June 3rd: 10 Ways Attackers Gain Access to Networks +++ Zero-Day Vulnerability in Microsoft Office +++ CIOs Concerned that their Software Supply Chain is Vulnerable

10 Ways Attackers Gain Access to Networks

CISA, Cybersecurity & Infrastructure Security Agency, revealed the top ten attack vectors most exploited by cybercriminals in order to gain access to organization networks, as well as the techniques they use to gain access. And boy, is it a lot to stomach. Alas, we tried to filter the most important parts for you.

The advisory cites five techniques used to gain leverage:

  1. Public facing application. Not patched and updated internet facing application.
  2. External remote services. Theft of accounts combined with corporate remote services.
  3. Phishing. Business centric attack from spear phishing to CEO fraud.
  4. Trusted relationships. Third-party trusted access.
  5. Valid accounts. Obtained by phishing, social engineering, insider threats or carelessly handed data.

And here they are, the 10 ways attacks gain access:

  1. Multifactor authentication is not enforced. Useful to prevent techniques like phishing.
  2. Wrongly applied privileges or permissions, along with errors within access control lists. User only able to access resources necessary for any given purpose.
  3. Software is not up to date. Asset and patchmanagement will keep operating systems and other key software up to date. Vulnerability scans which software is unsupported, end of life will help.
  4. Use of vender supplied default configuration or default credentials. Default setups and default username/password are not good for business since they are easily available.
  5. Remote services. Poorly handled Remote service
  6. Strong password policies are not implemented. Insufficient and week passwords are a keyway to gain a foothold on the network.
  7. Cloud service unprotected. Permanent feature of security breach stories.
  8. Open ports and misconfigured services are exopod to the Internet.
  9. Failure to detect or block phishing attempts.
  10. Poor endpoint detection and response.

In our usual manner, we won’t be leaving you hanging with bad news. So how do you protect your system from being attacked?

  • Control access: Rigorously access policing. No local admin. Network segmentation.
  • Harden Credentials: MFA across all areas of the organization. Password policy combined with checking devices used, time of day, location data and user history.
  • Central log management: Log generation and retention are essential tools.
  • Antivirus solution: Security solution dealing with exploits that require no user interaction and attacks reliant on social engineering.
  • Detection Tools: IDS helps sniff out malicious network activity. Penetration testing can expose misconfiguration.

Needless to say, but we will: If you want to dig deeper, here is our source material for you to enjoy:

10 ways attackers gain access to networks | Malwarebytes LabsWeak

Security Controls and Practices Routinely Exploited for Initial Access | CISA

Zero-Day Vulnerability in Microsoft Office

On May 29th, IT security researchers including Kevin Beaumont discovered a Word document that loads and executes malicious code from the Internet when opened. There is still no official update to close the gap in older Office versions, but using the current Microsoft Office version in particular apparently prevents the exploit that has been found. Victims would have to disable the „protected view“ of a manipulated document. The document uploaded to Virustotal was found by nao_sec. It used Word’s Remote Template feature to download an HTML file from the Internet. This in turn relied on Microsoft’s ms-msdt:-URI handler to download additional code and execute PowerShell code, explained IT researcher Kevin Beaumont.

In his summary (Follina — a Microsoft Office code execution vulnerability | by Kevin Beaumont | May, 2022 | DoublePulsar), Beaumont explains that the attackers could bypass advanced protections of endpoint detection and response (EDR) systems because Microsoft Office executes the code using the msdt.exe diagnostic tool. And it does so even if macro execution has been disabled in the settings. However, the protected view is activated first.

The IT security researcher goes on to say that the danger can be increased with a little help: If the document is changed to RTF format, the code already runs without the file being opened by the user. This happens in the Windows Explorer preview. There, of course, without „protected view.“

Currently affected versions:

  • Windows 10, without local administrator rights and if execution of macros is completely disabled, with Microsoft Defender and the Office 365 in the semi-annual channel
  • Office 2013 and 2016, 2019, 2021 as well Professional Plus, possibly more

Mitigation:

Guys, stay safe – and if you’re not sure whether you are, let’s get in touch!

Say what? You want to know more? Hey, you know where to go. Here’s our trusted sources:

https://isc.sans.edu/diary/28694

Zero-Day-Lücke in Microsoft Office ermöglicht Codeschmuggel | heise online

Microsoft Word struck by zero-day vulnerability | The Register

Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild | thehackernews.com

Security Update Guide – Microsoft – Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

Technical Analysis: Rapid Response: Microsoft Office RCE – “Follina” MSDT Attack | huntress.com

CIOs Concerned that their Software Supply Chain is Vulnerable

A clear majority of 82 percent of CIOs surveyed believe their organizations are vulnerable to software supply chain attacks, according to a new study commissioned by private security firm Venafi. At the same time, 85 percent have been told by their business leaders to make improvements regarding security, according to the report. Awareness of the problem is therefore present – yet confident approaches to solving it are still lacking.

A supply chain attack is an attack that damages a company by first compromising the company’s supply chain. The supply chain used for the attack can be either a hardware or software supply chain; or both. In a supply chain attack, a group of attackers first gains access to the victim’s network by infiltrating the network of a business partner that has access to the victim’s systems or data. A prominent example was a momentous software supply chain attack in 2020: Attackers had gained access to internal networks via widely distributed maintenance software from the company Solarwinds and remained undetected for months, affecting around 18,000 customers of Solarwinds‘ products.

With the trend moving away from in-house data centers and toward hybrid or complete cloud infrastructures, the study says it sees increased responsibility among software developers for security. „As a result, development and software engineering teams are overseeing many of the security controls for these environments,“ it states.

87 percent of CIOs surveyed agreed with the statement that developers sometimes circumvent security rules. „Software developers and engineers – who are most familiar with how these new and complex environments work – must play a key role in defending them.“

The study surveyed 1,000 CIOs from companies in the DACH region, the United States and United Kingdom, Benelux countries, Australia and New Zealand.

For more insights on the topic, feel free to check our sources below:

IT-Security: Mehrheit der CIOs ist um die Softwaresicherheit besorgt | Golem.de

Venafi_WhitePaper_CIOStudy_SoftwareBuildPipelinesAttackSurfaceExpanding_2022_f .pdf

CIOs admit their software supply chain is vulnerable | The Register


Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.