Cyber Security Trends 2024

Aspire’s Monthly Cyber Security Trends 2024

Welcome to the monthly 2024 cyber security trends report from Aspire’s Security Operations Centre. Our 24/7 security operations team works diligently to keep organisations safe, defending against attacks and continually developing detection capabilities to keep pace with emerging cyber security threats.

The team’s monthly threat analysis will explore the general trends Aspire are seeing in cyber attacks and provide recommendations where possible.

We will also explain the methods and tools our RealProtect managed cyber security services provide to mitigate such attacks.

March 2024

Abuse of Valid Account Credentials

Overview

Cybercriminals usually take to the path of least resistance to meet their objectives, and therefore it is worrying that it has been raised that abusing valid accounts are becoming a preferred means of access into victim environments for cybercriminals. Reports have shown that use of stolen credentials to access valid accounts surged by 71% over the previous year tied with phishing as the top infection vectors.

Additionally, X-Force observed a 100% increase in “Kerberoasting” during incident response engagements. Kerberoasting is a technique focused on compromising Microsoft Windows Active Directory credentials through Kerberos tickets. This indicates a technique shift in how attackers are acquiring identities to carry out their operations.

These shifts suggest that threat actors have revalued credentials as a reliable and preferred initial access vector.

The statistics from X-Force show that:

• 71% increase in cyber-attack which were promoted by stolen\compromised credentials.
• 32% were involved in data theft and leaks which shows that attackers have favored stealing and selling data, rather than encrypting it for extortion.
• 50% show that the AI market share milestone will incentivize attackers to invest in developing cost-effective tools to attack AI technologies.

Aspire Recommendations

• Question the email received. Are you expecting this email? Does the email look legitimate? What are the contents make sense and relevant? Does the email contain links?
• (2A) Ensure no one password is the same. Having one password for all systems makes it easier to steal those credentials as does more damage.
• (2B) Password reset policies. Often companies have a 90-day password expiration date to force users to reset their password.
• (2C) Password character policy. By setting up certain password requirements it means that users will be forced to come up with a new password. We all know how easy it is to just put an extra 1 or! at the end of an existing password. However, if the password reset policy meets some of the below requirements it makes it harder for a cyber criminal to gain unauthorized access and steal the credentials.

Example Password Requirements: 8 characters or more, numbers, special characters and when changing password, it doesn’t allow similar characters as the previous password.

• MFA Enabled, Multi-Factor authentication adds an additional layer of security by requiring users to provide a second form of verification, such as a code from a mobile app or a fingerprint scan.
• Use HTTPS, ensure that websites and applications use secure connections (HTTPS) to encrypt data during transmission. This helps protect credentials from being intercepted by attackers during communication.
• Privilege Levels, use the principle of least privilege by granting users the minimum level of access necessary to perform their job functions. Avoid unnecessary administrative privileges that could be exploited if credentials are compromised.
• Wi-Fi, use strong encryption and secure Wi-Fi protocols for wireless networks. Avoid open or unsecured networks, especially for business-related activities.
• Account Lockout Policy, enforce account lockout policies that temporarily disable an account after a certain number of failed login attempts which will help in preventing brute-force attacks

SocGholish

Overview

The SOC has seen an increased presence of SocGholish. SocGholish is a malware variant first discovered in 2018. The SocGholish attack path involves compromising a legitimate webserver, then hosting its malicious code that displays a popup suggesting the site visitors have updates pending. If the user clicks the popup to apply updates it will execute malicious JavaScript that can download other malware strains and C2 frameworks, often leading to full compromise of the victims’ machine and network.

Aspire Recommendations

• User Education: Socgholish’s infection mechanism depends on tricking a user into installing a fake browser update. Educating users about these social engineering tactics can help prevent employees from downloading and installing malware on their computers.
• URL Filtering: Socgholish distributes its malware via compromised or malicious websites. URL filtering based on threat intelligence can identify and block attempts by users to browse to URLs known to be associated with this or other malware campaigns.
• Web Security: Socgholish uses malicious JavaScript to induce the user to download and install a malicious browser update. Web security tools can inspect webpages for potential malicious content and prevent users from visiting these malicious or compromised websites.
• Endpoint Security: Socgholish is malware that collects information about a user’s machine and then installs other malware on it. An endpoint security solution should be able to identify and block the malware before it can be installed or causes damage to the system.
• Patch Management: Socgholish or other malware variants may exploit vulnerabilities as part of their installation process. Keeping web browsers and other programs up to date can help to protect them against attack.
• Data Security: Socgholish can install other malware variants, including ransomware, that put an organization’s data at risk. Implementing data security best practices – including least prvilege access controls and data loss prevention (DLP) – can help prevent.

