March 2024
Abuse of Valid Account Credentials
Overview
Cybercriminals usually take to the path of least resistance to meet their objectives, and therefore it is worrying that it has been raised that abusing valid accounts are becoming a preferred means of access into victim environments for cybercriminals. Reports have shown that use of stolen credentials to access valid accounts surged by 71% over the previous year tied with phishing as the top infection vectors.
Additionally, X-Force observed a 100% increase in “Kerberoasting” during incident response engagements. Kerberoasting is a technique focused on compromising Microsoft Windows Active Directory credentials through Kerberos tickets. This indicates a technique shift in how attackers are acquiring identities to carry out their operations.
These shifts suggest that threat actors have revalued credentials as a reliable and preferred initial access vector.
The statistics from X-Force show that:
- 71% increase in cyber-attack which were promoted by stolen\compromised credentials.
- 32% were involved in data theft and leaks which shows that attackers have favored stealing and selling data, rather than encrypting it for extortion.
- 50% show that the AI market share milestone will incentivize attackers to invest in developing cost-effective tools to attack AI technologies.
Aspire Recommendations
- Question the email received. Are you expecting this email? Does the email look legitimate? What are the contents make sense and relevant? Does the email contain links?
- (2A) Ensure no one password is the same. Having one password for all systems makes it easier to steal those credentials as does more damage.
- (2B) Password reset policies. Often companies have a 90-day password expiration date to force users to reset their password.
- (2C) Password character policy. By setting up certain password requirements it means that users will be forced to come up with a new password. We all know how easy it is to just put an extra 1 or! at the end of an existing password. However, if the password reset policy meets some of the below requirements it makes it harder for a cyber criminal to gain unauthorized access and steal the credentials.
Example Password Requirements: 8 characters or more, numbers, special characters and when changing password, it doesn’t allow similar characters as the previous password.
- MFA Enabled, Multi-Factor authentication adds an additional layer of security by requiring users to provide a second form of verification, such as a code from a mobile app or a fingerprint scan.
- Use HTTPS, ensure that websites and applications use secure connections (HTTPS) to encrypt data during transmission. This helps protect credentials from being intercepted by attackers during communication.
- Privilege Levels, use the principle of least privilege by granting users the minimum level of access necessary to perform their job functions. Avoid unnecessary administrative privileges that could be exploited if credentials are compromised.
- Wi-Fi, use strong encryption and secure Wi-Fi protocols for wireless networks. Avoid open or unsecured networks, especially for business-related activities.
- Account Lockout Policy, enforce account lockout policies that temporarily disable an account after a certain number of failed login attempts which will help in preventing brute-force attacks
SocGholish
Overview
The SOC has seen an increased presence of SocGholish. SocGholish is a malware variant first discovered in 2018. The SocGholish attack path involves compromising a legitimate webserver, then hosting its malicious code that displays a popup suggesting the site visitors have updates pending. If the user clicks the popup to apply updates it will execute malicious JavaScript that can download other malware strains and C2 frameworks, often leading to full compromise of the victims’ machine and network.
Aspire Recommendations
- User Education: Socgholish’s infection mechanism depends on tricking a user into installing a fake browser update. Educating users about these social engineering tactics can help prevent employees from downloading and installing malware on their computers.
- URL Filtering: Socgholish distributes its malware via compromised or malicious websites. URL filtering based on threat intelligence can identify and block attempts by users to browse to URLs known to be associated with this or other malware campaigns.
- Web Security: Socgholish uses malicious JavaScript to induce the user to download and install a malicious browser update. Web security tools can inspect webpages for potential malicious content and prevent users from visiting these malicious or compromised websites.
- Endpoint Security: Socgholish is malware that collects information about a user’s machine and then installs other malware on it. An endpoint security solution should be able to identify and block the malware before it can be installed or causes damage to the system.
- Patch Management: Socgholish or other malware variants may exploit vulnerabilities as part of their installation process. Keeping web browsers and other programs up to date can help to protect them against attack.
- Data Security: Socgholish can install other malware variants, including ransomware, that put an organization’s data at risk. Implementing data security best practices – including least prvilege access controls and data loss prevention (DLP) – can help prevent.
Zero-Day Exploits
Overview
Our SOC has seen an increase in what’s known as Zero-Day Exploits. A zero-day attack is a cyber-attack where an adversary exploits a previously unknown and unpatched vulnerability (a “zero-day vulnerability”) in software or hardware. The term “zero-day” indicates that the affected vendor has had zero days to address and release a fix for the vulnerability before it is exploited by attackers.
There are many different types of zero-day exploitation. Please see some below examples along with some remediation techniques.
Method: Browser Zero-Day Exploit
Description: An attacker discovers and exploits a previously unknown vulnerability in a popular web browser.
Impact: Enables the attacker to execute arbitrary code on the victim’s system, potentially leading to unauthorized access, data theft, or malware installation.
Remediation:
- Apply browser updates promptly.
- Use browser security features such as sandboxing.
- Employ network-based security controls to detect and block malicious traffic.
Method: Operating System Kernel Vulnerability
Description: A zero-day vulnerability is discovered in the kernel of a widely used operating system.
Impact: Allows attackers to escalate privileges, compromise the integrity of the operating system, and potentially gain control of the entire system.
Remediation:
- Apply operating system updates and patches.
- Implement endpoint protection solutions.
- Employ network segmentation to limit lateral movement.
Method: Office Suite Zero-Day
Description: An attacker exploits a previously unknown vulnerability in a popular office productivity suite.
Impact: Enables the execution of malicious code in documents, leading to potential compromise of sensitive information or installation of malware.
Remediation:
- Keep office software updated.
- Disable unnecessary macros in documents.
- Use email filtering to block suspicious attachments.
Method: Mobile Device Zero-Day
Description: A zero-day vulnerability is exploited on a mobile operating system, targeting smartphones or tablets.
Impact: Allows attackers to compromise mobile devices, steal sensitive data, or remotely control the device.
Remediation:
- Apply mobile operating system updates.
- Use mobile device management (MDM) solutions for centralized security controls.
- Educate users about the risks of downloading apps from untrusted sources.
Method: Network Appliance Zero-Day
Description: A vulnerability is discovered and exploited in a network appliance, such as a firewall or router.
Impact: Allows attackers to manipulate network traffic, bypass security controls, or gain unauthorized access to the organization’s network.
Remediation:
- Regularly update firmware and software for network appliances.
- Implement intrusion detection and prevention systems.
- Monitor network traffic for anomalies
General Remediation Practices for Zero-Day Attacks:
- Stay informed about emerging threats through threat intelligence sources.
- Establish a rapid response plan for zero-day vulnerabilities, including incident detection and response.
- Employ network segmentation to limit the potential impact of a successful attack.
- Regularly update and patch software and systems promptly.
- Use intrusion detection and prevention systems to identify unusual or suspicious behavior.