to defend against cyber threats and protect their critical assets from potential attacks in the digital domain. The landscape of cyberwarfare is continually evolving as technology advances and new vulnerabilities emerge.

The Cyber War is Here: U.S. and Global Infrastructure Under Attack: A CISO’s Perspective

“The Cyber War Is Here” simplifies the complex world of cybersecurity, cyber risk, and the crucial relationship between corporate boards and Chief Information Security Officers (CISOs). Written by a distinguished cybersecurity expert and USAF Veteran, it emphasizes the strategic importance of cybersecurity in modern business. Marc highlights the evolving role of CISOs, emphasizing their shift from IT guardians to strategic advisors to the board. The book explores successful board-CISO interactions and the consequences of misalignment, offering a clear blueprint for effective partnership. “The Cyber War Is Here” dives into the national and economic security implications of cyber threats, stressing the critical link between cybersecurity and national defense. The book argues that strengthening digital defenses and fostering public-private sector collaboration is essential for national resilience. Designed for a broad audience, from individuals to boards of directors, CISOs, business executives, and policymakers, this book serves as a call to action for proactive cyber governance. It illuminates the interconnectedness of individual organizational security and national security, providing both a catalog of risks and strategies and a roadmap for action in the global cyber conflict arena. “The Cyber War Is Here” is a call to action for all.

Cyber warfare


Tags: Cyber War, Cyber Warfare


Dec 12 2023

What is ISO 27002:2022

Category: ISO 27k | disc7 @ 8:48 am

What is ISO 27002?

ISO 27002, officially named “ISO/IEC 27002 Information Security, Cybersecurity and Privacy Protection – Information Security Controls,” is a widely used and well-known information security standard published by the International Organization for Standardization (ISO). ISO 27002 provides detailed guidelines for the implementation of the controls listed in ISO 27001 Annex A, because ISO 27001 provides only a high-level description of each control. ISO 27002 has become an internationally recognized set of industry best practices that support the implementation of ISO 27001.

The basics

What is the purpose of ISO 27002?

The main purpose of ISO 27002 is to help organizations implement the Annex A controls from ISO 27001, because ISO 27001 does not provide explanations for how these controls should be implemented. ISO 27002 is designed to work in conjunction with ISO 27001, as ISO 27001 describes how to manage security by implementing an Information Security Management System (ISMS).

Why is ISO 27002 important?

ISO 27002 is important because it is the only standard in the ISO 27k series that provides implementation guidance on all 93 controls defined in Annex A of ISO 27001. By using the detailed guidance in ISO 27002, companies can have a much better understanding of the best practices for controls.

ISO 27002 certification – Is it possible?

Certification against ISO 27002 is not possible. ISO 27002 is non-certifiable because, unlike ISO 27001, it is not a management standard. Instead, ISO 27002 is a code of practice (or best practices) for the implementation of security controls that support the ISMS defined in ISO 27001.

How does ISO 27002 support the ISMS?

ISO 27002 supports the ISMS by providing detailed guidance on how to implement the controls necessary to establish and operate an ISMS within a company. For example, ISO 27002 takes a whole page to explain one control, while ISO 27001 dedicates only one sentence to each control. This ensures that organizations have a comprehensive set of guidelines to use as a framework to deploy an effective ISMS in a structured manner.

What is the current version of ISO 27002?

As of the publication date of this article, the current version of ISO 27002 is ISO/IEC 27002:2022. The new 2022 revision of ISO 27002 was published on February 15, 2022.

What is the difference between ISO 27001 and 27002?

As already explained in brief, ISO 27001 is the main standard, and companies can get certified against it; companies cannot certify against ISO 27002:2022 because it is only a supporting standard.

In its Annex A, ISO 27001 provides a list of security controls and what must be achieved with those controls, but it does not explain how they can be implemented. ISO 27002 lists those very same controls and provides guidance on how they could be implemented; however, this guidance in ISO 27002 is not mandatory, i.e., companies can decide whether to use those guidelines or not.

Requirements & security controls

What are the requirements for ISO 27002?

ISO 27002 does not contain explicit requirements for companies to follow — for requirements, you should see ISO 27001. However, ISO 27002 does provide guidance on information security controls that can be applied in an organization.

What are the sections of ISO 27002?

The structure of ISO 27002 is listed and briefly explained below:

  • Clause 5: Organizational controls – This section contains all controls related to various organizational issues, comprising 37 controls.
  • Clause 6: People controls – This section focuses on controls related to human resources security, comprising 8 controls.
  • Clause 7: Physical controls — This section focuses on controls related to the physical environment and equipment, comprising 14 controls.
  • Clause 8: Technological controls — This section focuses on controls related to technological solutions, comprising 34 controls.
  • Annex A: Using attributes — This annex provides a matrix of all the new controls, it compares their attributes, and provides suggestions on how to use the controls according to their attributes.
  • Annex B: Correspondence with ISO/IEC 27002:2013 — This annex provides a mapping between controls from the 2022 revision and the controls from the previous 2013 version.

What is a security control?

ISO 27002 defines a control as “a measure that modifies and/or maintains risk.” Put simply, a control (or a safeguard) is a practice that can be implemented to reduce a risk to an acceptable level. Some examples of security controls include an Access control policy (5.15), Configuration management (8.9), and Secure coding (8.28).

How many controls are there in ISO 27002?

The 2022 revision of ISO 27002 has reduced the number of controls from 114 to 93. Some of the reasons for this reduction in the number of controls include technological advancements and an improvement in the understanding of how to apply security practices.

What are control attributes?

Control attributes provide a standardized way to sort and filter controls against different views to address the needs of different groups.

Attributes options for each control are as follows:

  • Control types: Preventive, Detective, and Corrective
  • Information security properties: Confidentiality, Integrity, and Availability
  • Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
  • Operational capabilities: Governance, Asset management, Information Protection, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationships Security, Legal and Compliance, Information Security Event Management, and Information Security Assurance
  • Security domains: Governance and Ecosystem, Protection, Defense, and Resilience

These attributes will ease the integration of ISO 27002:2022 controls with other similar security frameworks, like NIST Risk Management Framework. You can read more about the differences between the 2013 and 2022 versions of ISO 27002 in the last section of this article.

How are the controls structured?

The layout for each ISO control in ISO 27002 consists of the following elements:

  • Control title: The short name of the control
  • Attribute table: A table that shows the value(s) of each attribute for the given control
  • Control: A brief description of the control
  • Purpose: An explanation of why the control should be implemented
  • Guidance: Instructions for how the control should be implemented
  • Other information: Additional explanatory text, or references to related documents

The layout is designed to provide comprehensive information and guidance for each control, helping organizations understand and implement the necessary security measures.

How to implement ISO 27002 controls

To effectively implement ISO 27002 controls, follow a process that assesses the organization’s needs; identifies the appropriate controls, and customizes them if necessary; implements them using a structured approach; and then monitors, measures, and continuously improves them. Once completed, the implemented control should address needs at a combined technological, organizational/process, people, and documentation level.

For example, the implementation of control 8.9 Configuration management will address the following aspects:

Technology. The technology whose configuration needs to be managed could include software, hardware, services, or networks. Smaller companies will probably be able to handle configuration management without any additional tools, whereas larger companies probably need some software that enforces defined configurations.

Organization/processes. You should set up a process for proposing, reviewing, and approving security configurations, as well as the processes for managing and monitoring the configurations.

People. Make employees aware of why strict control of security configurations is needed, and train them to define and implement security configurations.

Documentation. ISO 27001 requires this control to be documented. If you are a small company, you can document the configuration rules in your security operating procedures. Larger companies will typically have a separate procedure that defines the configuration process.



Tags: ISO 27002:2022


Dec 11 2023

AI and Mass Spying

Category: AI, Cyber Spy, Spyware | disc7 @ 12:31 pm

Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did.

Before the internet, putting someone under surveillance was expensive and time-consuming. You had to manually follow someone around, noting where they went, whom they talked to, what they purchased, what they did, and what they read. That world is forever gone. Our phones track our locations. Credit cards track our purchases. Apps track whom we talk to, and e-readers know what we read. Computers collect data about what we’re doing on them, and as both storage and processing have become cheaper, that data is increasingly saved and used. What was manual and individual has become bulk and mass. Surveillance has become the business model of the internet, and there’s no reasonable way for us to opt out of it.

Spying is another matter. It has long been possible to tap someone’s phone or put a bug in their home and/or car, but those things still require someone to listen to and make sense of the conversations. Yes, spyware companies like NSO Group help the government hack into people’s phones, but someone still has to sort through all the conversations. And governments like China could censor social media posts based on particular words or phrases, but that was coarse and easy to bypass. Spying is limited by the need for human labor.

AI is about to change that. Summarization is something a modern generative AI system does well. Give it an hourlong meeting, and it will return a one-page summary of what was said. Ask it to search through millions of conversations and organize them by topic, and it’ll do that. Want to know who is talking about what? It’ll tell you.

The technologies aren’t perfect; some of them are pretty primitive. They miss things that are important. They get other things wrong. But so do humans. And, unlike humans, AI tools can be replicated by the millions and are improving at astonishing rates. They’ll get better next year, and even better the year after that. We are about to enter the era of mass spying.

Mass surveillance fundamentally changed the nature of surveillance. Because all the data is saved, mass surveillance allows people to conduct surveillance backward in time, and without even knowing whom specifically you want to target. Tell me where this person was last year. List all the red sedans that drove down this road in the past month. List all of the people who purchased all the ingredients for a pressure cooker bomb in the past year. Find me all the pairs of phones that were moving toward each other, turned themselves off, then turned themselves on again an hour later while moving away from each other (a sign of a secret meeting).

Similarly, mass spying will change the nature of spying. All the data will be saved. It will all be searchable, and understandable, in bulk. Tell me who has talked about a particular topic in the past month, and how discussions about that topic have evolved. Person A did something; check if someone told them to do it. Find everyone who is plotting a crime, or spreading a rumor, or planning to attend a political protest.

There’s so much more. To uncover an organizational structure, look for someone who gives similar instructions to a group of people, then all the people they have relayed those instructions to. To find people’s confidants, look at whom they tell secrets to. You can track friendships and alliances as they form and break, in minute detail. In short, you can know everything about what everybody is talking about.

This spying is not limited to conversations on our phones or computers. Just as cameras everywhere fueled mass surveillance, microphones everywhere will fuel mass spying. Siri and Alexa and “Hey Google” are already always listening; the conversations just aren’t being saved yet.

Knowing that they are under constant surveillance changes how people behave. They conform. They self-censor, with the chilling effects that brings. Surveillance facilitates social control, and spying will only make this worse. Governments around the world already use mass surveillance; they will engage in mass spying as well.

Corporations will spy on people. Mass surveillance ushered in the era of personalized advertisements; mass spying will supercharge that industry. Information about what people are talking about, their moods, their secrets—it’s all catnip for marketers looking for an edge. The tech monopolies that are currently keeping us all under constant surveillance won’t be able to resist collecting and using all of that data.

In the early days of Gmail, Google talked about using people’s Gmail content to serve them personalized ads. The company stopped doing it, almost certainly because the keyword data it collected was so poor—and therefore not useful for marketing purposes. That will soon change. Maybe Google won’t be the first to spy on its users’ conversations, but once others start, they won’t be able to resist. Their true customers—their advertisers—will demand it.

We could limit this capability. We could prohibit mass spying. We could pass strong data-privacy rules. But we haven’t done anything to limit mass surveillance. Why would spying be any different?

This essay originally appeared in Slate.

 #artificial intelligence, #espionage, #privacy, #surveillance

Mass Government Surveillance: Spying on Citizens (Spying, Surveillance, and Privacy in the 21st Century)


Tags: espionage, Mass Spying, Pegasus spyware, privacy, artificial intelligence


Dec 11 2023

How Well Do You Know Your Attack Surface? Five Tips to Reduce the Risk of Exposure

Category: Cyber Attack | disc7 @ 8:16 am

It’s no secret the attack surface is expanding at an unprecedented rate. We’ve hand-picked our top tips to reduce your exposure.

https://www.crowdstrike.com/blog/five-tips-to-shield-from-exposures/?

In an increasingly connected digital landscape, the security of your organization’s data and publicly facing assets is more critical than ever. According to the CrowdStrike 2023 Threat Hunting Report, more than 20% of all interactive intrusions are associated with the exploitation of public-facing applications. As an organization’s attack surface expands and cyberthreats proliferate, it is imperative IT and security teams take a proactive approach to safeguarding their digital footprint. This starts with implementing a strong exposure management program across the entire enterprise that drastically reduces all attack surface risks.

Do You Really Know Your Organization’s Attack Surface?

To stop an attack before it begins, you must first understand where critical exposures exist. You can think of your organization’s external attack surface as all of the doorways through which an attacker might attempt to sneak in. This includes anything from domain names, SSL certificates and protocols to operating systems, IoT devices and network services. These assets are scattered across on-premises environments, cloud environments, subsidiaries and third-party vendors, and they represent many of the easiest entry points to internal networks and the sensitive data they contain. 

Building a Successful Exposure Management Strategy with EASM

In an age where unknown entryways can lead to invaluable troves of information, external attack surface management (EASM) can find doors that may be left open. CrowdStrike Falcon® Exposure Management finds those potential access points before adversaries do. 

Our EASM technology, as part of Falcon Exposure Management, uses a proprietary engine to continuously scan the entire internet, enabling organizations to see their attack surface from an adversary’s perspective. The digital footprint of an organization is simple to generate, using only a company’s root domain. Once generated, it gives security teams a complete view of all of their internet-facing assets, including those on-premises and in the cloud. All exposed assets are automatically classified, analyzed and rated with a contextualized risk score, allowing teams to fix first what matters most.  

Reducing the size of your attack surface can minimize the risk of a breach. By following the five tips below, organizations can reduce the number of opportunities an adversary has, strengthen their cybersecurity posture and proactively protect valuable assets from malicious actors.

Top Tips to Reduce External Attack Surface Exposures

  1. Do not allow Remote Desktop Protocol (RDP) connections from outside your organization’s networks

There are plenty of products and open source solutions offering remote access to company resources. When RDP is opened to the internet, it is often not monitored and is susceptible to attacks.

How: 

  • Stand up a server that sits outside of your network perimeter
  • Install nmap or any other network scanner you’re comfortable with
  • Grab a list of your IP ranges
  • Set up a cron job to scan continuously for port 3389
  • Grab the logs weekly 
  • Use this list to figure out the person inside your organization who owns or is responsible for each host that has responded on port 3389
    • Clues:
      • Domain name (if applicable)
      • IPAM IP range notes
      • Login banners
  • For any hosts that MUST have RDP exposed to the internet, enable multifactor authentication (MFA), remove them from your scan script above and continue the process of scanning
  • Use Network Level Authentication, a Remote Desktop Services feature that requires a user to authenticate before connecting to the server
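The weekly log review in the steps above can be scripted. The following is an added example, not code from the original post: it parses nmap grepable output (`-oG`), skips hosts on an approved-exception list, and attaches an owner clue from IPAM range notes. The sample log, the exception list, the IPAM notes and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of one week's nmap grepable output (-oG) for port 3389.
SAMPLE_SCAN_LOG = """\
# Nmap scan initiated as: nmap -Pn -p 3389 -oG - 192.0.2.0/24 198.51.100.0/24
Host: 192.0.2.10 (rdp-gw.example.com)\tStatus: Up
Host: 192.0.2.10 (rdp-gw.example.com)\tPorts: 3389/open/tcp//ms-wbt-server///
Host: 192.0.2.44 ()\tStatus: Up
Host: 192.0.2.44 ()\tPorts: 3389/open/tcp//ms-wbt-server///
Host: 198.51.100.7 (build01.example.com)\tPorts: 3389/filtered/tcp//ms-wbt-server///
Host: 198.51.100.23 (legacy-app.example.com)\tPorts: 3389/open/tcp//ms-wbt-server///
# Nmap done
"""

# Constructed IPAM range notes: CIDR -> responsible team.
IPAM_NOTES = {
    "192.0.2.0/27": "Corp IT / remote access team",
    "198.51.100.0/24": "Engineering / build infrastructure",
}

# Hosts that MUST expose RDP and already have MFA and NLA enabled (constructed).
APPROVED_EXCEPTIONS = {"192.0.2.10"}

NO_NOTE = "no IPAM note: check domain name and login banner"

# Grepable lines look like: Host: <ip> (<rdns>)<TAB>Ports: <port>/<state>/<proto>/...
HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: ([^\t]*)")


def open_hosts(scan_log, port=3389):
    """Return {ip: reverse_dns_name} for hosts where `port` is reported open."""
    found = {}
    for line in scan_log.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue  # comment lines and "Status:" lines carry no port data
        ip, name, ports = match.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            # "filtered" and "closed" are not exposures, only "open" counts
            if len(fields) >= 2 and fields[0] == str(port) and fields[1] == "open":
                found[ip] = name
    return found


def owner_clue(ip, ipam_notes):
    """Pick the note of the most specific IPAM range containing `ip`."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for cidr, note in ipam_notes.items():
        net = ipaddress.ip_network(cidr)
        if addr in net:
            hits.append((net.prefixlen, note))
    return max(hits)[1] if hits else NO_NOTE


def triage(scan_log, exceptions, ipam_notes, port=3389):
    """List exposed hosts that still need an owner and a fix, lowest IP first."""
    exposed = open_hosts(scan_log, port)
    report = []
    for ip in sorted(exposed, key=ipaddress.ip_address):
        if ip in exceptions:
            continue  # approved, MFA-protected host
        report.append({
            "ip": ip,
            "dns": exposed[ip] or None,
            "owner_clue": owner_clue(ip, ipam_notes),
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_SCAN_LOG, APPROVED_EXCEPTIONS, IPAM_NOTES):
        print(f"{row['ip']:<16} {row['dns'] or '-':<26} {row['owner_clue']}")
```

Passing a different `port` reuses the same triage for the HTTP scan logs described in the next tip.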

  2. Avoid allowing directory listing on your web servers

Directory listings expose the server to traversal attacks and a large variety of vulnerabilities. Moreover, the web server may contain files that shouldn’t be exposed through links on the website. Ensure your server does not expose directory listings, and if it must, make sure the directories do not contain sensitive information. 

How: 

  • Stand up a server that sits outside of your network perimeter 
  • Install nmap or any other network scanner you are comfortable with
  • Grab a list of your IP ranges
  • Set up a cron job to scan continuously for open HTTP 
  • Grab the logs weekly 
  • For every host answering on an HTTP or HTTPS port, use this list as an input for your web app scanning tool of choice (such as nikto or dirsearch)
  • For any host allowing directory traversal, figure out the person inside your company who owns or is responsible for this website
    • Clues:
      • Domain name (if applicable)
      • IPAM IP range notes
      • Login banners
      • Other website info

  3. Place test environments behind a VPN

Ensure none of your development, staging or test environments is exposed to the internet. These environments are often not well-secured and in many cases have access to restricted resources.

How: 

  • Identify all of your production environments:
    • Have a clear list of domains and IP ranges from IT admin, content delivery network providers and web application firewall providers
    • Query whois reverse search under your organization name (there are multiple vendors and open source tools for this) 
  • All other environments (domains, subdomains and machines with external-facing IPs) should be protected with a VPN and MFA

  4. Avoid hostile subdomain takeovers

Confirm none of your subdomains is expired or points to third-party pages and accounts that no longer exist, as it might be vulnerable to hostile subdomain takeovers. If you find such subdomains, reconfigure the DNS settings or remove the DNS entry pointing to the external service.

How: 

  • Talk to your IT admin team and get access to your DNS (may be route53, may be self-hosted)
  • Do a zone transfer on all of the domains your organization owns
  • Get a list of all of your IP ranges
  • Parse the IP addresses against your known IP range list
  • For any IPs that aren’t part of your infrastructure, figure out who they belong to (whois lookup, published list of cloud provider IP ranges)
  • Determine if they are pointing at anything you know you own
  • Any unused subdomain should be retired properly:
    • Use “Null MX” record
    • Use DMARC configuration to prevent any email from being sent on behalf of the sub/domain
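The zone review in the steps above, as an added example that is not part of the original post: it parses zone-transfer output, flags address records outside your known ranges and CNAMEs that point at names you do not own, and emits the Null MX and DMARC records for a subdomain being retired. The zone data, IP ranges, domain names and function names are constructed for illustration.

```python
import ipaddress

# Constructed zone-transfer output in the usual "name TTL IN TYPE rdata" layout.
SAMPLE_ZONE = """\
; constructed AXFR output for example.com
example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 2023121101 7200 900 1209600 300
example.com.        3600 IN NS    ns1.example.com.
www.example.com.    300  IN A     192.0.2.20
shop.example.com.   300  IN A     203.0.113.50
blog.example.com.   300  IN CNAME example-blog.hosted-pages.example.net.
docs.example.com.   300  IN CNAME www.example.com.
old.example.com.    300  IN A     198.51.100.99
"""

KNOWN_RANGES = ["192.0.2.0/24"]   # constructed: IP ranges the organization runs
OWNED_DOMAINS = ["example.com"]   # constructed: domains the organization owns


def parse_zone(text):
    """Yield (name, type, rdata) for every IN record; skip comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        yield parts[0].rstrip(".").lower(), parts[3].upper(), " ".join(parts[4:])


def is_owned_name(name, owned_domains):
    """True when `name` equals or sits under one of the owned domains."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in owned_domains)


def review_zone(text, known_ranges, owned_domains):
    """Return records that need a human decision, in zone order."""
    nets = [ipaddress.ip_network(r) for r in known_ranges]
    findings = []
    for name, rtype, rdata in parse_zone(text):
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if not any(addr in net for net in nets):
                findings.append((name, rtype, rdata,
                                 "address outside known ranges: identify the owner "
                                 "(whois, published cloud provider ranges)"))
        elif rtype == "CNAME" and not is_owned_name(rdata, owned_domains):
            findings.append((name, rtype, rdata.rstrip("."),
                             "third-party target: confirm the page or account "
                             "still exists and is yours"))
    return findings


def retirement_records(name):
    """Zone lines for a retired subdomain: Null MX (RFC 7505) and DMARC reject."""
    fqdn = name.rstrip(".") + "."
    return [
        f"{fqdn} IN MX 0 .",
        f'_dmarc.{fqdn} IN TXT "v=DMARC1; p=reject"',
    ]


if __name__ == "__main__":
    for name, rtype, rdata, why in review_zone(SAMPLE_ZONE, KNOWN_RANGES, OWNED_DOMAINS):
        print(f"{name:<20} {rtype:<6} {rdata:<40} {why}")
    print("\n".join(retirement_records("old.example.com")))
```

A flagged record is a prompt for review, not proof of a takeover risk: the DNS entry is removed or repointed only once the target is confirmed abandoned.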

  5. Enforce input validation

Enforce input validation on all internal and external inputs to prevent injection attacks. Input validation best practices include: predefining input size limitation per field and type (str/int if applicable), applying maximum retries for password and user fields, and enforcing backend strict logic to prevent injections (prepared statements with parameterized queries, stored procedures, escaping all user inputs, etc.).

How: 

  • Forms fields
  • Uniform resource identifiers (URIs)
  • APIs
  • Attachments
  • And more

Bonus Tip: Continuously monitor your attack surface

Securing an expanding attack surface is challenging. The dynamic nature of most modern IT ecosystems means secure assets can suddenly become exposed unknowingly due to an error, misconfiguration or simple oversight. This category of forgotten assets can grow for many reasons: employees with revoked access, engineers with lingering cloud token permissions, or unmaintained databases that should have never been exposed in the first place. Moreover, there are instances of abandoned assets that remain unused or unclassified for extended periods, leaving IT departments without records and, consequently, unable to secure them. Regardless of their origin, these assets present significant security risks.

Having an effective exposure management program enables teams to stay vigilant and proactively monitor and secure entire IT ecosystems, which is essential in safeguarding an entire attack surface. You need to add a scalable way to monitor your internet-facing assets and discover your unknown exposures and risks in real time.

Additional Resources

Mastering Attack Surface Management: A Comprehensive Guide To Learn Attack Surface Management

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Attack Surface


Dec 09 2023

PowerShell Tips and Tricks

Category: PowerShell Security | disc7 @ 11:10 am

Powershell Tips & Tricks – via Hadess | حادث

PowerShell Pocket Reference: Portable Help for PowerShell Scripters


Tags: PowerShell Tips and Tricks


Dec 08 2023

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Category: Hacking, Security vulnerabilities | disc7 @ 11:18 am

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative targets. 

Outlook vulnerabilities offer:

  • Access to sensitive emails 
  • Access to sensitive information

WinRAR vulnerabilities provide an entry point to manipulate compressed files, potentially executing malicious code on a victim’s system.

Cybersecurity researchers at Proofpoint recently discovered that the TA422 APT Group is actively exploiting the Outlook and WinRAR vulnerabilities to attack organizations.

Exploitation of Patched Vulnerabilities

Since March 2023, Proofpoint found Russian APT TA422 using patched vulnerabilities to target Europe and North America. The TA422 APT group is linked to the following groups and tied to the Russian GRU by the US Intelligence Community:-

While engaging in typical targeted actions, TA422 showed an unexpected surge in emails exploiting CVE-2023-23397, a Microsoft Outlook vulnerability, sending over 10,000 emails to diverse sectors. 

Besides this, the operators of the TA422 APT group also exploited a WinRAR vulnerability, CVE-2023-38831, in their campaigns.

TA422 launched massive campaigns in March 2023, exploiting CVE-2023-23397 against targets in:

  • Europe
  • North America

Earlier, they targeted Ukrainian entities in April 2022 using the same exploit. Proofpoint noticed a significant surge in activity, with over 10,000 attempts to exploit a Microsoft Outlook vulnerability during late summer 2023. 

It’s unclear if this was a mistake or a deliberate effort to gather target credentials. TA422 re-targeted higher education and manufacturing users, suggesting these entities are priority targets. 

In the late summer campaign, TA422 used an appointment attachment with a fake file extension, leading to an SMB listener on a compromised Ubiquiti router. 

This router acted as an NTLM listener, recording inbound credential hashes without extensive network engagement when Outlook processed the attachment.

Late summer 2023 sample of TA422 phishing email. (Source – Proofpoint)

Proofpoint’s tracking of Portugalmail addresses revealed more TA422 activity. In September 2023, TA422 exploited WinRAR vulnerability CVE-2023-32231 in two campaigns, using different Portugalmail addresses and spoofing geopolitical entities. 

Emails with BRICS Summit and European Parliament meeting subjects contained RAR attachments dropping a .cmd file. 

The file modified proxy settings, downloaded a lure document, and connected to an IP-literal Responder server. The server, likely a compromised Fortigate FortiOS Firewall, initiated the NTLM credential exchange.

Lure document from the September 1, 2023 campaign. (Source – Proofpoint)

Between September and November 2023, Proofpoint tracked TA422 campaigns using Portugalmail and Mockbin for redirection.

Mockbin campaign lure documents. (Source – Proofpoint)

Targeting government and defense sectors, TA422 employed Mockbin to lead victims to InfinityFree domains. After browser fingerprinting, victims were directed to InfinityFree, initiating a chain of activity.

Despite the exploitation of disclosed vulnerabilities like CVE-2023-23397 and CVE-2023-38831, TA422 persists, likely relying on unpatched systems for continued success.

IOCs

IOCs (Source – Proofpoint)


Tags: Outlook Vulnerabilities, WinRAR Vulnerabilities


Dec 07 2023

How Malicious Insiders Use Known Vulnerabilities Against Their Organizations

Category: Insider Threat | disc7 @ 4:17 pm
https://www.crowdstrike.com/blog/how-malicious-insiders-use-known-vulnerabilities-against-organizations/
  • Between January 2021 and April 2023, CrowdStrike Counter Adversary Operations and the CrowdStrike Falcon® Complete managed detection and response (MDR) team identified multiple incidents in which an internal user either exploited or sought to exploit a known vulnerability, or deploy offensive security tooling against their enterprise environment.
  • Approximately 55% of the identified insider threat incidents involved unauthorized use or attempted use of privilege escalation exploits.
  • Approximately 45% of insider threat incidents involved insiders who unwittingly introduced risk to their environment through the unauthorized download of exploits or by downloading other offensive security tools for testing or training purposes.
  • Given overlaps in vulnerability use and typical actions on objectives, many methods that detect and mitigate targeted intrusion and eCrime activity are also applicable to insider threat activity.

We are well aware of the devastating effect insiders can have when using their legitimate access and knowledge to target their own organization. These incidents can result in significant monetary and reputational damages. Entities small and large, across all sectors, can fall victim to insider threats.

Insider-led cybersecurity incidents are growing more frequent — and more expensive: Reports from the Ponemon Institute state the number of insider threat events increased by 44% from 2020 to 2022. The average cost per malicious and non-malicious incident climbed to $648,000 USD and $485,000 USD, respectively.1 These incidents can also result in brand and reputational damages that, while hard to quantify, have a significant impact.

What Is an Insider Threat?

For the purposes of this article, an insider threat is defined as an individual with the potential to wittingly or unwittingly use their access to negatively affect the confidentiality, integrity or availability of their organization’s information or information technology (IT) systems. Within this context, an unauthorized user leveraging a privilege escalation exploit — to gain the permissions necessary to delete network logs or conceal their hands-on-keyboard activity — represents an example of a willing insider threat. Meanwhile, an individual who has permission to use exploits as part of their duties but inadvertently uses the wrong computer/system, or fails to follow the proper safe-handling standard operating procedures, represents an example of an unwitting insider threat.

Source: https://insights.sei.cmu.edu/blog/cert-definition-of-insider-threat-updated/

Since 2021, CrowdStrike Intelligence has observed insider threats achieve their goals through the exploitation of known vulnerabilities. While these activities are hard to detect, not all is doom and gloom. An intelligence-driven review of known cases shows that many defensive actions used to detect and mitigate targeted intrusion and eCrime adversaries are also effective at stopping insider threat activity, given overlaps in vulnerability usage and post-exploitation activity. Falcon Complete can help detect and contain these threats, protecting customers from both insider threats and external adversaries.

Insiders’ Commonly Exploited Vulnerabilities

CrowdStrike Counter Adversary Operations and CrowdStrike Falcon Complete analyzed incidents from January 2021 to April 2023 to deduce the most prevalent vulnerabilities leveraged without authorization by internal users in their enterprise environment. This is a high-confidence qualitative assessment based on observed behaviors consistent with attempted or successful exploitation based on Falcon Complete incident data. These incidents fall into two broad categories: 

  • Unauthorized exploitation to escalate privileges and support follow-on objectives
  • Unauthorized testing of exploits or downloading of offensive tools for defensive or training purposes

While this article covers specific vulnerabilities, it is not intended to conclusively identify all vulnerabilities potentially related to insider threat activities. Depending on the intended target and objectives, numerous other vulnerabilities with existing public proof-of-concept exploits could accomplish similar objectives.

Unauthorized Exploitation to Escalate Privileges and Support Follow-on Objectives

Privilege escalation is typically the intermediate step between initial access and reaching the actual objective in a cyber intrusion. It is considered a critical stage in the attack chain, since many of the subsequent steps — such as defense evasion and manipulating sensitive programs/systems — require an elevated privilege level. This is especially relevant to insiders who usually possess low-level access to the target environment as part of their duties. 

An insider user that escalates privileges without authorization is abusing their access and, at a minimum, attempting to bypass the principle of least privilege (POLP). According to this principle, users and processes are only granted the minimum permissions required to perform their assigned tasks. POLP is widely considered to be one of the most effective practices for strengthening an organization’s cybersecurity posture, and it allows organizations to control and monitor network and data access.2 

Fifty-five percent of the insider threat incidents identified by CrowdStrike Counter Adversary Operations involved attempted local privilege escalation (LPE) to support follow-on actions. For example, insiders sought higher privileges to download unauthorized software, remove forensic evidence or troubleshoot IT systems. By attempting to escalate privileges, these internal users wittingly or unwittingly introduced risk to their network, and as a result, these incidents fall under the insider threat umbrella regardless of malicious intent (see Figure 1).

Figure 1. Hypothetical example of an insider threat leveraging a local privilege escalation (LPE)

These incidents leveraged six well-known vulnerabilities that have publicly available exploit proof-of-concept (POC) code on GitHub and are included in the United States Cybersecurity and Infrastructure Security Agency (CISA) catalog of known exploited vulnerabilities (KEV). The broad range of vulnerabilities used highlights the large number of potential attack vectors and the breadth of the attack surface.  

| CVE Number | CVE Name | Targeted OS | In CISA KEV |
| --- | --- | --- | --- |
| CVE-2017-0213 | Windows Component Object Model (COM) Elevation of Privilege Vulnerability | Windows | Yes |
| CVE-2022-0847 | Linux Kernel Privilege Escalation Vulnerability (aka DirtyPipe) | Linux | Yes |
| CVE-2021-4034 | Polkit Out-of-Bounds Read and Write Vulnerability (aka PwnKit) | Linux | Yes |
| CVE-2019-13272 | Linux Kernel Improper Privilege Management Vulnerability | Linux | Yes |
| CVE-2015-1701 | Microsoft Win32k Privilege Escalation Vulnerability | Windows | Yes |
| CVE-2014-4113 | Microsoft Win32k Privilege Escalation Vulnerability | Windows | Yes |

Table 1. Vulnerabilities observed being leveraged by insiders to escalate privileges

CVE-2017-0213 Incidents

In early April 2023, CrowdStrike Falcon Complete detected and blocked an internal user’s attempt to exploit a Windows Component Object Model (COM) privilege escalation vulnerability (CVE-2017-0213) at a Western Europe-based retail entity. Specifically, the internal user leveraged the WhatsApp messenger application to download an exploit targeting CVE-2017-0213 in an attempt to escalate privileges and install the uTorrent file-sharing application as well as unauthorized games. 

Successful exploitation of CVE-2017-0213 allows an authenticated attacker to run arbitrary code with elevated privileges. Since April 2022, CrowdStrike Falcon Complete has detected six other incidents involving internal users attempting to leverage CVE-2017-0213 to conduct unauthorized follow-on activities. Notably, in late July 2022, a terminated employee at a U.S.-based media entity unsuccessfully attempted to leverage this vulnerability to conduct unauthorized activities.  

Other Incidents

The remaining incidents involved internal users leveraging five privilege escalation vulnerabilities to gain elevated privileges in order to conduct unauthorized follow-on operations. Notably, in mid-July 2022, an internal user at an Australia-based technology entity attempted to execute an exploit for CVE-2021-4034 (PwnKit) to gain administrative rights and troubleshoot their host machine. Also, in mid-October 2022, an internal user at a U.S.-based technology entity leveraged CVE-2015-1701, a Microsoft Win32k privilege escalation vulnerability, to gain the necessary permissions to bypass internal controls and allow for the unauthorized installation of a Java virtual machine.  

How Insider Threats Unintentionally Put Organizations At Risk

Forty-five percent of the insider threat incidents identified by CrowdStrike Counter Adversary Operations involved insiders who unwittingly introduced risk to their environment via the unauthorized download of exploits or by downloading other offensive security tools for testing or training purposes. In these incidents, the insiders, who may be responsible for using exploits and offensive tools as part of their regular duties, unwittingly introduced risk to their environment by not following safe-handling procedures (see Table 2). For example, in some of the incidents, the insider users should have downloaded the exploits in virtual machines or other specific hosts to provide better network segmentation between testing and production environments. 

There are several ways this could cause damage. Testing exploits on unauthorized systems could disrupt operations, as some exploits could cause system crashes or other unintended negative actions. Additionally, an adversary with a foothold on the insider threats’ network could leverage these exploits or tools to support their own malicious activity. Finally, downloading unvetted code can introduce backdoors or other malicious artifacts into the internal user’s network.

Below are some of the vulnerabilities involved in cases of insider threats unintentionally putting their organization at risk. 

| CVE Number | CVE Name | Targeted OS | In CISA KEV |
| --- | --- | --- | --- |
| CVE-2021-42013 | Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal | Mac | Yes |
| CVE-2021-4034 | Polkit Out-of-Bounds Read and Write Vulnerability (aka PwnKit) | Linux | Yes |
| CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability | Windows | Yes |
| CVE-2016-3309 | Windows Kernel Privilege Escalation Vulnerability | Windows | Yes |
| CVE-2022-21999 | Windows Print Spooler Elevation of Privilege Vulnerability | Windows | Yes |
| N/A | Metasploit Framework | N/A | N/A |
| N/A | ElevateKit | N/A | N/A |

Table 2. Vulnerabilities observed being leveraged by insiders for testing/defensive purposes

CVE-2021-42013 Incident

In October 2022, CrowdStrike Falcon Complete detected and contained a script leveraging CVE-2021-42013 to launch an Apache reverse shell at a U.S.-based technology entity. Successful exploitation of CVE-2021-42013 allows an unauthenticated attacker to execute code remotely. In this incident, the internal user leveraged this vulnerability without permission to exploit a server as part of a Capture-the-Flag (CTF) competition. This incident highlights the importance of properly scoping and communicating any restrictions regarding CTF and similar exercises in corporate networks.

Other Vulnerability Incidents

Other incidents involved internal users exploiting individual vulnerabilities for testing and/or training purposes. While these users — often in security roles — are permitted to test exploits as part of their job duties, they were not authorized to conduct that activity in the specific hosts that triggered the CrowdStrike Falcon® sensor. For example, in February 2023, an internal user at a United States-based technology entity attempted to download an exploit for CVE-2016-3309, a Windows kernel privilege escalation vulnerability, on their corporate computer instead of on the approved system for these types of activities (a separate virtual machine). The Falcon Complete team was able to quickly triage event logs recorded using Falcon’s Endpoint Activity Monitoring (EAM) application to provide additional context surrounding the initial download of the CVE-2016-3309 exploit.

Metasploit Framework

From May 2022 to February 2023, Falcon Complete observed multiple incidents involving the unauthorized deployment of the Metasploit Framework on Windows and Linux hosts by insider users. The Metasploit Framework is a well-known penetration testing framework that can be used for exploitation, enumeration, post-exploitation and other offensive activities. This tool is commonly used by security teams for testing and executing exploits — however, it can also provide insiders a readily available mechanism for conducting pre- and post-exploitation activities. While each incident was assessed to be related to defense-focused testing activity, the unauthorized deployment of the Metasploit Framework by an internal user introduces risks to the enterprise network.

ElevateKit

In December 2022, Falcon Complete observed an incident involving an internal user downloading and staging ElevateKit, a privilege escalation framework commonly leveraged alongside Cobalt Strike. ElevateKit registers modules with the Cobalt Strike Beacon payload to allow for privilege escalation using publicly available exploits.3 In addition to ElevateKit, the user also staged Mimikatz and PowerLurk, two tools also commonly used in penetration testing engagements for credential dumping and establishing persistence via Windows Management Instrumentation (WMI). While this incident was later determined to be related to unauthorized security testing preparation, a threat actor could potentially abuse these previously deployed tools to escalate privileges, move laterally or establish persistence. 

Non-Exploit Based Insider Threat Activity

Internal users are not limited to exploiting vulnerabilities to achieve their results. In addition to using their own credentials, insider threats could leverage various other methods to escalate privileges, evade defenses and/or execute arbitrary code. The following is a non-exhaustive list of other potential approaches and methods:

  • DLL hijacking
  • Insecure file system permissions
  • Insecure service configurations
  • Exploitation through removable media
  • Windows accessibility features bypass 
  • Image file execution options injection

Recommendations

The inherent difficulty in identifying insider threat activity, and the limited sample size, preclude definitive and granular observations. However, a review of the incidents and vulnerabilities associated with insider threats from January 2021 to April 2023 highlights several factors that may aid in preventing and detecting future insider threat activity. 

Many of the vulnerabilities described in this article have also been exploited by targeted intrusion and eCrime adversaries. Thus, many of the popular defense-in-depth measures applied by network defenders to detect and mitigate targeted intrusion or eCrime activity will help identify and neutralize insider threats, given similar overlaps in observed tactics, techniques and procedures and desired actions on objective (e.g., data exfiltration, data destruction, etc.).

CrowdStrike Counter Adversary Operations assesses that more than half of the identified insider threat incidents involved internal users’ unauthorized use or attempted use of privilege escalation exploits to support follow-on objectives. This assessment is made with high confidence based on available forensic data and observed hands-on-keyboard activity. While each user’s individual calculus for selecting specific vulnerabilities to leverage remains unknown, the chosen vulnerabilities have publicly available exploits on GitHub and have been exploited in the wild. As such, restricting or monitoring the download of exploits from GitHub and other online code repositories from personnel who do not require that access as part of their regular duties could mitigate this threat — limiting access to ready-to-use exploits can hinder insider threats from conducting malicious activity.

The use of older vulnerabilities, some disclosed as early as 2015, underscores that vulnerabilities can remain useful to all attackers (internal or external) until patched or mitigated. This is particularly relevant to internal systems that may be under a slower patching cycle than that of internet-exposed systems. Internal users are particularly well positioned to leverage older local privilege escalation vulnerabilities, as they often already possess the low-level privileges and/or credentials needed to successfully run these exploits, have a better understanding of the host environment and can conduct basic reconnaissance commands with lesser risk of discovery than a remote attacker.

Approximately 45% of the insider threat incidents involved insiders ostensibly expected to leverage exploits and offensive tools as part of their regular duties who unwittingly introduced risk to their environment by the unauthorized download of exploits or other offensive security tools. Not following proper procedures related to the handling of exploits and other offensive tooling can cause system crashes or other negative effects to the host environment. Although CrowdStrike Counter Adversary Operations has not observed this so far, a resourceful adversary with a foothold in the internal user’s network could also leverage these offensive tools or exploits for their own operations. 
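One way to implement the download monitoring recommended above, as an added Python example (not CrowdStrike's code or part of the original article). It separates the article's two incident categories: users with no testing role, and authorized testers working outside the approved host. The proxy log format, user and host names, the `example-org` repositories and the policy sets are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Code-hosting domains to watch (extend with other repositories in use).
CODE_HOSTS = {"github.com", "raw.githubusercontent.com", "codeload.github.com"}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.IGNORECASE)
# Tool names taken from the incidents described in the article.
TOOL_NAMES = ("metasploit", "elevatekit", "mimikatz", "powerlurk")

# Assumed policy: who may handle exploits, and on which hosts.
AUTHORIZED_TESTERS = {"rlee"}
APPROVED_HOSTS = {"lab-vm-07"}

# Constructed proxy log lines: timestamp, user, host, requested URL.
PROXY_LOG = """\
2023-02-14T09:12:03Z user=jdoe host=wkstn-114 url=https://github.com/example-org/CVE-2017-0213-poc/archive/main.zip
2023-02-14T09:40:51Z user=rlee host=lab-vm-07 url=https://github.com/example-org/cve-2016-3309-exploit/archive/main.zip
2023-02-14T10:02:17Z user=rlee host=laptop-231 url=https://github.com/rsmudge/ElevateKit/archive/master.zip
2023-02-14T10:15:44Z user=asmith host=wkstn-090 url=https://github.com/example-org/billing-service/archive/main.zip
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) url=(?P<url>\S+)"
)


def indicator(url):
    """Return the CVE id or tool name found in a code-host URL path, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in CODE_HOSTS:
        return None
    match = CVE_RE.search(parts.path)
    if match:
        return match.group(0).upper()
    lowered = parts.path.lower()
    for tool in TOOL_NAMES:
        if tool in lowered:
            return tool
    return None


def review(log_text):
    """Return one alert per download that falls outside the handling policy."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue
        hit = indicator(m["url"])
        if hit is None:
            continue
        if m["user"] not in AUTHORIZED_TESTERS:
            reason = "unauthorized-user"   # no testing role at all
        elif m["host"] not in APPROVED_HOSTS:
            reason = "unapproved-host"     # tester, but outside the lab system
        else:
            continue                       # authorized user on an approved host
        alerts.append({
            "time": m["ts"], "user": m["user"], "host": m["host"],
            "indicator": hit, "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in review(PROXY_LOG):
        print(alert)
```

Matching on URL paths only catches repositories and archives whose names carry a CVE id or tool name, so it complements endpoint detection and does not replace it.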

Mitigation Options 

Vulnerability Management 

It is critical to ensure timely vulnerability patching in order to protect enterprise devices. CrowdStrike Falcon Exposure Management provides real-time, instant visibility into new and emerging vulnerabilities by using scanless vulnerability assessment technology integrated with the CrowdStrike Falcon® sensor. This prioritizes risks based on an advanced AI model and integrates threat intelligence provided by the CrowdStrike Intelligence team to provide insight into trending threats.

Insider threats can also leverage non-exploit based attack vectors, suggesting timely patching alone is insufficient to address the potential threats. This is why it’s essential for organizations to implement multiple layers of defense such as Falcon Complete MDR and CrowdStrike® Falcon OverWatch™ managed threat hunting.

The Falcon Complete team actively monitors for and remediates exploitation and post-exploitation behaviors by analyzing suspicious process characteristics and behaviors, utilizing machine learning to detect malicious payloads, monitoring script execution and more. In addition, the Falcon OverWatch 24/7 threat hunting service provides early indicators of threat actor activity and exploitation attempts. Falcon OverWatch integrates indicators of compromise (IOCs) and threat intelligence provided by CrowdStrike Intelligence to identify, prevent and provide attribution for emerging threats.

User Behavior Analysis to Detect Insider Threat Activity

User behavior analysis is also a key technique that CrowdStrike Falcon® Complete Identity Threat Protection leverages to detect an adversary that may be using stolen credentials of a legitimate user or identify suspicious activity from an insider. By baselining normal behavior for every user based on authentication/historical data (which machines the user typically accesses, for example), utilizing advanced algorithms and machine learning technologies to auto-classify accounts (users and servers) — such as privileged, stealthy, service accounts, server types like VDI, etc. — and correlating with possible AD attack paths and escalation of privileges, we build detailed behavioral profiles for every entity, ultimately helping the analyst (and the detection engine) understand what is considered normal behavior and what is not. Any deviation from this baseline user behavior would set off a detection of an adversary in the environment or an insider with malicious intent, which can trigger automated responses (alert, multifactor authentication or block) based on pre-created policies.

Tailored User Training

Given the unwitting nature of many of the incidents discussed in this article, tailored training (for both new and existing employees) on how to properly download, store and execute exploits and offensive tooling for testing and training purposes could almost certainly reduce these occurrences in the future. Multiple incidents involved new employees that were not well-versed on specific company policies related to exploit handling and use of external/virtual machines for testing purposes, suggesting that it is paramount to ensure new employees — particularly those in cybersecurity roles — receive the necessary training during their onboarding process.

Additionally, many of these incidents occurred at organizations in the technology sector, suggesting more tailored training for tech-savvy employees can also help mitigate future occurrences of these types of incidents. Nonetheless, organizations should ensure new and existing security procedures to prevent these types of incidents are not overly restrictive and cumbersome as to drive internal users to find ways to bypass them.  

Sources

  1. https://www.proofpoint.com/us/resources/threat-reports/cost-of-insider-threats | https://www.thesasig.com/resources/2020-cost-of-insider-threats-global-report/
  2. https://www.crowdstrike.com/cybersecurity-101/principle-of-least-privilege-polp/
  3. https://github.com/rsmudge/ElevateKit

Managing the Insider Threat: No Dark Corners and the Rising Tide Menace


Tags: Insider Threat


Dec 06 2023

API Security Cheat Sheet

Category: API security | disc7 @ 10:59 am

API Security in Action


Tags: API security checklist, API Security in Action


Dec 06 2023

Your car is probably harvesting your data. Here’s how you can wipe it

Category: Information Security, Mobile Security | disc7 @ 8:16 am
https://therecord.media/car-data-privacy-service-wiping

It is so easy to vacuum up private data from vehicles that Andrea Amico taught his daughter how to extract text messages from her mom’s car when she was only eight years old.

Blue-haired and an engineer by training, Amico has a hacker’s mentality, which has manifested in giving drivers a way to protect their data and beat the system at no cost.

Amico is the founder and CEO of Privacy4Cars, the outfit behind a free app that lets individuals erase the astonishing amount of personal data — including text messages, biometrics and geolocation — that many automakers collect, store and often share with law enforcement, insurers and even data brokers.

Privacy4Cars also allows consumers to pull a full report on exactly what data their own car is scooping up, using nothing but a vehicle identification number.

Amico worked on car data privacy for years on what he called a “passion project” basis. After running a large car inspection business, he came to understand the scale of the problem — and the stakes — and founded Privacy4Cars in 2019.

Consumers can use the app to delete data retroactively, but there is no way to block its collection moving forward so those especially concerned about privacy have to regularly wipe the car’s data, which usually primarily resides in the infotainment system, Amico said.

The process for deletion is unique for most car models and types. Amico says the company has amassed step-by-step delete instructions for tens of thousands of vehicles, whose settings often differ by model, make, year manufactured and even how many extras customers pay for to enhance a given model.

The app typically works for four out of five cars. Wiping data can take as few as three commands, or as many as 50, Amico said. If a car owner has not downloaded a given car’s software updates, that can complicate matters.

Data linked to more than a million cars has been deleted using the app to date, Amico said.

With car data privacy in the spotlight recently, the demand is likely to rise.

Last month a Seattle-based federal judge declined to revive a class action lawsuit alleging four auto manufacturers had broken Washington state privacy laws by gathering and storing customers’ private text messages and mobile phone call logs.

The judge ruled the practice did not meet the threshold for an illegal privacy violation under state law, which requires plaintiffs prove that “his or her business, his or her person, or his or her reputation” has been threatened by the harvesting of private data.

Despite the ruling, car data privacy concerns are growing as more consumers become aware of their exposure, and even some industry figures concede more needs to be done to educate car owners about data practices.

Running the report

Privacy4Cars offers a website feature which allows users to search their vehicle identification number and quickly learn the data their car gathers, pulling and crystallizing information from the small print manufacturers typically disclose in complex, dense and lengthy terms and conditions and privacy disclosures.

A recent search of what Privacy4Cars calls its “Vehicle Privacy Report” showed a variety of automakers disclosing they can or do pull, store and even sell a wide range of data, including:

  • Personal identifiers, which can include data as granular as a driver’s signature; Social Security number; passport number; insurance policy number; employment history and medical information, among other things
  • Biometrics, which can identify individuals, including through fingerprint mapping, facial recognition and retina scans
  • Geolocation data
  • Data collected and used to create profiles on drivers
  • Consumer data collected from synced phones like text messages and call logs. Often manufacturers don’t disclose whether they also gather data from drivers’ connected smart devices when third-party apps run on or sync with the infotainment system, the report said.

Many automakers also acknowledge they share data with law enforcement, insurers and data brokers.

While some cars searched on the Privacy4Cars website were silent on whether they collect data from synced phones, Sean McKeever, a senior security researcher at GRIMM, a cybersecurity company with an automotive division, said most cars do gather and store phone data.

“If the vehicle offers phone connectivity, you can assume there is some level of data being stored on the vehicle,” McKeever said via email.

Amico estimated that about two-thirds of U.S. auto manufacturers declare they collect data from synced phones, at least for some models.

“They’re also very quick to say that it’s none of their responsibility and essentially it’s the consumers’ fault if they leave this data behind,” he said in an interview.

To use the Privacy4Cars’ Vehicle Privacy Report search tool, drivers must have their vehicle identification number (VIN). A recent random check of the privacy report’s portal, using VIN numbers linked to used vehicles on Carmax, showed that many cars collect all of the data listed above and more.

Vehicles collecting synced phone data, for example, included a 2018 Volkswagen Atlas, a 2023 Audi Q4, a 2019 Volvo XC90 and a 2020 Honda Civic. All of these vehicles also collect location data and some gather biometric data along with compiling personal identifiers and user profiles.

None of the automakers offered comment except for Volkswagen. A spokesperson said that “when a customer syncs their phone via Bluetooth, the car can access phone data as granted by the customer and all of this data is stored within the vehicle.”

They added that customers can delete this data at any time through a factory reset and noted that “while the car itself will access the data, the car does not transmit this data beyond the car.”

A privacy report for a 2020 Volkswagen Tiguan (Vehicle Privacy Report screenshot).

Many of the cars Recorded Future News searched in the Vehicle Privacy Report also allowed data to be collected from Android Auto, Apple Carplay and Amazon Alexa.

Amico said that if your car uses Android Auto, for example: “Guess what? Google collects data from you as well.” Google does not have an Android Auto-specific privacy policy or data disclosure, Amico said. The data can also potentially be sold by Google for targeted advertising. Google did not respond to a request for comment.

Privacy4Cars also takes on data brokers, offering a way for consumers to easily reach them and tell them not to sell their data. An “Assert Your Rights” button on the upper right corner of the company’s homepage takes users to a place to share their information so that Privacy4Cars can submit consumer privacy requests to first-party businesses, data brokers, and third parties on their behalf.

Consumers in the dark

Most drivers have no idea what data their car is collecting because other than through Privacy4Cars it can be very hard to track down and digest the information. The privacy disclosures for the four cars mentioned above involved between nine and 12 unique documents, and each ran between 55,00 and 60,000 words, according to the Privacy4Cars site.

Older cars appear not to be immune. A check for a 2012 Honda Odyssey, for example, revealed the vehicle collects data from synced phones, geolocation information and compiles personal identifiers and user profiles.

Car owners should use the app to wipe data particularly when they buy or sell a used car and return vehicles to car rental agencies or leasing companies, Amico said, although most people don’t know they should do so.

Four out of five used cars contain the data of previous owners since most owners and subsequently car dealers don’t wipe them clean, he said.

In some cases cars even store pieces of code from previous drivers that can allow old owners to access new owners’ data. Most cars’ infotainment systems also store text messages and other unencrypted data.

Amico’s services aren’t foolproof. The FBI, for instance, still might be able to hack into the car’s systems and extract data. But they do make it a “hell of a lot harder” for them or anyone else to do so.

Even those unworried about getting entangled with the FBI have serious reasons to delete their data, he said.

“If you have a navigation system, you have about a 50/50 chance that you can press two buttons and show up inside the house of somebody because you press ‘go home’ and then you pop the garage open,” Amico said.

This is Part 1 of a three-part series on automobile privacy that will run through the month of December.

Automated Vehicle Law: Legal Liability, Regulation, and Data Security

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Automated Vehicle, Car Security


Dec 05 2023

Hackers Use Weaponized Documents To Attack U.S. Aerospace Industry

Category: Cyberweapon, Cyberweapons, Hacking
disc7 @ 12:33 pm

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed AeroBlade, which appears to be aimed at carrying out both competitive and commercial cyberespionage.

The threat actor used spear-phishing as the delivery mechanism.

A weaponized document delivered as an email attachment reportedly contains embedded malicious VBA macro code as well as a remote template injection mechanism that provides the next stage of the payload execution, according to the BlackBerry Threat Research and Intelligence team.

AeroBlade Execution Chain

Based on the evidence, the attacker’s network infrastructure and weaponization appear to have become active around September 2022.

Researchers estimate with medium to high confidence that the attack’s offensive phase took place in July 2023. The network infrastructure stayed the same during that period, but the attacker’s toolset grew and became stealthier.

There were two campaigns found, and there were a few similarities between them, such as:

  • Both lure documents were named “[redacted].docx.”
  • The final payload is a reverse shell.
  • The command-and-control (C2) server IP address is the same.

There were a few differences between the two campaigns, such as:

  • The final payload of the attack is stealthier and uses more obfuscation and anti-analysis techniques.
  • The campaign’s final payload includes an option to list directories from infected victims.

https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig01.png
AeroBlade execution chain

A targeted email containing a malicious document attachment with the filename [redacted].docx is the first sign of an infection.

When the document is opened, it shows text in a purposefully jumbled font and a “lure” message requesting that the potential victim click on it to activate the content in Microsoft Office.

https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig02.png
Malicious document displays text in a scrambled font

The next-stage information is saved in an XML (eXtensible Markup Language) file inside a .dotm file. A .dotm file is a Microsoft Word document template that contains the default layout, settings, and macros for a document.

When the victim manually clicks the “Enable Content” lure message and opens the file, the [redacted].dotm document drops a new file to the system and opens it.
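A defender's check for the remote template injection described above, as an added example that is not from the BlackBerry report or the original post: it lists attached-template relationships in a .docx package that point to an http(s) URL. The sample packages and the host name are constructed, and the function names are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")


def find_external_templates(docx_bytes):
    """Return (part, target) pairs for attached templates fetched over http(s)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue  # relationships live only in *.rels parts
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                # Locally attached templates are also marked External (file://),
                # so only network schemes are reported.
                if (rel.get("Type") == TEMPLATE_TYPE
                        and rel.get("TargetMode") == "External"
                        and urlsplit(target).scheme in ("http", "https")):
                    hits.append((name, target))
    return hits


def build_sample(target, external):
    """Constructed input: a minimal package holding only the settings relationships."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    remote = build_sample("https://template-host.example/stage2.dotm", True)
    local = build_sample("file:///C:/Templates/Normal.dotm", True)
    print(find_external_templates(remote))  # one hit
    print(find_external_templates(local))   # no hits
```

A hit means Word will try to fetch the template from the network when the document is opened, so the target URL is worth checking against proxy and DNS logs.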

“The newly downloaded document is readable, leading the victim to believe that the file initially received by email is legitimate. In fact, it’s a classic cyber bait-and-switch, performed invisibly right under the victim’s nose”, researchers said.

The final stage of execution is an executable file that is run on the system via the macro. The final payload is a DLL that connects to a hard-coded C2 server and functions as a reverse shell. Reverse shells let attackers force communication through open ports and gain total control of the target machine.

https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig14.png
Example of information collected from infected system

Based on the content of the lure message, an American aerospace organization was the intended target of both campaigns. The goal was probably to obtain insight into the target’s internal resources to assess its vulnerability to a potential ransom demand.

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age


Tags: Cyber weapon


Dec 04 2023

CyberAv3ngers hit Unitronics PLCs at multiple US-based water facilities

Category: OT/ICS
disc7 @ 11:28 am

CyberAv3ngers targeting Unitronics PLCs

CISA has recently confirmed that Iran-affiliated attackers took over a Unitronics Vision Series PLC at a water system facility in Pennsylvania, and urged other water authorities to promptly secure their Unitronics PLCs.

The agency has advised them to change the default password and port used by the PLC, disconnect it from the open internet or secure remote access by using a firewall, VPN and multi-factor authentication (MFA), create configuration backups, and update the PLC/HMI to the latest available version.

CyberAv3ngers has previously claimed responsibility for numerous attacks against critical infrastructure organizations in Israel working in the water, energy, shipping, and distribution sectors, and only recently targeted Unitronics PLCs deployed by multiple US-based water and wastewater facilities.

In the latest advisory, the agencies shared additional information about the APT group’s activities and indicators of compromise (IoCs) associated with their most recent attacks.

“These PLC and related controllers are often exposed to outside internet connectivity due to the remote nature of their control and monitoring functionalities. The compromise is centered around defacing the controller’s user interface and may render the PLC inoperative. With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber physical effects on processes and equipment,” the advisory explains.

“It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved. Organizations should consider and evaluate their systems for these possibilities.”

The UK National Cyber Security Centre (NCSC) says that the compromise of the PLCs is “highly unlikely” to disrupt routine operations of affected organizations. “There is a very low potential risk, if the threat is unmitigated, to some small suppliers,” they noted.

The agencies repeated CISA’s initial risk mitigation advice and urged organizations to apply it to all internet-facing PLCs, not just those manufactured by Unitronics (which, it has been pointed out, may also be rebranded and appear as made by different manufacturers).

Finally, they called on device manufacturers to do their part in securing OT devices by:

  • Not shipping products with default passwords
  • Avoiding the exposure of administrative interfaces to the internet
  • Not imposing additional fees for security features
  • Making sure the devices support MFA

Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS


Tags: PLCs vulnerability


Dec 03 2023

OWASP API Security Top 10 2023

Category: API security
disc7 @ 10:57 am

API Security in Action

If you want to learn more, you can check the link below

Understanding API Security and Implications


Tags: API Security, OWASP Top 10


Dec 03 2023

Introduction to Cyber Security

Category: cyber security, Information Security
disc7 @ 10:41 am

Introducing to Cybersecurity | Cyber Writes ✍

Introduction to Cyber Security: Basic to Advance Techniques


Tags: Intro to Cyber Security