Zero-Day Exploits

Overview

Our SOC has seen an increase in what’s known as Zero-Day Exploits. A zero-day attack is a cyber-attack where an adversary exploits a previously unknown and unpatched vulnerability (a “zero-day vulnerability”) in software or hardware. The term “zero-day” indicates that the affected vendor has had zero days to address and release a fix for the vulnerability before it is exploited by attackers.

There are many different types of zero-day exploitation. Please see some below examples along with some remediation techniques.

Method: Browser Zero-Day Exploit

Description: An attacker discovers and exploits a previously unknown vulnerability in a popular web browser.

Impact: Enables the attacker to execute arbitrary code on the victim’s system, potentially leading to unauthorized access, data theft, or malware installation.

Remediation:

• Apply browser updates promptly.
• Use browser security features such as sandboxing.
• Employ network-based security controls to detect and block malicious traffic.

Method: Operating System Kernel Vulnerability

Description: A zero-day vulnerability is discovered in the kernel of a widely used operating system.

Impact: Allows attackers to escalate privileges, compromise the integrity of the operating system, and potentially gain control of the entire system.

Remediation:

• Apply operating system updates and patches.
• Implement endpoint protection solutions.
• Employ network segmentation to limit lateral movement.

Method: Office Suite Zero-Day

Description: An attacker exploits a previously unknown vulnerability in a popular office productivity suite.

Impact: Enables the execution of malicious code in documents, leading to potential compromise of sensitive information or installation of malware.

Remediation:

• Keep office software updated.
• Disable unnecessary macros in documents.
• Use email filtering to block suspicious attachments.

Method: Mobile Device Zero-Day

Description: A zero-day vulnerability is exploited on a mobile operating system, targeting smartphones or tablets.

Impact: Allows attackers to compromise mobile devices, steal sensitive data, or remotely control the device.

Remediation:

• Apply mobile operating system updates.
• Use mobile device management (MDM) solutions for centralized security controls.
• Educate users about the risks of downloading apps from untrusted sources.

Method: Network Appliance Zero-Day

Description: A vulnerability is discovered and exploited in a network appliance, such as a firewall or router.

Impact: Allows attackers to manipulate network traffic, bypass security controls, or gain unauthorized access to the organization’s network.

Remediation:

• Regularly update firmware and software for network appliances.
• Implement intrusion detection and prevention systems.
• Monitor network traffic for anomalies

General Remediation Practices for Zero-Day Attacks:

• Stay informed about emerging threats through threat intelligence sources.
• Establish a rapid response plan for zero-day vulnerabilities, including incident detection and response.
• Employ network segmentation to limit the potential impact of a successful attack.
• Regularly update and patch software and systems promptly.
• Use intrusion detection and prevention systems to identify unusual or suspicious behavior.

February 2024

CVE-2024-21762 – Fortinet FortiOS Out-of-Bound Write Vulnerability

Overview

The vulnerability, CVE-2024-21762 (CVSS score: 9.6), allows for the execution of arbitrary code and commands. An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests. Fortinet has stated that it is likely this is being “exploited in the wild.” This is concerning as this vulnerability can lead to sensitive data exposure and/or a disruption in network operations.
The Bottom-line Up Front (BLUF) denotes that both vulnerabilities enable authenticated attackers to execute arbitrary code, significantly impacting confidentiality, integrity, and availability, and require no user interaction.

Countermeasures

It is incredibly important to identify which products are used within a company’s environment and if this is on the Affected Version and if so, upgrade these as soon as possible to mitigate potential threats. If you are unable to patch affected instances, it is possible to mitigate CVE-2024-21762 by disabling SSL VPN (Virtual Private Network) as a workaround.

Aspire Recommendations

• Patch Management: Keep all software, operating systems, and firmware up to date with the latest security patches and updates to mitigate the risk of exploitation by known vulnerabilities.
• Data backup and Recovery: Implement regular data backup procedures to ensure that critical data can be restored in the event of a cyber incident. Store backups securely, preferably offline or in a separate, isolated environment.
• Access Control and Privilege Account Management: Implement strong access control measures to limit access to sensitive data and systems. Use multi-factor authentication (MFA) for accessing critical systems and regularly review and update user access privileges.
• Employee Training: Provide regular cybersecurity training to employees to increase awareness of potential threats, such as phishing attacks, malware, and social engineering tactics. Employees should be trained on how to recognize and report suspicious activity.

