Latest Joint Cyber Alert Warns of Initial Access Exploits







The United States (CISA, FBI, NSA), Canada, the United Kingdom, the Netherlands, and New Zealand have released a seven-page joint cybersecurity advisory (Alert AA22-137A, Weak Security Controls and Practices Routinely Exploited for Initial Access) detailing the techniques cyber actors routinely use to “gain initial access or as part of other tactics to compromise a victim’s system”.

Adversaries are constantly scanning for these common mistakes and misconfigurations. If an organization hardens these areas, most opportunistic attackers will move on when they can’t gain initial access in a reasonable amount of time. Take a look at these common initial access techniques and mitigations, and see how you can improve your company’s security posture today.

Common Techniques

Listed below, from the report, are the common techniques attackers use to obtain initial access to a victim’s systems:

  • Exploit Public-Facing Applications
      • Attackers exploit vulnerabilities (think OWASP Top Ten) in any internet-facing system, application, or service, including exposed protocols such as SMB and SSH. After gaining this initial foothold, an attacker looks for ways to establish persistence on the system or in the network.
  • External Remote Services
      • Adversaries target remote services such as VPNs, Citrix, Windows Remote Management, VNC, and other remote access tools as a way to connect to an organization’s internal network from outside. This also covers containerized environments and exposed APIs that lack authentication.
  • Phishing
      • We should all be familiar with phishing by now, but it remains one of the most common ways attackers steal credentials from unwitting users. It can arrive by e-mail, text message, social media, a phone call, or any other channel that carries a message. Most commonly, attackers send e-mail that appears to come from a trusted source and direct the user to a counterfeit log-in page that captures the credentials and forwards them to the attacker.
  • Trusted Relationship
      • To reach an intended target, an attacker may first compromise a partner or vendor the target trusts. It is not uncommon for partners or contractors to hold elevated privileges on a client’s networks or systems, and if breaching them is the easiest way to reach you, an attacker will make that extra hop. The same trust is abused in social engineering and phishing, where adversaries impersonate businesses you already deal with, such as HVAC contractors, ISPs, or cleaning services.
  • Valid Accounts
      • Adversaries use legitimate accounts to move through networks and systems without being detected. Instead of relying on malware or exploits, which defenders can typically identify, attackers log in with stolen credentials for valid, trusted accounts. Because the account already carries its own permissions, this can give the attacker reach into parts of the network that hold critical information with no privilege escalation required.


Common controls, configurations, and practices that adversaries look to exploit

  • No Multi-Factor Authentication
  • Incorrectly applied privileges or permissions, and errors in access control lists
  • Unpatched software
  • Default credentials
  • Lack of authentication for remote services
  • Lack of strong password policies
  • Unprotected cloud services
  • Open ports and misconfigured internet-facing services
  • Failure to detect phishing attempts
  • Poor endpoint detection and response

Mitigations

  • Adopt a zero-trust security model
  • Limit remote admin privileges
  • Control access to data and services
  • Harden conditional access policies
  • Verify RDP isn’t exposed to the internet; if it must be reachable, put it behind a firewall or VPN and require MFA
  • Credential hardening
  • Change default credentials
  • Detect compromised credentials
  • Generate sufficient logs and retain them long enough to investigate
  • Deploy anti-malware solutions and monitor them
  • Implement endpoint detection and response (EDR) tools
  • Conduct regular penetration tests and vulnerability scanning
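The “Detect compromised credentials” and “Generate sufficient logs” items only pay off if someone actually looks at the logs for the shapes these attacks leave. Below is an added example (our own illustration, not code from the advisory or from any product) of two detections run over a few constructed authentication events: a password spray, where one source fails against many accounts with only a couple of tries each, which per-account lockout thresholds never trip; and a success on an account that was just sprayed, or repeatedly failed, from the same source. The log format `timestamp ip user outcome`, the thresholds, and the sample IPs and usernames are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp ip user outcome" format.
# Made up for this example; not any product's real schema or real traffic.
SAMPLE_LOG = """\
2022-05-17T09:00:01Z 203.0.113.10 alice failure
2022-05-17T09:00:03Z 203.0.113.10 bob failure
2022-05-17T09:00:05Z 203.0.113.10 carol failure
2022-05-17T09:00:07Z 203.0.113.10 dave failure
2022-05-17T09:00:09Z 203.0.113.10 erin failure
2022-05-17T09:00:11Z 203.0.113.10 frank failure
2022-05-17T09:00:13Z 203.0.113.10 bob success
2022-05-17T09:05:00Z 198.51.100.7 alice failure
2022-05-17T09:05:20Z 198.51.100.7 alice failure
2022-05-17T09:05:40Z 198.51.100.7 alice success
2022-05-17T09:10:00Z 192.0.2.44 grace success
"""


def parse_log(text):
    """Parse the assumed log format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Flag a source that fails against many distinct accounts inside `window`
    while staying under `max_per_account` tries on each one: the low-and-slow
    shape that per-account lockout thresholds miss. Thresholds are assumptions.
    Returns {source_ip: sorted list of targeted accounts}."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            failures_by_ip[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures_by_ip.items():
        # Slide a window starting at each failure from this source.
        for i, start in enumerate(fails):
            in_window = [f for f in fails[i:] if f["time"] - start["time"] <= window]
            per_user = Counter(f["user"] for f in in_window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings[ip] = sorted(per_user)
                break
    return findings


def detect_compromised_logins(events, spray, window=timedelta(minutes=30),
                              min_failures=2):
    """Flag successes that look like a guessed or stolen credential:
    a success on a sprayed account from the spraying source, or a success
    preceded by `min_failures` failures on the same account from the same
    source inside `window`. Returns a list of (ip, user, reason)."""
    recent_failures = defaultdict(list)  # (ip, user) -> failure times
    alerts = []
    for e in events:
        key = (e["ip"], e["user"])
        if e["outcome"] == "failure":
            recent_failures[key].append(e["time"])
            continue
        if e["outcome"] != "success":
            continue
        prior = [t for t in recent_failures[key] if e["time"] - t <= window]
        if e["ip"] in spray and e["user"] in spray[e["ip"]]:
            alerts.append((e["ip"], e["user"], "success after password spray"))
        elif len(prior) >= min_failures:
            alerts.append((e["ip"], e["user"], "success after repeated failures"))
    return alerts


def run(text=SAMPLE_LOG):
    """Run both detections over a log text and return (spray, alerts)."""
    events = parse_log(text)
    spray = detect_password_spray(events)
    return spray, detect_compromised_logins(events, spray)


if __name__ == "__main__":
    spray, alerts = run()
    for ip, users in spray.items():
        print(f"password spray from {ip} against {len(users)} accounts: {', '.join(users)}")
    for ip, user, reason in alerts:
        print(f"possible compromised credential: {user} from {ip} ({reason})")
```

On the sample data the spray rule fires for 203.0.113.10 (six accounts, one try each), and the success rule fires twice: bob from the spraying source, and alice from 198.51.100.7 after two failures; grace’s clean login from 192.0.2.44 is not flagged. The point of running both rules is that neither alone covers the other’s case: a per-account failure counter never sees the spray, and the spray rule says nothing about a single guessed account.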

Our Takeaway

Don’t make the bad guys' job easy. Attackers try known weaknesses and common vulnerabilities first and only get fancy when those fail. If an organization takes the time to monitor for and verify that it is not making these common mistakes, the likelihood of a persistent intrusion drops sharply. Invest in security personnel and train them. Create strong password policies. Collect logs and monitor them. Patch your software. Train your employees to recognize phishing and social engineering. If you want to be secure, empower your people, and do the little things right.




