The 2010 discovery of the Stuxnet worm was one of the truly seminal moments in the world of cybersecurity. The world saw firsthand how malicious code could cause crippling damage to physical assets. Virtually every industry had to stop and take notice, and none more so than the energy sector.
Penetration testing is a critical best practice for virtually any organization’s cybersecurity posture. By putting defenses to the test against trained offensively-minded professionals, organizations can gain deep insights into how they’ll fare against real attackers. Often, the challenge is that the results are not what you would have hoped. When pen testers are able to carve through your defenses at will, it can be discouraging and hard to know where to start.
In March Patch Tuesday, Microsoft released a patch for CVE-2018-0886, a critical vulnerability that was discovered by Preempt. This vulnerability can be classified as a logical remote code execution (RCE) vulnerability. It resembles a classic relay attack, but with a nice twist: It is related to RSA cryptography (and prime numbers) which makes it quite unique and interesting.
In March Patch Tuesday, Microsoft released a patch for CVE-2018-0886, a vulnerability discovered by Preempt researchers. The vulnerability consists of a logical flaw in Credential Security Support Provider protocol (CredSSP) which is used by RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM) that takes care of securely forwarding credentials to target servers. The vulnerability can be exploited by attackers by employing a man-in-the-middle attack to achieve the ability to run code remotely on previously not infected machines in the attacked network. The vulnerability, in many real-world scenarios where victim network has vulnerable network equipment, could result in an attacker gaining the ability to move laterally in the victim’s network and even infect domain controller with malicious software. No attacks have been detected in the wild by Preempt.
Over the past few months, the Preempt research team discovered and reported two Microsoft NT LAN Manager (NTLM) vulnerabilities. These vulnerabilities have a common theme around two different protocols handling NTLM improperly. These issues are particularly significant as they can potentially allow an attacker to create new domain administrator accounts even when best-practice controls such as LDAP server signing and RDP restricted admin mode are enabled.
Really, it’s not just me saying that Active Directory is the crown jewel. It's actually them, the hackers, that de facto target the active directory in almost every advanced attack. They look for domain credentials and administrative accounts, they practice domain reconnaissance, privilege elevation, targeted attacks against the domain controller and more. Their motivation is similar to terror. For example: produce widespread fear, obtain recognition and attention of media, steal money, damage facilities and functionalities. This is why it was not surprising to learn about the QakBot Trojan causing a mess.
Just like the rest of the world, I’ve been fascinated by the CIA documents released by WikiLeaks (aka Vault 7 release). The more you read about the way CIA operates, the more it feels like there’s little anyone can do.