Aspire SOC

A Security Operations Centre (SOC) is important in mitigating and preventing threats such as CVE-2024-21762. A SOC will provide constant monitoring and respond to any potential threats. When an attack takes place, a SOC will respond quickly to contain the threat and prevent further action taking place.

Tools a SOC will use, such as Qualys are crucial to quickly identifying and patching any vulnerabilities such as CVE-2024-21762. Qualys will scan infrastructure and identify vulnerabilities, which can then be remediated in a timely manner.

January 2024

Ivanti Connect Secure VPN faced a significant security threat due to two zero-day vulnerabilities identified as CVE-2023-46805 and CVE-2024-21887.

Summary

Two zero-day vulnerabilities in Ivanti Connect Secure VPN. Zero-day vulnerabilities are previously unknown software flaws that hackers can exploit before the software vendor has an opportunity to create a patch to fix the flaw. In this context, Ivanti Connect Secure VPN, which is widely used for secure remote access to corporate networks, is vulnerable. This situation is particularly critical because VPNs are critical for secure communication, and vulnerabilities within them can lead to unauthorised access, data breaches, and potentially large-scale security incidents.

Countermeasures

To determine if your system has been compromised by the vulnerabilities in Ivanti Connect Secure VPN as reported by Volexity, follow these key steps:

1. Run Ivanti Integrity Checker Tool: Use this tool to detect any new or mismatched files on the Ivanti Connect Secure VPN appliance. Follow instructions in Ivanti’s KB44755 for guidance on running this tool.
2. Analyse Network Traffic: Check for unusual outbound and inbound connections involving the VPN appliance. Look for signs like unexpected curl requests to external websites, reverse proxy connections, or SSH tunnelling that are not part of regular operations.
3. Review VPN Device Logs: Examine logs for signs like wiped or disabled logs, which can be a strong indicator of a compromise. Also, look for requests to atypical file paths or other irregular log entries.
4. Check for Signs of Lateral Movement: Monitor internal network traffic for unusual activities such as RDP, SMB, and SSH attempts to internal systems, or unexpected port scanning activities.
5. Examine Modifications to System Components: Look for unauthorised changes to system files, especially web components like CGI or JavaScript files used by the VPN appliance, which could indicate credential theft or command execution setups.
6. Evaluate Integrity Checker Tool Results: Pay attention to the results from the Integrity Checker Tool, particularly any reports of new or mismatched files, which could be a strong indicator of a compromise.

If any of these signs are present, it is crucial to consider the system compromised and initiate a comprehensive incident response, including forensic investigation and mitigation measures.

Recommendations

Based on the Ivanti report on the vulnerabilities in Ivanti Connect Secure VPN, here are key recommendations to safeguard your systems:

1. Apply Ivanti Mitigations and Patches: Immediately implement the available mitigations provided by Ivanti and install any patches as soon as they are released. This is crucial for preventing exploitation of the vulnerabilities.
2. Regular Use of the Integrity Checker Tool: Utilize Ivanti’s Integrity Checker Tool regularly to identify any new or mismatched files on the VPN appliance. This tool is vital for early detection of potential compromises.
3. Enhanced Network Monitoring: Vigilantly monitor network traffic for anomalies, especially outbound and inbound connections related to the VPN appliance, to detect signs of a compromise.
4. VPN Device Log Analysis: Regularly review the logs from your VPN device for unusual activities such as wiped logs, requests for uncommon file paths, or other irregular entries that might indicate a breach.
5. Investigate Signs of Lateral Movement: Be on the lookout for indications of lateral movement within your network, such as unauthorised RDP, SMB, SSH attempts, or port scanning activities.
6. Credential Management Review: Assume that credentials accessible or stored on the compromised VPN appliance are at risk. Implement immediate resets and changes to these credentials.
7. Incident Response Preparedness: In case signs of compromise are detected, have a robust incident response plan ready to swiftly address and mitigate the breach.
8. Educate and Train Staff: Raise awareness among your staff about these specific vulnerabilities and general best practices in cybersecurity to prevent successful phishing or other exploitation attempts.

Aspire SOC & IR

The joint effort of the Security Operations Centre (SOC) and Incident Response (IR) in managing Ivanti Connect Secure VPN vulnerabilities provides an effective and comprehensive defence. This approach swiftly addresses immediate threats and bolsters long-term cybersecurity. Incident Response is crucial for quick containment, in-depth analysis, and the implementation of strategic remediations, ensuring the organisation is better prepared for future cyber threats.

Elevation of Privilege Vulnerability in Microsoft SharePoint Server: CVE-2023-29357.

