At the beginning of the new year, we decided to summarize how simple it was for penetration testers to overcome security systems in the past year. And of course, this post would be incomplete without recommendations on how to defend against these attack vectors.
1. ImageTragick 2.0
Undoubtedly, the easiest attack vector of last year was the second reincarnation of this vulnerability in ImageMagick, which Tavis Ormandy revealed on July 21, 2018. Everything is like last time: upload a picture (for example, an avatar), and automatically get arbitrary code execution on the target system. It’s so easy that it’s just embarrassing.
Protecting your application from ImageTragick is easy only at first glance. Of course, if you can afford to narrow down the list of file types that the system receives from its users to PNG, JPG and GIF, then you are very lucky — do it. And make sure that the ImageMagick policy reflects these requirements and (most importantly) does not allow processing of PostScript and derivative files. More information about ImageMagick security settings can be found here.
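The allow-list described above can be enforced on the file content itself before ImageMagick is invoked. The following is an added example, not code from the original post; the paths, the 5 MiB limit and the `convert` options are assumptions (ImageMagick 7 installs the binary as `magick`).

```python
# Added example: allow-list uploads by content before ImageMagick sees them.
# File paths, the 5 MiB limit and the convert options are assumptions.

# Leading magic bytes of the only formats the application accepts.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def sniff_image_type(data):
    """Return 'png', 'jpeg' or 'gif' when the content starts with that magic, else None."""
    for fmt, signatures in MAGIC.items():
        if data.startswith(signatures):
            return fmt
    return None

def safe_convert_args(src_path, data, dst_path, max_bytes=5 * 1024 * 1024):
    """Build an argv list for ImageMagick, or raise ValueError for anything off the allow-list."""
    if len(data) > max_bytes:
        raise ValueError("upload too large")
    fmt = sniff_image_type(data)
    if fmt is None:
        raise ValueError("file type not on the allow-list")
    # The "fmt:" prefix pins the coder, so ImageMagick does not choose one
    # from the file content or extension (e.g. a PostScript file named .jpg).
    return ["convert", f"{fmt}:{src_path}", "-strip",
            "-resize", "256x256>", f"{fmt}:{dst_path}"]

# Constructed sample inputs: a PNG header, and PostScript/SVG posing as images.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PS_AS_JPG = b"%!PS-Adobe-3.0\n% constructed sample, named avatar.jpg\n"
SVG_AS_PNG = b"<?xml version='1.0'?><svg xmlns='http://www.w3.org/2000/svg'/>"

def check(data):
    """Return the argv for accepted content, or the rejection reason as a string."""
    try:
        return safe_convert_args("/srv/uploads/tmp123", data, "/srv/uploads/out123")
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    for name, data in [("png", PNG_SAMPLE), ("ps", PS_AS_JPG), ("svg", SVG_AS_PNG)]:
        print(name, check(data))
```

The argv list is meant to be passed to the process launcher without a shell, and the check complements the ImageMagick policy rather than replacing it.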
What should you do if you have to allow the upload of SVG, PDF and other dangerous file formats? The most practical recommendation, in our opinion, is to isolate the image processing functions on a separate host, or even better in a temporary container that exists for as short a time as possible and is not integrated with other modules of the system.
The logic of this solution is elementary, so it is very effective: the user uploads the file into a temporary environment (Docker container), in which the file is processed (filtered, resized, compressed), then pushed into a static repository (S3), from which it becomes available in the main application. A more subtle approach to protection against attacks on ImageMagick can be found here.
2. Interception and recovery of password hashes
In 2018 (surprise-surprise) users still have not learned to pick long and complex passwords, so this attack vector is still very simple and extremely productive. Once one has access to the internal network, they can launch Responder and see that all neighboring hosts are generously sharing NTLMv2 hashes of their users’ passwords. Inside a Windows infrastructure network, this happens because of the default setting for the Link-Local Multicast Name Resolution (LLMNR) protocol, which contains a number of innate flaws.
Due to these weaknesses, each participant in the network can fake the answers to the LLMNR requests of their neighbors and direct their traffic to themselves. It remains only to raise the necessary fake services that will require authentication on certain TCP ports, and voila — all your hashes already belong to the attacker.
A bit less trivial is the technique of intercepting password hashes from outside the corporate network. We must admit: Microsoft is trying to make its products more secure, but still does not have time to fix all the findings of hackers. Therefore, the technique of loading an MS Office document element from an external server (which, of course, requires authentication of the user) is still valid. One example is sending a user an MS Office XML document that downloads an external file via SMB. The next steps are to retrieve the original passwords using hashcat and high-quality dictionaries and rules.
Protecting yourself from such attacks is extremely easy. Disable LLMNR and prevent outbound traffic through TCP port 445 on the firewall — that’s all. Most likely, legitimate users will not even feel the difference, but the life of hackers will become much more complicated.
3. “Universal” password of the local administrator
Using a Group Policy Object to set up a local administrator on all computers in the domain with a “universal” or “standard” password is the biggest gift administrators could give to pentesters. After receiving increased privileges on one computer in the domain, further movement through the infrastructure becomes extremely comfortable, and obtaining domain admin level access is a matter of time.
Sometimes, however, the file that contains the encoded (and not encrypted) password of the local admin has long been deleted from the share on the domain controller, and the group policy has long been removed. But the passwords set with their help are still the key to any server in the domain. Moreover, getting this password in clear form is not necessary, because its hash alone can be used with Pass-the-Hash-enabled Metasploit modules and other convenient utilities.
So deleting the group policy and password files is not an option. To right these wrongs, you must change the passwords of all local admins in the domain, or even better — rename and lock them out. Of course, all passwords should be unique, otherwise, the situation will not change at all. And the best way to get a reliable result is to use the Local Administrator Password Solution (LAPS).
4. Phishing
No changes here. With few exceptions, phishing works everywhere and every time. And we still do not understand why companies do so little to improve the situation.
The most effective pretexts for phishing in 2018 were written instructions from people holding expert (IT and IT specialists) or formal (CEO, CFO, HR) authority. Users were happy to follow the guidance they received because it looked quite legitimate and did not contain any signs of external interference. Getting hundreds of valid contacts to send phishing messages to is still not a problem, because employees are happy to share their data on social networks, and corporations’ mail servers still allow the validity of email addresses to be checked en masse.
To make phishing attacks less effective, in addition to the obviously necessary training of users, administrators can mark off external email messages with appropriate tags in the subject field. This trick is very easy to implement in GSuite and Office365, but owners of “basement” email servers will have to put a little more effort into it.
Another way to complicate phishing attacks is to prevent mass checking of email addresses on mail gateways. Typically, this check is done by opening SMTP sessions and checking large email lists, derived from the employees’ names and last names on LinkedIn and Facebook, by inserting them into the VRFY and RCPT verbs. The former command is less common now, but the latter one still often allows validating the presence or absence of an address in the email domain.
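The mass checking described above leaves a recognizable pattern on the mail gateway: one client collecting many rejections for different recipients in a short time. The following is an added example, not part of the original post, that detects this pattern; the log format, addresses, window and threshold are constructed assumptions, and real gateway logs would need their own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized log format (an assumption, not a real MTA's format).
LINE = re.compile(r"^(?P<ts>\S+) client=(?P<ip>\S+) cmd=(?P<cmd>VRFY|RCPT) "
                  r"arg=<(?P<addr>[^>]*)> reply=(?P<code>\d{3})$")

def find_enumerators(lines, window=timedelta(minutes=5), threshold=5):
    """Return {client_ip: most distinct rejected addresses seen inside one window}
    for every client that reaches the threshold."""
    rejected = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        # 55x replies to RCPT/VRFY mean the address was refused (e.g. unknown user).
        if not m or not m["code"].startswith("55"):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rejected[m["ip"]].append((ts, m["addr"].lower()))
    flagged = {}
    for ip, events in rejected.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({addr for _, addr in events[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample: one client probing name guesses, one user with a typo.
PROBES = [("a.smith", 550), ("b.jones", 550), ("c.brown", 250),
          ("d.white", 550), ("e.green", 550), ("f.black", 550)]
SAMPLE_LOG = [
    f"2018-12-03T10:00:{i:02d}Z client=203.0.113.7 cmd=RCPT "
    f"arg=<{name}@example.com> reply={code}"
    for i, (name, code) in enumerate(PROBES)
] + [
    "2018-12-03T10:02:00Z client=198.51.100.20 cmd=RCPT arg=<c.brwn@example.com> reply=550",
    "2018-12-03T10:02:30Z client=198.51.100.20 cmd=RCPT arg=<c.brown@example.com> reply=250",
]

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Flagged clients can then be rate-limited or blocked at the gateway.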
Despite the false stereotype of the inutility of combating social engineering, it is possible and necessary to counteract it. Sure thing, remote computer-based awareness training and other “traditional” methods are not suitable for that. After all, the effectiveness of social engineering is based not on a lack of education, but on the cultural features of modern society. A change in culture is a change of the artificial instincts from which the culture is woven. And this is not a task for a one-time online webinar, but for continuous learning. In other words, anyone can install a GoPhish server and regularly send out training phishing messages to their employees, but it’s unlikely that many companies do this.
5. Remote domain admin sessions
Finally, the favorite and easiest procedure for obtaining the rights of the domain admin. It is not brute-forcing passwords from password hashes, but getting them in clear text from computer memory, where they are generously left by system administrators who left a remote RDP session and went about their business. This kind of task seems complicated but it hardly is, because tools that easily implement it have been integrated into Metasploit (mimikatz & kiwi) for a long time, and they run without any interaction with the hard drive, and therefore are not detected by most modern anti-virus products.
Almost everyone ignores the requirement to restrict Windows interactive login privileges. In an ideal world, domain administrators should log in only to domain controllers, but in the ideal world, NotPetya does not happen. An essential requirement to log in everywhere with the rights of ordinary users, and then, if necessary, to use the “Run as…” tool to escalate privileges, can make your infrastructure tens of times more secure. But most likely it will not — until the first devastating incident.
On this lyrical note, we will complete our review of the most enjoyable gifts that pentesters received in 2018. Some may argue that the introduction of the above countermeasures will still not provide absolutely reliable protection. Certainly, it will not. But it will transform a cyber attack from a comfortable limousine journey into a trip in a humpback Zaporozhets, with all the relevant consequences.
Be safe out there.