This blog is aimed at business owners and users, many of whom have direct input into a business’s daily security measures.
DO NOT STOP READING if you think the AV or cyber software you have in place is all good and this blog is not relevant to you – I am willing to bet that more than 70% of people who read this will not have considered the measures that are outlined in the blog.
DO NOT STOP READING if you think I’m trying to sell you something – I’m not. Much of what you need to protect yourselves you already have and pay for; it just may not currently be implemented.
The reason for writing this blog is the growing number of reports across industry sectors of successful cyber-attacks. One very recent report in particular stood out. It was published by the Cybersecurity and Infrastructure Security Agency (CISA) – a US government cyber agency akin to the National Cyber Security Centre in the UK, which tracks, identifies and alerts businesses to the latest security threats.
The latest advisory note was issued on 4th October 2022 and has some specific details that are important for even the layperson to at least acknowledge.
The latest threats and their approach
Some of you may have recently seen some of these messages appearing in your inbox. They are usually from people you know and have corresponded with before, and feature subject titles such as: “Project” or “Important Information”. These emails usually contain a link or some other form of request, requiring you to respond.
This is often followed up by emails from the same users containing a warning or a request to delete the previous email. It would be easy to assume that this is just another phishing attack; unfortunately, it is much more complex than that…
Cyber criminals – referred to as bad actors by most cyber security firms – are targeting everything and everyone, big or small. They use a range of methods to seek out your valuable data for their nefarious purposes.
Spoofing has been around for quite some time, and most cyber-savvy users understand that a strange email, even from a colleague, could be a spoof attack. Previously, the most effective check was to compare the sender shown in the email with the actual address being used; these were usually different. But as with most things, the bad actors have identified this and adapted their tactics.
I wrote a blog about how your RSS feed could be hacked. This discussed the way in which the attack is executed, and it appears the new spoofing attack is very similar.
If you want to read about this cyber attack the link is here: https://www.vissensa.com/blog/stress-from-your-rss-the-new-hack-on-the-block/
The new spoofing method is far more dangerous because these messages are being spoofed from inside your email domain – so they are valid emails being sent in your name. They avoid all of your cyber security domain checks and have a stronger chance of getting past your email contacts’ “whitelist” settings, the list of approved or safe recipients of your mails.
Like the RSS feed attack, this new spoofing tactic relies on the hacker already being inside your network. So as long as you have a cyber security product and have your Cyber Essentials or Cyber Essentials Plus tick, you’re good – right?
Don’t be the easy target
Many businesses still fail to understand that cyber security is a layered approach. Several elements need to be in place to make an attack on your business too difficult. Eventually the attackers will get bored and move on to an easier target.
The best start for your business is to enable multi-factor authentication – this severely limits the number of routes that an attacker can take.
In recent months, shared mailbox hacks have become popular among bad actors. These are mailboxes shared amongst users within an organisation, and they often have weak or widely published credentials. Their structure is rarely audited or reviewed, and it is also rare that anyone would log on to an Outlook shared mailbox account directly – there is rarely any need.
All these factors make shared mailboxes the perfect place to hide in plain sight. Outlook shared mailboxes often have all the default functionality that an individual user account does.
Many attacks start from this shared mailbox hack, and the compromised mailbox is also used as a way in to information about your network, user directories, groups, security in place etc.
All the security measures you have in place to repel attacks from outside your network are now being bypassed by activity from inside your borders, from a valid user with valid Active Directory credentials.
Another emerging target is the MFD (Multi-Functional Device) within your network, as this also shares many of the same network domain credential attributes as the Outlook shared mailbox.
Let’s double down on the problem.
In the latest CISA alert (4th October) specific details have been shared about how such sophisticated attacks are made on organisations.
Specifically, the MFDs in an organisation have been highlighted as an attack vector that was successfully exploited. The bad actors infiltrate deep within a network, installing and configuring more and more software in order to have multiple ways to access and control it. These are known as APTs, or Advanced Persistent Threats.
The simplified narrative to this real attack is as follows.
The bad actors gathered information about the Exchange environment by performing a mailbox search, which led them to a compromised administrator account, and accessed the Exchange Web Services (EWS) application programming interface (API). A month later the bad actors returned to the network and used these compromised credentials to access the EWS API again over a virtual private network (VPN), introducing a program to interact with the victim’s network. This gave the bad actors information about the organisation’s environment and the ability to collect sensitive data from shared drives for eventual exfiltration. The actors used the organisation’s own Exchange environment to split the data being stolen into 3MB chunks, making it easy to send. At the same time the actors implanted another program called “Impacket”, used to construct and manipulate network protocols, in an attempt to move laterally to another system.
Three months later the bad actors had exploited at least 4 Microsoft vulnerabilities (each with its own “CVE” identifier) and installed over 20 further programs on the organisation’s Exchange server and other systems.
CISA discovered that Impacket used several legitimate Windows tools, such as WMI and SMB, to create the interaction with the target devices. This was enabled by the use of valid user credentials that had already been stolen.
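Remote execution over WMI and SMB with valid credentials looks like normal administration to a firewall, but it still leaves traces in the Windows event logs on the machine being driven. The script below is an added example (not from the original post or the CISA advisory) that looks for those traces. It assumes it is run as an administrator on the Exchange server or another suspect host, that process creation auditing (Security event 4688) is enabled and that the “include command line in process creation events” policy is on; the 7-day window and the match patterns are assumptions for illustration.

```powershell
# Added example (not from the original post or the CISA advisory): look for the
# traces that remote execution over WMI and SMB leaves in Windows event logs.
# Assumes: run as admin on the suspect host, process creation auditing (4688)
# enabled, command line logging enabled. Window and patterns are assumptions.

$since = (Get-Date).AddDays(-7)

# Remote execution over WMI: the WMI provider host (WmiPrvSE.exe) spawns cmd.exe
# with a remotely supplied command line. A normal user's cmd.exe is spawned by
# explorer.exe or a console window, not by WmiPrvSE.exe.
$wmiSpawns = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Parent  = $d['ParentProcessName']
            Process = $d['NewProcessName']
            Cmd     = $d['CommandLine']
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    } |
    Where-Object { $_.Parent -like '*\WmiPrvSE.exe' -and $_.Process -like '*\cmd.exe' }

# Remote execution over SMB: a service is installed (System log event 7045)
# whose binary path is a cmd.exe one-liner writing its output to an ADMIN$ or
# C$ share, a pattern legitimate software installers do not use.
$svcInstalls = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'cmd\.exe' -and $_.Message -match '\\\\.*\\(ADMIN|C)\$' } |
    Select-Object TimeCreated, Message

"WMI-spawned shells in the last 7 days: $(@($wmiSpawns).Count)"
$wmiSpawns | Format-Table Time, User, Cmd -AutoSize -Wrap
"Suspicious service installs in the last 7 days: $(@($svcInstalls).Count)"
$svcInstalls | Format-List
```

Either list being non-empty is worth an incident ticket. The user column is the point: because the attacker is using stolen but valid credentials, the account shown will be a real one, often a service or shared account, and that is the account to disable and re-credential first.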
The link to your MFD and Shared mailboxes
The bad actors used existing, compromised credentials with Impacket to access a higher-privileged service account used by the organisation’s multifunctional devices. They first used that service account to remotely access the organisation’s Microsoft Exchange server via Outlook Web Access (OWA) from multiple external IP addresses; shortly afterwards, the actors assigned the Application Impersonation role to the service account by running a PowerShell command for managing Exchange.
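The Application Impersonation role lets an account read and send mail as any mailbox, which is why granting it to a printer service account is such a significant step in this attack. The check below is an added example (not from the original post or the CISA advisory) of how an administrator can see who holds that role today and when it was granted. It assumes the ExchangeOnlineManagement module is installed and that Connect-ExchangeOnline has already been run with an account permitted to read role assignments and the unified audit log; the account-name pattern and the 90-day look-back are assumptions for illustration.

```powershell
# Added example (not from the CISA advisory or the original post): audit who
# holds the Application Impersonation role in Exchange Online and when it was
# granted. Assumes ExchangeOnlineManagement is installed and Connect-ExchangeOnline
# has been run with sufficient rights.

# 1. Every account that effectively holds ApplicationImpersonation, including
#    accounts granted it through a role group rather than directly.
$holders = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType, AssignmentMethod, WhenCreated

Write-Host "Accounts that can impersonate any mailbox:"
$holders | Format-Table -AutoSize

# 2. Flag anything that looks like a service account. The name pattern is an
#    assumption for illustration; replace it with your own naming convention.
$suspect = $holders | Where-Object { $_.EffectiveUserName -match '^(svc|service|print|scan|mfd)' }
if ($suspect) {
    Write-Warning "Service-style accounts hold ApplicationImpersonation (in the CISA case the role was added to the MFD service account):"
    $suspect | Format-Table EffectiveUserName, RoleAssigneeName, WhenCreated -AutoSize
}

# 3. Who granted the role, and when. New-ManagementRoleAssignment is the cmdlet
#    that adds a role; the unified audit log records each run of it.
#    90 days is an assumed look-back window.
$since = (Get-Date).AddDays(-90)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations 'New-ManagementRoleAssignment','Add-RoleGroupMember' -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $_.CreationDate
            Operation = $_.Operations
            By        = $_.UserIds
            Details   = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        }
    } |
    Where-Object { $_.Details -match 'Impersonation' } |
    Format-Table -AutoSize
```

In most organisations the first list should contain only the handful of accounts used by backup, migration or archiving software. A service account tied to printers or scanners, or an entry created at a time nobody remembers making a change, is exactly what the CISA narrative describes.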
Want to know more?
To keep this blog as high level as possible, I have created an alternative blog with more technical details of how APT actors infiltrate a network. If you want to dig a bit deeper, the extended information can be found here.
The full document from the CISA alert that I used as part of this blog can be accessed here:
What to do if this blog has highlighted gaps in your cyber knowledge
Firstly, don’t panic. Most of the remedial action you can take is already covered by the licences you already pay for, such as your Microsoft licences, so it’s not going to cost the earth to become safer.
- Check that you have multi-factor authentication turned on. This step alone can substantially reduce the threat of someone gaining access to your systems.
- Take time to understand what Active Directory is. You don’t need to be a techie to understand the basics, and with that knowledge you will be much better informed about what risks you might currently be taking. Vissensa have written a set of free guides on the subject of security, including what Active Directory (Azure AD) is and does, which are available here.
In Active Directory Microsoft defines four “types” of identity. If you can understand these simple terms, then you can start to know where to look for problems:
Azure AD identity types are: users, service principals, managed identities and devices.
User – a representation of something that is managed by Azure AD. Employee and guest user accounts are represented as users in Azure AD.
Service principal – a security identity used by applications or services to access specific Azure resources. You can think of it as an identity for an application.
Managed identity – typically used to authenticate cloud applications to an Azure service. There are two types: system-assigned and user-assigned.
Device – a piece of hardware, such as a mobile phone, laptop, server or printer. Device identities can be set up in different ways in Azure AD, to determine properties such as who owns the device.
- Check that Outlook shared mailboxes have strong credentials and that these can’t be changed without privileged administrator approval.
- More advisable still is to remove shared mailboxes from your Microsoft Exchange or 365 environment in favour of a secure group mailbox, which does not have the login capability of an Outlook shared mailbox account, i.e. convert the info@, HR@, sales@ etc. mailboxes.
- Check the password and credentials of any MFD (Multi-Functional Device), i.e. printer, scanner or copier, and ensure strong passwords are set on these device accounts. Also ensure that remote access to the system tools on these devices is disabled. Check which patches have been applied and ensure they are all the vendor’s own. Where possible, restrict the connectivity of these MFDs to just the parts of the network required.
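The two mailbox checks in the list above can be done in one pass rather than by opening each mailbox by hand. The script below is an added example (not from the original post or from Vissensa) that lists every Outlook shared mailbox in a Microsoft 365 tenant, reports whether direct sign-in is still allowed and whether anything stronger than a password is registered, and shows when it was last logged into. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that Connect-ExchangeOnline and Connect-MgGraph have already been run; the example address in the remediation comment is a placeholder.

```powershell
# Added example (not from the original post): find Outlook shared mailboxes that
# can still be signed into directly and check whether each has a second factor.
# Assumes ExchangeOnlineManagement and Microsoft.Graph are installed and that
# Connect-ExchangeOnline and
# Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All'
# have been run.

$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

$report = foreach ($mbx in $shared) {
    # A shared mailbox should be backed by a sign-in blocked account. If the
    # account is enabled, someone can log on to it like a normal user.
    $mgUser = Get-MgUser -UserId $mbx.UserPrincipalName -Property Id,AccountEnabled,UserPrincipalName

    # Anything other than the password method counts as a second factor here
    # (Authenticator app, FIDO2 key, phone, etc.).
    $methods = Get-MgUserAuthenticationMethod -UserId $mgUser.Id
    $strong  = $methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    }

    [pscustomobject]@{
        Mailbox       = $mbx.UserPrincipalName
        SignInAllowed = [bool]$mgUser.AccountEnabled
        MfaMethods    = ($strong | ForEach-Object {
                            $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
                        }) -join ','
        LastLogon     = (Get-MailboxStatistics -Identity $mbx.Identity).LastLogonTime
    }
}

# Mailboxes that can be logged into and have no second factor are the
# "hide in plain sight" accounts described in the post; fix these first.
$report | Where-Object { $_.SignInAllowed -and -not $_.MfaMethods } |
    Format-Table -AutoSize

# Remediation for a mailbox that should never be signed into directly: block
# sign-in in Azure AD. Delegated users still open it from Outlook as before.
# The address is a placeholder.
# Update-MgUser -UserId 'info@example.com' -AccountEnabled:$false
```

A shared mailbox with sign-in blocked still works for everyone who has been delegated access to it, so blocking sign-in is usually safe to do straight away. Where a mailbox does need a direct login, the same list tells you which ones have no second factor registered, which is where the MFA step in the list above applies.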
If you would like more information or a no obligation chat then give Vissensa security team a call.