Summary

This type of vulnerability typically enables attackers to obtain higher-level permissions on a system or network, potentially leading to unauthorised access or control over the affected system. Specifically in the context of Microsoft SharePoint, a widely used platform for collaboration and document management, this vulnerability could allow attackers to gain elevated privileges within the SharePoint environment. Such exploitation compromises the integrity and confidentiality of the data and processes managed by SharePoint. A remote, unauthenticated attacker can exploit this vulnerability by sending a spoofed JWT (JSON Web Token) authentication token to a vulnerable server, thereby obtaining the privileges of an authenticated user on the target system.

Countermeasures

1. Apply Microsoft Security Patches: Promptly install all security updates released by Microsoft for SharePoint Server.
2. Regular System Updates: Keep systems up to date with the latest security features.
3. Enhance Monitoring and Logging: Improve surveillance of SharePoint Server activities for early detection of unusual access or exploitation attempts.
4. Implement Strict Access Controls: Strengthen environment security through rigorous access control and user privilege management.
5. Conduct Regular Security Audits: Perform routine audits to identify and resolve any lingering vulnerabilities, reinforcing defence mechanisms.

Recommendations

1. Develop an AI-Integrated Security Framework: Integrate AI tools for advanced threat detection specific to SharePoint environments.
2. Employee Awareness and Training: Educate staff about the latest security threats to SharePoint Server and train them in best practices for prevention and response.
3. Backup and Disaster Recovery Planning: Establish robust backup protocols and a disaster recovery plan to ensure data integrity and availability.
4. Collaborate with Security Experts: Engage with cybersecurity experts to gain insights into advanced protection strategies for SharePoint Server.
5. Evaluate Third-Party Security Solutions: Consider implementing third-party security solutions that complement Microsoft’s native security features for SharePoint.
6. Implement Network Segmentation: Use network segmentation to protect SharePoint data by limiting access to sensitive areas within the network.
7. Regular Penetration Testing: Conduct penetration testing to proactively identify and address potential security weaknesses.

Aspire SOC

A Security Operations Centre (SOC) is crucial in managing vulnerabilities like CVE-2023-29357 in Microsoft SharePoint Server. The SOC’s role includes continuous network monitoring for early threat detection and expert analysis to guide swift response actions. Although the SOC does not directly apply patches, it plays a significant role in vulnerability identification using tools like Qualys. It also informs tenants, particularly if the vulnerability is being actively exploited, and offers ongoing surveillance and threat intelligence, contributing to a more robust security posture.

The Rise of Ransomware 2024

Summary

Ransomware in 2024 presents a critical and evolving threat, with attackers employing advanced techniques and specifically targeting high-value entities. The use of complex social engineering, sophisticated phishing, and exploitation of zero-day vulnerabilities has become more prevalent, often amplified by artificial intelligence to increase the efficacy of attacks. There is a significant shift towards focused attacks on corporations and government institutions, aimed at securing higher ransom payouts. The emergence and growth of Ransomware-as-a-Service (RaaS) have made ransomware tools and services more accessible, broadening the pool of potential attackers. Additionally, the strategy of double extortion, involving the encryption of victim data followed by threats to publish or sell the information, adds a layer of complexity and urgency for organisations, heightening the stakes and pressure to comply with ransom demands.

Countermeasures

• · Implement advanced cybersecurity protocols.
• Employ AI and machine learning for threat detection.
• Strengthen defences against social engineering and phishing.
•  Regularly update software to patch vulnerabilities.
• Use multi-factor authentication and strong password policies.
• Secure and regularly back up critical data.
• Monitor network traffic for suspicious activities.
• Conduct regular penetration testing.
• Isolate critical systems to limit potential spread.
• Employ endpoint detection and response solutions.

Recommendations

• Regularly update and review cybersecurity policies.
• Conduct comprehensive risk assessments.
• Increase employee awareness and training on cybersecurity.
• Develop a robust incident response plan.
• Foster a culture of cybersecurity vigilance.
• Stay informed about the latest ransomware trends.
• Engage with cybersecurity communities for shared intelligence.
• Invest in advanced threat detection and response tools.
• Review and strengthen data encryption practices.
• Collaborate with external cybersecurity experts as needed.

Aspire SOC

A Security Operations Centre (SOC) is vital in defending against ransomware through its ongoing monitoring and quick response. The SOC is key for early threat detection, using advanced technology to identify and address risks. During attacks, the SOC’s rapid actions help contain the impact and prevent extensive damage. Post-attack analysis by the SOC aids in refining security strategies and preventing future incidents. By keeping up with the latest ransomware trends, the SOC ensures that an organisation’s defences adapt to changing cyber threats, making it crucial for robust cybersecurity.