Accellion Patches Four Vulnerabilities in File Transfer Appliance (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104)

Accellion recently released patches addressing four vulnerabilities in its File Transfer Appliance, a tool linked to a growing list of data breaches since December.

Background

On January 12, Accellion, a private cloud solutions company, published a statement regarding a security incident involving one of its customers. The statement revealed the presence of a “P0 (priority zero) vulnerability” in its File Transfer Appliance (FTA), a cloud-based or on-premises solution that organizations use to “transfer large and sensitive files.” The vulnerability was patched "within 72 hours" and affected "less than 50 customers," according to the Accellion statement.

Throughout January, multiple companies came forward acknowledging data breaches linked to Accellion’s FTA. In a subsequent statement on February 2, Accellion noted that in the weeks since the first P0 vulnerability was disclosed, it had identified “additional exploits” in FTA and had patched each of those vulnerabilities. However, the Feb. 2 statement did not share any specific details about these flaws or the versions of FTA that may be impacted.

At the time this blog post was published, at least 11 organizations had publicly confirmed being victims of data breaches associated with FTA.

On February 16, Accellion published the first descriptions for four vulnerabilities in FTA on its GitHub page.

Analysis

At the time this blog post was published, three of the four vulnerabilities received a CVSSv3 score of 9.8; the fourth did not yet have a score assigned to it.

CVE-2021-27101 is a SQL injection vulnerability. An unauthenticated, remote attacker could exploit the flaw by sending a specially crafted request as part of the Host header to the document_root file on a vulnerable FTA endpoint.

CVE-2021-27103 is a Server-Side Request Forgery (SSRF) vulnerability. An unauthenticated, remote attacker could exploit the flaw by sending a specially crafted POST request to the wmProgressstat file on a vulnerable FTA endpoint.

CVE-2021-27104 is an OS command injection vulnerability. An unauthenticated, remote attacker could exploit the flaw by sending a specially crafted POST request to an FTA administrative endpoint.

CVE-2021-27102 is another OS command injection vulnerability. We do not know if it is similar to CVE-2021-27104 because no CVSSv3 vectors were available at the time this blog post was published. If it is similar, we would expect it to apply to the same FTA administrative endpoint.

While details for these vulnerabilities are quite limited, we intend to update this blog as more detailed information becomes available.

Successful exploitation of these flaws may allow attackers to view and exfiltrate files from vulnerable FTA instances.

CVE             CVSSv3   Tenable VPR*
CVE-2021-27101  9.8      10.0
CVE-2021-27102  N/A      9.2
CVE-2021-27103  9.8      9.5
CVE-2021-27104  9.8      9.2

*Please note Tenable VPR scores are calculated nightly. This blog post was published on February 19 and reflects VPR at that time.

Unconfirmed connection to recently detailed web shell on FTA instance

On January 28, researchers at Guidepoint Security published a blog post detailing a joint investigation with deepwatch that analyzed a web shell found within an instance of Accellion’s FTA. Because of the timing of this publication, Tenable Research believes it may be an example of the attacks described, as the web shell analyzed would allow for an attacker to exfiltrate documents from a vulnerable FTA instance.

CL0P Ransomware claims responsibility for breach but denies Accellion connection

Recently, the CL0P ransomware group claimed responsibility for an attack on Jones Day, a U.S.-based international law firm. However, according to The Wall Street Journal, Jones Day is disputing the claim, saying the files pilfered were not from its network, but were the result of a breach in its use of Accellion’s FTA product.

The CL0P ransomware gang operates a leak website, a tactic pioneered by the Maze ransomware group in December 2019, which we discuss in our 2020 Threat Landscape Retrospective report. Leak websites are used to name and shame victims of ransomware attacks as a form of double extortion. The original extortion is the encryption of files on the victim’s network. The double extortion tactic involves exfiltrating data from the victim’s network and threatening to leak it publicly if ransom demands are not met. The ransomware groups post a sampling of files on these leak websites.

On the CL0P leak website (“CL0P LEAKS”), a cache of files associated with the Jones Day breach has been published. Files associated with Singtel, another organization recently linked to a data breach via Accellion’s FTA, have also appeared on the CL0P LEAKS website.

[Image: list of affected organizations from the CL0P LEAKS website]

It remains unclear whether or not the CL0P ransomware group exploited the vulnerabilities in Accellion’s FTA in order to steal files from these organizations. A section in the 44th edition of the Risky Business newsletter surmises that the CL0P ransomware group could be “helping other attackers monetise the theft of data” from these organizations.

Proof of concept

At the time this blog post was published there were no public proof-of-concept (PoC) exploits available for any of the four vulnerabilities in the FTA.

Solution

According to the recent publication of CVEs on Accellion’s GitHub page, there are two sets of patches: one for the SQL injection and SSRF flaws and another for the OS command injection flaws. The following table lists the affected versions and fixed versions of FTA:

CVE             Affected FTA Versions   Patched FTA Version
CVE-2021-27101  9_12_370 and earlier    9_12_380 and later
CVE-2021-27102  9_12_411 and earlier    9_12_416 and later
CVE-2021-27103  9_12_370 and earlier    9_12_380 and later
CVE-2021-27104  9_12_411 and earlier    9_12_416 and later
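One way to turn the table above into a repeatable check, as an added example that is not Accellion's or Tenable's code: it parses FTA build strings in the underscore form used in the advisories (a dotted form is accepted as a leniency, an assumption on my part) and classifies a build against each CVE. Builds that fall between the last listed affected build and the first listed patched build are reported as "unknown" rather than silently treated as safe.

```python
"""Triage an Accellion FTA build number against the affected/patched
versions listed for CVE-2021-27101 through CVE-2021-27104.

Added example, not Accellion's or Tenable's code. The version ranges are
the ones from the Solution table of the post; the "unknown" state covers
builds that sit between the highest listed affected build and the lowest
listed patched build, which the table does not classify either way.
"""
from typing import Dict, Tuple

# From the post's table: CVE -> (last affected build, first patched build).
FTA_ADVISORIES: Dict[str, Tuple[str, str]] = {
    "CVE-2021-27101": ("9_12_370", "9_12_380"),  # SQL injection
    "CVE-2021-27102": ("9_12_411", "9_12_416"),  # OS command injection
    "CVE-2021-27103": ("9_12_370", "9_12_380"),  # SSRF
    "CVE-2021-27104": ("9_12_411", "9_12_416"),  # OS command injection
}


def parse_fta_version(version: str) -> Tuple[int, ...]:
    """Turn a build string such as '9_12_370' into a comparable tuple of ints.

    A dotted form ('9.12.370') is accepted as well (assumption, for convenience
    when the value comes from an inventory export). Anything else raises
    ValueError so a bad input is never treated as a patched build.
    """
    parts = version.strip().replace(".", "_").split("_")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FTA version string: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version: str, cve: str) -> str:
    """Return 'affected', 'patched' or 'unknown' for one CVE."""
    last_affected, first_patched = FTA_ADVISORIES[cve]
    v = parse_fta_version(version)
    if v <= parse_fta_version(last_affected):
        return "affected"
    if v >= parse_fta_version(first_patched):
        return "patched"
    return "unknown"  # build sits in the gap the advisory does not cover


def triage(version: str) -> Dict[str, str]:
    """Classify one build against all four CVEs at once."""
    return {cve: classify(version, cve) for cve in FTA_ADVISORIES}


def needs_action(version: str) -> bool:
    """True unless the build is at or above the patched build for every CVE.

    'unknown' counts as needing action; treating an unclassified build as
    safe is the wrong default for an appliance with active exploitation.
    """
    return any(state != "patched" for state in triage(version).values())


if __name__ == "__main__":
    # Constructed sample builds, chosen to hit each outcome.
    for build in ("9_12_370", "9_12_380", "9_12_413", "9_12_416"):
        verdict = "action needed" if needs_action(build) else "fully patched"
        print(build, triage(build), verdict)
```

Note that 9_12_380 is patched for the SQL injection and SSRF flaws but still affected by the two OS command injection flaws, so only 9_12_416 and later clears all four.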

FTA reaches end of life on April 30

As part of its recent statements, Accellion has published a document announcing that the official end of life (EOL) date for its FTA product is April 30, 2021. Accellion is instructing all legacy FTA customers to migrate over to its kiteworks solution.

[Image: Accellion EOL announcement for FTA. Image source: Accellion EOL document for FTA]

We strongly encourage all organizations to apply these available patches as soon as possible and create a migration plan to move away from FTA before its EOL.

Identifying affected systems

Tenable customers can use our existing detection plugin to identify Accellion File Transfer Appliance assets in their environment.

Because FTA will reach EOL on April 30, we will be releasing an unsupported version detection plugin 60 days before the EOL date. The plugin will be available here on March 1.

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


Learn the Language of Vulnerability Assessment: Key Security Terms You Should Know

Your introduction to vulnerability assessment doesn't have to be confusing – let's go over the key terms.

When you're new to vulnerability assessment (VA) – or any other area of cybersecurity, for that matter – some aspects of the process might seem unfamiliar or confusing. This is particularly true of the jargon; cybersecurity and technology as a whole have a long list of specialized terminology. 

Now, let's be clear: You don't have to learn all of the words and their definitions from top to bottom right away. But it's important that you make yourself aware of the relevant language and key terms that security practitioners use every day while navigating the cyber trenches. Here’s a brief introduction.

The true definition of a vulnerability

Perhaps the most important point to keep in mind when learning the fundamentals of vulnerability assessment is the actual meaning of the word "vulnerability." The simplest accurate description is "any weakness in your network that can be exploited." It may be something as seemingly minor as a legacy application, or an app that's commonly used but doesn't feature the most recent patches. A vulnerability could also be a host on the network that lacks modern protections like next-generation firewalls or anti-malware features.

Keep in mind that “vulnerability” isn't a synonym for words like "malware," "virus," "trojan" or any of the other words that describe common cyberthreats. These cybersecurity hazards are often what emerge to take advantage of vulnerabilities that are present within some segment of your network or an asset connected to it (e.g., computers, mobile devices or operational technology such as network switches and control systems).

In addition to knowing the precise definition of a vulnerability, it's critical to understand that not all vulnerabilities are created equal. Some may only have minor negative effects on performance or affect only a small portion of the network. Others will pose clear and immediate danger to your environment and demand remediation as soon as possible. 

Arguably the best-known measurement for evaluating these threats is the Common Vulnerability Scoring System (CVSS),1 a scale devised by the Forum of Incident Response and Security Teams (FIRST) cybersecurity organization. While useful for beginners and worth knowing, it shouldn't be the only score you use: Its criteria don't take into account the sheer number of vulnerabilities out there and also fail to analyze how likely it is for these flaws to be leveraged by attackers. (Tenable's Predictive Prioritization process can more effectively gauge the impact of vulnerabilities and help you prioritize vulnerabilities to devise a better management strategy.)

Understanding the taxonomy of cyberthreats 

Another point of confusion in vulnerability assessment is the broad scope of terms used to describe cyberthreats. Many cybersecurity discussions invoke the term malicious software or "malware," but those just getting to know the subject might wonder what the difference is between that word and "virus."

Functionally, there isn't much difference – viruses are malware. But malware works as an effective category name, whereas "virus" doesn't. Cyberthreats falling under the malware umbrella include:2

  • Viruses: Malicious code that, once triggered through a user action like opening an attachment, can take control of existing apps within a host to "reproduce" itself and spread to other devices on a network. 
  • Worms: Standalone malicious software that is also capable of self-propagation (without human intervention) to spread to other hosts.3
  • Trojans: Malware disguised as programs or files a user needs.
  • Spyware: Programs that monitor activity of infected computers (e.g., keystroke loggers or "formjackers," used to steal credentials).
  • Botnets: Groups of automated, self-propagating applications that infect multiple machines and use them to conduct distributed denial of service attacks.

Then there's ransomware, which isn't one specific type of malware: any virus, worm, trojan or other malicious tool can fit the bill if it's used to gain leverage over a victimized organization and force ransom payments – many ransomware attacks employ data encryption or access denial as intimidation tactics.4

Reminder: All of those things listed above are not vulnerabilities – they're enabled by vulnerabilities.

Vulnerability assessment vs. vulnerability management

It's also important to know the difference between terms used to describe the process of mitigating vulnerabilities. For example, the terms “vulnerability assessment” and “vulnerability management” are not interchangeable. Assessment is a step in the vulnerability management process, and vulnerability scanning allows you to create the assessment. (Along similar lines, remember that Nessus Professional is primarily a vulnerability assessment solution; for an all-in-one vulnerability management suite, see Tenable’s enterprise platform products.)

Scans examine your network as broadly or narrowly as you choose: the entire network, a small number of hosts within one department of your organization or any range in between. When scanning is complete, you'll have a preliminary vulnerability assessment report, which is the foundational step that enables further investigation. Penetration tests (which are sometimes erroneously conflated with vulnerability scanning) or threat modeling may be beneficial to demonstrate how vulnerabilities work in controlled settings and map out their ultimate consequences.

After scans, tests and other assessments, you can begin to address cyberthreats across your environment, in order of their immediacy and severity. Focus on the most critical areas of potential exposure first, such as customers' financial and personal data or publicly facing systems. Mitigation and/or remediation may be as simple as patching an app or operating system, or may require more consequential actions like removing programs, disabling hosts or temporarily shutting down a network.

Balancing security and compliance

The last major terminology-based discrepancy we want to discuss is between vulnerability and compliance scanning. 

Tools like Nessus Professional can conduct compliance scans to determine adherence to government regulations as well as industry standards like PCI DSS. (These scans are based on benchmarks from the Center for Internet Security [CIS] as well as certain Security Technical Implementation Guides [STIGs].) But a compliance scan isn’t a full vulnerability scan, because it only searches for issues that make your system noncompliant, rather than any flaws that expose you to breach or attack. Your best course of action is to conduct both types of scans and then address their results separately.

Ready to get started? Nessus Professional is an excellent solution for anyone who's starting out with vulnerability assessment.

Try Nessus Free for 7 Days

1. FIRST, "Common Vulnerability Scoring System v 3.1: Specification Document"
2. CSO Online, "Malware Explained: How to Prevent, Detect and Recover From It," May 2019
3. Kaspersky, "What's the Difference Between a Virus and a Worm?", February 2020
4. Cybersecurity and Infrastructure Security Agency, "Ransomware Guidance and Resources"

Introducing Tenable.ep: The First Risk-Based VM Platform as Dynamic as Your Attack Surface

Conquering your cyber risk requires a new approach to vulnerability management. With Tenable.ep, security teams gain a single, flexible license that enhances visibility and eliminates friction, so you can reduce the greatest risk with the least effort.

Over the past several years, I’ve talked with numerous IT and security professionals who are struggling to keep up with a changing attack surface.

It wasn’t long ago when most of their assets were located on-premises. Cloud migrations were primarily limited to off-site storage and a few redundant systems, primarily for the purpose of business continuity. Nowadays, the majority of their assets are located in the cloud, including those that are business-critical. They also have an abundance of web apps and critical assets in container environments. Some even manage hybrid IT-OT environments. They’re doing everything they can to gain visibility into these emerging asset types, so they can assess them for critical vulnerabilities and weaknesses.

The problem is, when these security leaders began their vulnerability management programs, they were still in the midst of that old, on-premises world, so the tools they had to assess that environment were only intended to support that specific network configuration. Each time the organization ventured into a new environment, it created a blind spot in their attack surface, since existing security tools could neither assess the new assets, nor the vulnerabilities that reside on them. To solve the problem, they’d eventually get budget approval for a new security tool that would allow them to see and assess that new environment—but not until they endured agonizing, time-consuming processes to procure and ultimately deploy the new tool.

And those processes repeated themselves with every new evolution of their network.

Fragmented Tool Sets Expand the Attackers' Advantage

Today, security teams have multiple tools to assess the wide range of assets and vulnerabilities across their attack surface. That’s the good news; they’ve eliminated the blind spots. But at what cost? Each of those tools has its own license, technology platform and user interface, and each has its own unique way of processing and displaying security intelligence. So, defenders end up manually stitching together massive amounts of data from their various security tools to try to determine where they are exposed, and then put those vulnerabilities into context, so that they can effectively prioritize their remediation efforts.

One security leader I spoke with really put it in perspective for me. “We’ve purchased a ton of single-purpose tools to solve specific security needs, and now we spend too much time pulling that data together and not enough time acting on it,” he says. “We have to manually parse through all of that data to try to make sense of our situation, which leaves us chronically behind.” And he’s not alone. Nearly every security leader I’ve met talks about the fact that these challenges put their security teams at such an extraordinary disadvantage that they’re incapable of keeping up with the volume and velocity of vulnerabilities discovered in their environment.

These security leaders realize that now is the time to take control. They need the right tools to focus their time and resources on fixing what matters most. This is the risk-based revolution. 

Dynamically Assess Your Entire Attack Surface with the Tenable Exposure Platform

Today, we’re proud to announce the Tenable Exposure Platform (Tenable.ep) as a solution to these challenges. Tenable.ep is a unified risk-based vulnerability management platform that enables security leaders to know the exposure of every asset, on any platform, at all times. And it employs a flexible license that simplifies the definition of an asset to help streamline operations. Security teams can allocate resources according to their specific needs, and modify that allocation as their business needs or compliance requirements evolve.

Tenable.ep includes a comprehensive tool set that:

  • Eliminates blind spots across the entire attack surface
  • Provides a unified view of a wide range of assets and vulnerabilities
  • Predicts which vulnerabilities are most likely to be exploited in the near future
  • Measures security program maturity and highlights areas for process improvement
  • Benchmarks the efficiency of the organization’s security program against industry peers

Best of all, Tenable.ep isn’t just a bundle of individual products all thrown together in a box and assigned a price. Instead, every component is tightly integrated to work together, and enables assets and vulnerabilities from across the attack surface to be assessed together on a single dashboard.

In short, Tenable.ep is the only solution you need to run comprehensive, effective vulnerability management programs. To learn more, visit the Tenable.ep product page.

Know Thy Assets: The First Step in Securing Your Industrial Environment

As operational technology systems are exposed to new cyber risks, security leaders can maximize their defense of critical industrial environments through comprehensive and detailed inventory of assets.

Operational technology (OT) has been around for some time. It grew up alongside but quite separate from its more popular IT brother, with some striking differences. 

IT’s coming of age was always more in the spotlight because of the advent of the personal computer and the connectivity and applicability it provided to everyone. The name of the game with IT was “CIA,” or the confidentiality, integrity and availability of data and the network. Given these requirements, uptime, redundancy and security were front and center, and IT managers regularly swapped out older technology for the latest and greatest to ensure that, above all else, CIA was maintained.

OT was never any less important than IT, but because of its purpose running back-end systems, it was sequestered from the public eye. No data was transferred in or out, and it operated as a closed system. OT grew up in isolation with the notion being “set it and forget it.” The name of the game was reliability and safety. Rather than systems being changed out regularly, they were left to perform their crucial role, sometimes for decades. To this day, there are instances where the OT environment may be the original one from when the plant first started operating.

This is not your father’s OT system

Because OT systems never had any cyber risk associated with them, there was little that needed to be done other than basic maintenance. As OT systems hummed along in the background, their reliability became an Achilles’ heel. Today, OT veterans and newcomers alike are re-examining this stance, faced with a growing need to secure these systems that were long ago set and forgotten.

With the recent phenomenon of OT infrastructure converging with IT networks, data now moves between the two with relative ease. Even in OT systems where the so-called “air-gap” remains, IT devices commonly interact with the OT environment in the form of human-machine interfaces (HMIs), thumb drives and more. This hybrid environment opens the possibility for “accidental convergence” and lateral security threats to emerge, thus exposing OT systems to as much — and, in many cases, more — risk than traditional IT systems.

Gaining a full inventory of your OT infrastructure

Applying security to an environment starts with knowing what is there. This initial step is especially important for OT environments that have been around for years, if not decades. In many cases, the original team that set up an OT environment is no longer in place, and therefore many legacy assets may not be accounted for. Moreover, deeper details such as which assets are communicating with each other, firmware versioning, backplane information and end-user access controls may not be appropriately documented or up to date. Gaining this deep situational analysis beyond simple asset inventory is a crucial step in applying the needed security based on the true state of the OT environment. In simple terms, you cannot secure what you do not know is there.

Identifying where we are most vulnerable

Once we gain an accurate lay of our OT landscape, patching weak points in our environment is an important ongoing exercise to minimize the potential attack surface. New vulnerabilities are constantly being announced — 18,358 were disclosed in 2020 alone — and keeping on top of them can inundate even the most robust security teams. Once we have the deep knowledge gleaned from our ongoing asset inventory, we can focus on the vulnerabilities that have exploits associated with them and are specific to the assets in our environment. This brings the number down to a more manageable level of a few hundred vulnerabilities.

By further leveraging a Vulnerability Priority Rating (VPR) – the output of Tenable’s Predictive Prioritization process – we can use key indicators to triage the order of patching for each exploit once we have a maintenance window. By prioritizing each vulnerability in your environment, your team can ensure that the most critical exposures are fixed first, reducing the greatest amount of risk with your existing security resources. 

Building an ecosystem of trust

There are a lot of critical factors and functions that are required when building an OT security system. These include notifications and alarms on anomalous behaviors, policy violations, user access and change management. Perhaps the most obvious but often overlooked OT security best practice is ensuring that the OT security system “plays well with others.” Previously deployed security such as next-generation firewalls (NGFWs), security information and event management (SIEM) tools, and more can all ingest key OT data and do a better defense-in-depth job when they get the key information and insights that an OT security solution can provide.

In summary

Security is a journey and not a destination. The fact that OT and IT are both in the security spotlight now requires our ongoing vigilance and adoption of security that rationalizes both sides of the organization’s environment. Employing the right security can help hasten the adoption of new and innovative technologies without compromising on security or exposing the organization to unacceptable risk.

CVE-2021-21972: VMware vCenter Server Remote Code Execution Vulnerability

Proof-of-concept exploit scripts for a critical remote code execution flaw, along with mass scanning activity, indicate that organizations should apply vCenter Server patches immediately.

Background

On February 23, VMware released a security advisory (VMSA-2021-0002) to address two vulnerabilities in vCenter Server, a centralized management software for VMware vSphere systems, as well as a vulnerability in the VMware ESXi hypervisor.

CVE             Affected Product   CVSSv3
CVE-2021-21972  vCenter Server     9.8
CVE-2021-21973  vCenter Server     5.3
CVE-2021-21974  ESXi               8.8

The most notable vulnerability disclosed as part of this advisory is CVE-2021-21972, a critical remote code execution (RCE) flaw in vCenter Server. The vulnerability was discovered and disclosed to VMware by Mikhail Klyuchnikov, a security researcher at Positive Technologies.

In recent years, Klyuchnikov has been credited with discovering and disclosing critical vulnerabilities that were later exploited by attackers in the wild. These include CVE-2019-19781, a critical vulnerability in Citrix Application Delivery Controller (ADC) and Gateway, and CVE-2020-5902, a critical vulnerability in F5 BIG-IP.

Analysis

CVE-2021-21972 is an unauthorized file upload vulnerability in vCenter Server. The issue stems from a lack of authentication in the vRealize Operations vCenter Plugin. It received a critical CVSSv3 score of 9.8 out of 10.0. An unauthenticated, remote attacker could exploit this vulnerability by uploading a specially crafted file to a vulnerable vCenter Server endpoint that is publicly accessible over port 443. Successful exploitation of this vulnerability would result in an attacker gaining unrestricted RCE privileges in the underlying operating system of the vCenter Server.

Klyuchnikov published a blog post detailing his discovery of the vulnerability, as well as two separate paths to achieve RCE. For Windows systems, an attacker could upload a specially crafted .jsp file in order to gain SYSTEM privileges on the underlying operating system. For Linux systems, an attacker would need to generate and upload a public key to the server’s authorized_keys path and then connect to the vulnerable server via SSH.

Default installations of vCenter Server are vulnerable

Despite the fact that this vulnerability stems from the vRealize Operations vCenter Plugin, the VMware advisory confirms that this plugin is included “in all default installations” of vCenter Server. This means that the vulnerable endpoint is available irrespective of the presence of vRealize Operations.

Over 6,700 vCenter Server systems are publicly accessible

According to a Shodan search query from David Krause, a threat intelligence engineer, there are currently over 6,700 vCenter Server systems that are publicly accessible.

Mass scanning activity for CVE-2021-21972 detected within one day

On February 24, just one day after VMware published its advisory, Troy Mursch, chief research officer at Bad Packets, tweeted that mass scanning activity had been detected searching for vulnerable vCenter servers.

Other vulnerabilities addressed in VMware Advisory

In addition to CVE-2021-21972, VMware addressed CVE-2021-21973, a Server Side Request Forgery (SSRF) vulnerability in vCenter Server that was also discovered by Klyuchnikov, as well as CVE-2021-21974, a heap overflow vulnerability in VMware ESXi that was discovered by Lucas Leong.

Proof of concept

At the time this blog post was published, there were at least four proof-of-concept exploit scripts available on GitHub, including one that is configurable for both Windows and Linux targets.

Solution

On February 23, VMware released the following updates for vCenter Server to address CVE-2021-21972 and CVE-2021-21973:

Affected Product Version   Fixed Version
vCenter Server 6.5         6.5 U3n
vCenter Server 6.7         6.7 U3l
vCenter Server 7.0         7.0 U1c

The following VMware Cloud Foundation platform versions are also impacted by these vulnerabilities:

Affected Product Version   Fixed Version
Cloud Foundation 3.x       3.10.1.2
Cloud Foundation 4.x       4.2

If upgrading is not feasible at this time, VMware has provided workaround instructions for CVE-2021-21972 and CVE-2021-21973 that involve a change to the compatibility matrix file and setting the vRealize Operations vCenter Plugin to incompatible.

Please note that this should only be used as a temporary workaround until upgrading is feasible.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Tenable Capture the Flag 2021: The Results Are In!

More than 1,500 teams from nearly 140 countries competed in Tenable's first-ever Capture the Flag competition. And the winners are...

That’s a wrap on the first Tenable Capture the Flag event! 

We’d like to say a huge thank you to everyone who participated. We were overwhelmed by the response from the community. A few stats:

[Image: final CTF stats: users, teams, countries]

This event presented a series of security-related challenges in a Jeopardy-style format. Challenges ranged in difficulty and topics included Web App, Reverse Engineering, Crypto, Stego, Open-Source Intelligence (OSINT), Forensics, Code and more. 

It was a tough competition but a few teams came out on top.

And now - drumroll please...

Please congratulate the following winners for their superior performance in the 2021 Tenable CTF!

[Image: CTF winners, 1st, 2nd and 3rd place]

All but one of the challenges were solved, yet a few proved tougher than the rest. The challenges with the lowest solve rates fell into one of the following categories: Pwn, Reverse Engineering, Stego, and Web App.

To see some of the community’s write-ups, check out the CTFtime page.

We hope you all had as much fun competing as we had putting it together. Thanks for making the 2021 Tenable Capture the Flag a success!

CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065: Four Zero-Day Vulnerabilities in Microsoft Exchange Server Exploited in the Wild

Four zero-day vulnerabilities in Microsoft Exchange servers have been used in chained attacks in the wild.

Background

On March 2, Microsoft published out-of-band advisories to address four zero-day vulnerabilities in Microsoft Exchange Server that have been exploited in the wild.

| CVE | Vulnerability Type | CVSSv3 |
| --- | --- | --- |
| CVE-2021-26855 | Server-Side Request Forgery (SSRF) | 9.1 |
| CVE-2021-26857 | Insecure Deserialization | 7.8 |
| CVE-2021-26858 | Arbitrary File Write | 7.8 |
| CVE-2021-27065 | Arbitrary File Write | 7.8 |

In a blog post, Microsoft attributes the exploitation of these flaws to a state-sponsored group it calls HAFNIUM. The group has historically targeted U.S.-based institutions, which include “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” according to the Microsoft blog. Researchers at Volexity also published a blog post about this attack, referring to it as Operation Exchange Marauder.

The vulnerabilities affect the on-premises version of Microsoft Exchange Server. Microsoft Exchange Online is not affected by these vulnerabilities.

Analysis

CVE-2021-26855 is an SSRF vulnerability in Microsoft Exchange Server. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable Exchange Server. In order to exploit this flaw, Microsoft says the vulnerable Exchange Server would need to be able to accept untrusted connections over port 443. Successful exploitation of this flaw would allow the attacker to authenticate to the Exchange Server.

Volexity, one of three groups credited with discovering CVE-2021-26855, explained in its blog post that it observed an attacker leverage this vulnerability to “steal the full contents of several user mailboxes.” All that is required for an attacker to exploit the flaw is to know the IP address or fully qualified domain name (FQDN) of an Exchange Server and the email account they wish to target.

CVE-2021-26857 is an insecure deserialization vulnerability in Microsoft Exchange. Specifically, the flaw resides in the Exchange Unified Messaging Service, which enables voice mail functionality in addition to other features. To exploit this flaw, an attacker would need to be authenticated to the vulnerable Exchange Server with administrator privileges or exploit another vulnerability first. Successful exploitation would grant the attacker arbitrary code execution privileges as SYSTEM.

CVE-2021-26858 and CVE-2021-27065 are both arbitrary file write vulnerabilities in Microsoft Exchange. These flaws are post-authentication, meaning an attacker would first need to authenticate to the vulnerable Exchange Server before they could exploit these vulnerabilities. This could be achieved by exploiting CVE-2021-26855 or by possessing stolen administrator credentials. Once authenticated, an attacker could arbitrarily write to any paths on the vulnerable server.

Microsoft’s blog says its researchers observed the HAFNIUM threat actors exploiting these flaws to deploy web shells onto targeted systems in order to steal credentials and mailbox data. The attackers reportedly were also able to obtain the offline address book (OAB) for Exchange. Possessing this information would be useful for a determined threat actor performing further reconnaissance activity on their target.

Intrusions detected going back to at least January 2021

Despite the initial disclosure on March 2, Steven Adair, president of Volexity, says his team has worked on “several intrusions since January” involving these vulnerabilities.

The Volexity blog post includes a video demo showing the successful exfiltration of individual emails associated with a targeted user without authentication. This was achieved by sending an HTTP POST request using an XML SOAP payload to the vulnerable Exchange Server’s Web Services API.

Other threat actors are reportedly leveraging these flaws in the wild

According to a Twitter thread from ESET research, “several cyber-espionage groups” — whose targets not only include the United States, but other countries including Germany, France, Kazakhstan, and more — have actively exploited the SSRF vulnerability (CVE-2021-26855).

Microsoft also addressed three unrelated Exchange Server vulnerabilities

In addition to the four zero-day vulnerabilities, Microsoft also patched three unrelated remote code execution (RCE) vulnerabilities in Microsoft Exchange Server that were disclosed to them by security researcher Steven Seeley.

| CVE | CVSSv3 |
| --- | --- |
| CVE-2021-26412 | 9.1 |
| CVE-2021-26854 | 6.6 |
| CVE-2021-27078 | 9.1 |

Proof of concept

At the time this blog post was published, there were no proofs-of-concept available for any of the four zero-day vulnerabilities disclosed by Microsoft.

Solution

Microsoft released out-of-band patches for Microsoft Exchange Server on March 2 that address all four vulnerabilities exploited in the wild as well as the three unrelated vulnerabilities.

| Exchange Server Version | Knowledgebase Article |
| --- | --- |
| 2010 Service Pack 3 | KB5000871 |
| 2013 Cumulative Update 23 | KB5000871 |
| 2016 Cumulative Update 18 | KB5000871 |
| 2016 Cumulative Update 19 | KB5000871 |
| 2019 Cumulative Update 7 | KB5000871 |
| 2019 Cumulative Update 8 | KB5000871 |

Both Microsoft and Volexity have shared indicators of compromise (IOCs) for the attacks in their respective blog posts.

There are some mitigations organizations can apply until patching is feasible, such as restricting untrusted connections to Exchange Server. However, Tenable strongly encourages all organizations that deploy Exchange Server on-premises to apply these patches as soon as possible. We expect that once a working proof-of-concept becomes available, attackers will begin leveraging these flaws indiscriminately.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.


Cyber Hygiene Essentials: What You Need to Know

In part one of our series on cyber hygiene, we explore the fundamentals that can help businesses understand where they're vulnerable and how to protect their networks from cyberattacks and breaches.

No doubt you've got a lot on your plate running a business: keeping productivity and output on track, monitoring expenses and sales, managing employees, maintaining customer service and so on. As such, you may not be as aware of cybersecurity fundamentals – what those in the industry often call "cyber hygiene" – as you should be. Leaders of small businesses might even be wondering, "Why would my business be hacked? It's not big enough to attract hackers' attention."

Fear not; the Tenable team has you covered. In part one of our series, we'll explore why cyber hygiene is so important and dig into essential practices for establishing it.

Understanding your vulnerability risk

For starters, it's important to define vulnerabilities. The term "vulnerability" isn't synonymous with "malware" or "virus": It simply means any weakness within your network that can be exploited. Vulnerabilities can be errors in application coding, unpatched flaws in the operating systems of hosts on the network, devices on the network with insufficient security measures or other complications. (Malware and other cyberthreats often enter networks because of vulnerabilities; they are not vulnerabilities in and of themselves.) Recognizing what these weaknesses are is the first step toward establishing cyber hygiene.

Another principle to keep in mind is that business size or level of renown doesn't necessarily matter: Research from the Ponemon Institute found that 66% of small- or medium-sized businesses (SMBs) experienced at least one cyberattack in FY 2019, while 63% underwent a data breach.1 This illustrates an important distinction: Even if you aren't specifically targeted by ransomware or a banking trojan, a data breach can still occur as the result of an underlying vulnerability somewhere on your network. Even if the vulnerability is not exploited, the fact that it can be is dangerous enough. You might even bear the brunt of a cyberattack without being its main target: This happens with self-propagating botnet attacks that seize onto every accessible network in their path and wreak havoc indiscriminately, as well as hacks that use your business as a springboard to a bigger target (if, say, you supply materials to an enterprise-scale company).

Additionally, it's been found that cyberattackers go after SMBs because they consider them easier targets. An April 2020 study by Infrascale reported that 46% of small businesses were specifically hit with ransomware, and 73% of these organizations paid the money demanded of them.2 While a large-scale ransomware attack on a major corporation could certainly net hackers a big payday, it's simpler to pursue many smaller targets: From an attacker’s point of view, they're more likely to get paid and less likely to be caught or stopped with the latter approach.

Defining "shadow IT" and your attack surface

Once you understand the need for constant vigilance, the next step toward cyber hygiene is to develop full awareness of your network. Begin by inventorying all hosts and devices connected to your network.3 Pay specific attention to devices that aren't company-issued: Personal computers, smartphones and tablets may not include the same protections as their organization-provided counterparts, and thus represent a significant risk – they're often called "rogue IT" or "shadow IT." Prioritize network assets according to greatest risk, paying closest attention to those with personal information of customers, employees or suppliers as well as any that contain PCI-protected credit card data, health information under the umbrella of HIPAA and any other data covered by regulations relevant to your business. 

Similarly, you must make yourself aware of all applications running on the network. Unauthorized, unknown applications are always a major red flag, but so are apps that haven't been updated in a while: The latter can be just as dangerous as the former, due to their higher likelihood of featuring unpatched vulnerabilities. Once you catalog all vulnerable elements of the network, you will have a fuller understanding of your attack surface.

Implementing fundamental cybersecurity protections

Now that you know what can be vulnerable, it's time to look at what is vulnerable, starting with the use of vulnerability scanning solutions. Such tools will pinpoint specific vulnerabilities, wherever in your network they may be. Many of them can be easily addressed by downloading and installing the latest patches from manufacturers. (Leaving known vulnerabilities within your network unpatched for any length of time opens your organization to serious risk, which only increases as time passes. A significant number of organizations do nothing upon learning of unpatched vulnerabilities – not a habit you want to mimic.)

Other vulnerabilities may require you to delete excessively compromised applications and replace them with similar, non-vulnerable programs. Alternatively, you might need to get rid of host computers or devices with unsupported software or operating systems that are too outdated to be worth the trouble of patching. While these application or device removals might not be simple processes, you can't ignore their necessity if your scan determines that they're the sources of critical vulnerabilities. 

Eliminating definite or potential threats is only half of the battle, of course – you also have to reduce your chances of future exposure. If you're not already using anti-malware tools and firewalls, implement them immediately4 (ideally in the most up-to-date iterations you can find, like next-gen virtual or hardware-based firewalls). Beyond that, you'll want to encourage better cyber hygiene throughout your organization by training your employees and establishing a cybersecurity policy that all employees must follow, detailing not only what solutions should be used but also best practices like creating smart passwords (with random character combinations) and spotting phishing emails (noticing suspicious-looking requests to click links or open attachments, and so on).

If you're unsure how to create this policy on your own, the FCC's Cyberplanner tool is a great place to start. Also, if handling all of these issues on your own is untenable, you can turn to cybersecurity consultants or managed services providers, but be sure to check the service-level agreement you sign with either of those parties to know exactly what they'll offer you and what you're expected to cover yourself. 

Next steps

All of the practices noted above are very valuable for protecting your business from cyberattacks and breaches, but they're ultimately the basics. True minimization of your attack surface may require more precise actions, which we'll examine closely in part two of this series.

1. Ponemon Institute, "2019 Global State of Cybersecurity in Small and Medium-Sized Businesses," October 2019
2. Infrascale, "Infrascale Survey Reveals Close to Half of SMBs Have Been Ransomware Attack Targets," April 21, 2020
3. CISA, "Cyber Essentials," Aug. 17, 2020
4. Carnegie Mellon University, "Cyber Hygiene: A Baseline Set of Practices"


Finding Proxylogon and Related Microsoft Exchange Vulnerabilities: How Tenable Can Help

We urge organizations to patch Proxylogon (CVE-2021-26855) and related vulnerabilities (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) in Microsoft Exchange Server and investigate for potential compromise within their networks. Here's how Tenable products can help.

Background

Following Microsoft’s out-of-band advisory for four zero-day vulnerabilities in Microsoft Exchange Server that were exploited in the wild by a nation-state threat actor known as HAFNIUM, multiple reports have emerged that over 30,000 organizations may have been compromised as a result of these flaws. Jake Sullivan, the White House national security advisor, tweeted that the administration is aware of “potential compromises” at U.S. think tanks and defense industrial base entities.

The impact of these vulnerabilities is not limited to U.S.-based organizations, as there are reports of compromised entities in the Czech Republic and Norway. We expect more compromised organizations will be identified in the coming days and weeks.

As Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), has said, organizations that exposed Exchange Server to the internet should assume compromise and begin hunting for known indicators.

How Tenable Can Help

Tenable released version check plugins for Exchange Server 2010, 2013, 2016 and 2019, which can be used to determine which Exchange Server systems are vulnerable in your environment. However, we’ve also produced additional checks that can be used to directly identify vulnerable systems, as well as to flag potential web shells on hosts that may be compromised.

Direct check plugin

Unlike version checks, which may require the use of a credentialed scan, a direct check plugin is designed to test whether or not your Exchange Server instance is vulnerable to the exploit itself. We have released Plugin ID 147171, which can be used for uncredentialed scans of vulnerable Exchange Server instances. Once the scan is complete, the scan output will produce the following result if vulnerable:

In this instance, the Exchange Server is vulnerable to CVE-2021-26855.

Indicators of Compromise (IOC) check plugin

In addition to the direct check plugin, Tenable Research has produced a plugin (147193) that can be used to identify Microsoft Exchange hosts which may have been compromised based on publicly available IOCs. The plugin may produce the following results:

This screenshot shows the plugin returning results of .aspx files which may indicate that the host has been compromised.

Please note that the IOC plugin may flag benign aspx files as suspicious, so we strongly encourage cross-referencing these against known good lists like this one provided by NCC Group, as well as malware databases like VirusTotal, Hybrid Analysis and PolySwarm.

Using YARA rules to scan for hashes and other IOCs

As we noted in our previous blog, IOCs were initially published by Microsoft and Volexity. Volexity provided a set of three YARA rules to identify web shells.

Tenable products provide the ability to perform YARA scanning by supplying a YARA rule. YARA scanning will scan files on the target to determine if any file matches the user provided YARA rules. This feature uses the Directories and Custom Filescan Directories options to determine which files to scan. A file that is successfully matched against a YARA rule generates a "critical" vulnerability in the scan report and the offending file is attached if it is under 5MB.

In addition to YARA scanning, customers can also provide a list of known bad hashes (MD5, SHA1 and SHA256) to identify on the target system. Microsoft shared a list of known bad hashes associated with the HAFNIUM campaign.
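The two checks described above, matching files against a known-bad hash list and cross-referencing flagged .aspx files against a known-good list to suppress false positives, can be combined in a small hunting script. The following is an added example, not a Tenable plugin and not Microsoft's or Volexity's indicator list: it walks an assumed Exchange web-root directory, hashes every .aspx file with MD5, SHA1 and SHA256, reports hashes on a known-bad list, suppresses hashes on an allowlist, and leaves everything else for analyst review. All paths, file names and hashes are constructed for the demo.

```python
"""Hash-based hunt for suspicious .aspx files under an Exchange web root.

Added example (not a Tenable plugin). The web-root layout, file names and
every hash below are constructed for the demo; real indicators would come
from the Microsoft and Volexity lists, and the allowlist from a known-good
list such as the NCC Group one the post references.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

HASH_ALGOS = ("md5", "sha1", "sha256")
# The post notes a matched file is attached to the scan report only if it is under 5 MB.
ATTACH_LIMIT = 5 * 1024 * 1024


@dataclass
class Finding:
    path: str              # relative to the scanned root, POSIX separators
    verdict: str           # "known_bad" or "unknown"; known_good files are suppressed
    digests: Dict[str, str]
    attachable: bool       # small enough to attach to a report


def file_digests(path: Path) -> Dict[str, str]:
    """Compute MD5, SHA1 and SHA256 in a single read pass so each file is read once."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def normalize(indicators: Iterable[str]) -> Set[str]:
    """Lower-case and strip a mixed MD5/SHA1/SHA256 list so it compares as one set."""
    return {i.strip().lower() for i in indicators if i.strip()}


def classify(digests: Dict[str, str], known_bad: Set[str], known_good: Set[str]) -> str:
    """A known-bad hit outranks an allowlist hit; anything else needs an analyst."""
    values = set(digests.values())
    if values & known_bad:
        return "known_bad"
    if values & known_good:
        return "known_good"
    return "unknown"


def sweep(root: Path, known_bad: Set[str], known_good: Set[str],
          suffixes: Tuple[str, ...] = (".aspx",)) -> List[Finding]:
    """Walk root and report known-bad matches plus unreviewed files of the given types."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() not in suffixes:
                continue
            digests = file_digests(p)
            verdict = classify(digests, known_bad, known_good)
            if verdict == "known_good":
                continue  # allowlisted: the benign OWA/ECP pages the post warns may be flagged
            findings.append(Finding(p.relative_to(root).as_posix(), verdict, digests,
                                    p.stat().st_size < ATTACH_LIMIT))
    return sorted(findings, key=lambda f: f.path)


def demo() -> List[Finding]:
    """Build a constructed web root with one benign, one known-bad and one unknown page."""
    good_body = b'<%@ Page Language="C#" %><!-- constructed benign logon page -->'
    bad_body = b'<%@ Page Language="C#" %><!-- constructed stand-in for a known-bad file -->'
    unknown_body = b'<%@ Page Language="C#" %><!-- constructed page on neither list -->'
    # Constructed indicator lists: SHA256 for the allowlist, MD5 for the bad list,
    # to show that a mixed-algorithm, mixed-case list is handled.
    known_good = normalize([hashlib.sha256(good_body).hexdigest().upper()])
    known_bad = normalize([hashlib.md5(bad_body).hexdigest()])
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "owa" / "auth").mkdir(parents=True)
        (root / "ecp").mkdir()
        (root / "owa" / "auth" / "logon.aspx").write_bytes(good_body)
        (root / "ecp" / "constructed_bad.aspx").write_bytes(bad_body)
        (root / "owa" / "auth" / "constructed_unknown.aspx").write_bytes(unknown_body)
        (root / "owa" / "readme.txt").write_bytes(b"not an .aspx file, skipped")
        return sweep(root, known_bad, known_good)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.verdict:10} {f.path}  sha256={f.digests['sha256']}")
```

Unknown files are the ones to submit to the malware databases the post lists; only a known-bad match is a confirmed indicator.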

Prioritize patching and investigate for potential compromise

While we strongly encourage our customers to apply the available patches provided by Microsoft as soon as possible, we also believe it is just as critical to identify the presence of web shells and further compromise within your organization as the attackers may have already established a presence. Applying the available patches plugs the hole, but it doesn’t address the possibility that the attackers are already lurking within your network, which is why hunting for these IOCs is crucial.

Identifying affected systems

The following is a summary of all the checks Tenable Research has produced related to the Exchange Server vulnerabilities.

| Plugin | Plugin Type | Description |
| --- | --- | --- |
| Security Update for Microsoft Exchange Server 2010 SP 3 (March 2021) | Version Check | Identify vulnerable Exchange Server 2010 systems. |
| Security Updates for Microsoft Exchange Server (March 2021) | Version Check | Identify vulnerable Exchange Server 2013, 2016 and 2019 systems. |
| Microsoft Exchange Server Authentication Bypass | Direct Check | Directly identify vulnerable Exchange Server systems uncredentialed. |
| Potential exposure to Hafnium Microsoft Exchange targeting | Local Check | Identify potential web shells in selected directories for further analysis. |

We will update this blog post if we publish any additional plugins related to these events.


Microsoft’s March 2021 Patch Tuesday Addresses 82 CVEs (CVE-2021-26411)

In its March release, Microsoft addressed 82 CVEs, including a zero-day vulnerability in Internet Explorer that has been exploited in the wild and linked to a nation-state campaign targeting security researchers.

  • 10 Critical
  • 72 Important
  • 0 Moderate
  • 0 Low

Microsoft patched 82 CVEs in the March 2021 Patch Tuesday release, including 10 CVEs rated as critical and 72 rated as important.

This month's Patch Tuesday release includes fixes for Application Virtualization, Azure, Azure DevOps, Azure Sphere, Internet Explorer, Microsoft ActiveX, Microsoft Exchange Server, Microsoft Edge (Chromium-based), Microsoft Graphics Component, Microsoft Office, Microsoft Office Excel, Microsoft Office PowerPoint, Microsoft Office SharePoint, Microsoft Office Visio, Microsoft Windows Codecs Library, Power BI, DNS Server, Hyper-V, Visual Studio, Visual Studio Code, Windows Admin Center, Windows Container Execution Agent, Windows DirectX, Windows Error Reporting, Windows Event Tracing, Windows Extensible Firmware Interface, Windows Folder Redirection, Windows Installer, Windows Media, Windows Overlay Filter, Windows Print Spooler Components, Windows Projected File System Filter Driver, Windows Registry, Windows Remote Access API, Windows Storage Spaces Controller, Windows Update Assistant, Windows Update Stack, Windows UPnP Device Host, Windows User Profile Service, Windows WalletService, and Windows Win32K.

Remote code execution (RCE) vulnerabilities accounted for 46.3% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) flaws at 36.6%.

Critical

CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 | Microsoft Exchange Server Vulnerabilities

Last week, Microsoft published an out-of-band (OOB) security advisory for four vulnerabilities in Microsoft Exchange Server that were exploited in the wild as zero-days. The unusual decision to release patches OOB underscores how significant these vulnerabilities are. Initial reports claim that over 30,000 organizations may have been compromised as a result of these flaws. Tenable Research published a blog post that provides details on how we can help you identify vulnerable instances of Exchange Server in your environment as well as discover systems that may be compromised.

Critical

CVE-2021-26411 | Internet Explorer Memory Corruption Vulnerability

CVE-2021-26411 is a memory corruption vulnerability in Internet Explorer that was exploited in the wild as a zero-day. In order to exploit the flaw, an attacker would need to host the exploit code on a malicious website and convince a user through social engineering tactics to visit the page, or the attacker could inject the malicious payload into a legitimate website.

The vulnerability was publicly disclosed in early February by researchers at ENKI, and has reportedly been linked to a concerted campaign by nation-state actors to target security researchers. This campaign was first disclosed in late January by Google’s Threat Analysis Group, which detailed attempts to trick security researchers into visiting fake security blogs that reportedly hosted the malicious code.

Critical

CVE-2021-26877, CVE-2021-26893, CVE-2021-26894, CVE-2021-26895, and CVE-2021-26897 | Windows DNS Server Remote Code Execution Vulnerability

CVE-2021-26877, CVE-2021-26893, CVE-2021-26894, CVE-2021-26895 and CVE-2021-26897 are RCE vulnerabilities found in Windows Domain Name System (DNS) servers. All five of these CVEs were assigned 9.8 CVSSv3 scores and can be exploited by an unauthenticated attacker when dynamic updates are enabled. According to an analysis by researchers at McAfee, these CVEs are not considered “wormable,” yet they do evoke memories of CVE-2020-1350 (SIGRed), a 17-year-old wormable flaw patched in July 2020.

Important

CVE-2021-26896 and CVE-2021-27063 | Windows DNS Server Denial of Service Vulnerability

CVE-2021-26896 and CVE-2021-27063 are denial of service (DoS) vulnerabilities in Windows DNS servers, both receiving a CVSSv3 score of 7.5, and highlighted by Microsoft’s Exploitability Index as “Exploitation Less Likely.” Successful exploitation would result in an exhaustion of resources on the targeted server, causing it to become unresponsive. Exploitation of DNS DoS vulnerabilities usually requires sending a crafted DNS query to a vulnerable server.

Critical

CVE-2021-26867 | Windows Hyper-V Remote Code Execution Vulnerability

CVE-2021-26867 is an RCE vulnerability affecting Hyper-V clients that have been configured to utilize the Plan 9 file system (9P). Successful exploitation could allow an authenticated attacker to execute code on a Hyper-V server. Despite Microsoft rating this vulnerability as “Exploitation Less Likely,” the CVSSv3 score assigned to this flaw is a 9.9 out of 10.0. However, it is important to note that Hyper-V clients not utilizing 9P are not affected by this vulnerability.

Tenable solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains March 2021.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from March 2019 using Tenable.io:

A list of all the plugins released for Tenable’s March 2021 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.


Healthcare Security: Ransomware Plays a Prominent Role in COVID-19 Era Breaches

Ransomware is the root cause in a majority of the healthcare breaches analyzed.

As the ongoing COVID-19 pandemic continues to place unprecedented strain on global healthcare infrastructure, attackers are finding what was already an attractive target even more enticing. The pandemic has also greatly expanded the sector's attack surface: greater demand for remote services like telehealth, the collection of COVID-19 contact tracing app data, increased demand on medical manufacturing companies, and a race among medical research facilities to find a cure. An analysis of publicly disclosed breach data by the Tenable Security Response Team (SRT) reveals 237 breaches in the healthcare sector in calendar year 2020. And the activity looks set to continue unabated in 2021, with 56 breaches already disclosed as of February 28. One finding is clear: ransomware attacks are not going away anytime soon.

Breaches Hit Healthcare Hard

The Tenable SRT monitors threat and vulnerability intelligence feeds to help drive and prioritize plugin coverage for Tenable products and to keep customers informed of the risks associated with vulnerabilities. For additional context, the team also monitors and tracks publicly disclosed breaches to understand how and when vulnerabilities are a factor. The Tenable 2020 Threat Landscape Retrospective (TLR) revealed a total of 22 billion records exposed as a result of 730 publicly disclosed breaches between January 2020 and October 2020, with healthcare being by far the most affected industry sector.

This comes as no surprise given the critical role healthcare infrastructure has had as a result of the COVID-19 pandemic.

Breaches have long been a profitable business for threat actors, as highlighted in IBM's 2020 Cost of a Data Breach Report, which notes the average cost of a breach at $3.86 million. If that number weren't incentive enough for threat actors, the average cost of a breach for healthcare specifically was $7.13 million, with personally identifiable information (PII) valued at $150 per record making the industry a prime target.

[Figure: Cost of a data breach. Source: IBM Security Cost of a Data Breach Report 2020]

Given the particular importance of the healthcare sector at a time of global pandemic, we felt it was important to expand on the original analysis provided in the TLR, which was limited by our publishing deadlines. In this blog, we examine the full 12 months of publicly disclosed breaches in 2020 and take a closer look at activity we've seen in the first two months of 2021. We've analyzed 293 breaches in the healthcare sector which were publicly disclosed between January 2020 and February 2021; records were confirmed to have been exposed in nearly 93% of these breaches. One obstacle with accurately tracking breaches is that public disclosures can occur days, months or even years after the event itself and, even then, the level of detail available may be scant. Of the 293 breaches known to have exposed records in the 14-month period we analyzed, 57.34% of the affected organizations have publicly disclosed how many records were exposed. The number of records exposed in this period reached a total of nearly 106 million records; 76.45% of these were disclosed in 2020. (Editor's note: At the time this blog was published, the ramifications of CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, four actively exploited Microsoft Exchange Server zero-days, are just beginning to emerge; Tenable Research is closely following developments related to this disclosure.)

Root Cause Analysis of Healthcare Breaches

A root cause was reported in 93.17% of the healthcare breaches disclosed in the 14-month period we've analyzed. Among these, ransomware was by far the most prominent root cause of healthcare breaches, accounting for a whopping 54.95%. Other leading causes included email compromise/phishing (21.16%), insider threat (7.17%) and unsecured databases (3.75%).

[Figure: Healthcare breaches: root cause analysis]

In some instances, breaches don't occur as a result of direct action against the victim or of the victim's own actions, but rather as a result of a third-party breach. This occurs when a third-party vendor that you use is breached and, as a result, attackers gain access to your data stored in the vendor's systems. In some circumstances, attackers exploit vendors to gain direct access to your systems. In cases where the numbers were made public, our analysis shows that third-party breaches accounted for over a quarter of the breaches tracked and for nearly 12 million records exposed. The breach of a single company accounted for over 10 million of these records. This breach has been linked to 61 of that company's healthcare customers, with the number of exposed records expected to increase as more of these impacted customers disclose their numbers.

[Figure: Healthcare breach analysis: third party as source of breach]

Some Healthcare Sectors Hit Worse Than Others

While the term "healthcare" is often used as if it describes a monolithic sector, there are in fact quite significant differences in the types of organizations operating within the broader healthcare category. In order to provide a more granular view, we've further segmented the data into 12 key classifications, which can be found in the table below. Healthcare systems — typically a collective of institutions, people and various resources across a geographical area — accounted for just over 30% of the breaches tracked. Because such systems can include multiple facilities spread across a number of campuses, the impact of 88 breaches is far worse than if they had occurred in individual, standalone facilities such as a single hospital.

The top five healthcare categories experiencing the most breaches in the past 14 months were:

  1. Healthcare systems (30.03% of overall breaches)
  2. Hospital (19.11%)
  3. Mental health care/rehabilitation (6.14%)
  4. Medical clinic (5.12%)
  5. Government agency (4.10%)
TOP 12 BREACHED SECTORS

| Healthcare sector | Breach count 2020 | Breach count 2021 YTD | Breach count total | Share of overall breaches 2020 | Share 2021 YTD | Share total |
| --- | --- | --- | --- | --- | --- | --- |
| Healthcare system | 72 | 16 | 88 | 24.57% | 5.46% | 30.03% |
| Hospital | 43 | 13 | 56 | 14.68% | 4.44% | 19.11% |
| Mental health care / rehabilitation | 17 | 1 | 18 | 5.80% | 0.34% | 6.14% |
| Medical clinic | 11 | 4 | 15 | 3.75% | 1.37% | 5.12% |
| Government agency | 7 | 5 | 12 | 2.39% | 1.71% | 4.10% |
| Children's hospital | 9 | 0 | 9 | 3.07% | 0.00% | 3.07% |
| Healthcare software | 8 | 0 | 8 | 2.73% | 0.00% | 2.73% |
| Laboratory testing | 4 | 3 | 7 | 1.37% | 1.02% | 2.39% |
| Health insurance | 7 | 0 | 7 | 2.39% | 0.00% | 2.39% |
| Pharmaceuticals | 6 | 0 | 6 | 2.05% | 0.00% | 2.05% |
| Medical research | 5 | 1 | 6 | 1.71% | 0.34% | 2.05% |
| Medical manufacturing | 5 | 1 | 6 | 1.71% | 0.34% | 2.05% |

Source: Tenable Research analysis of publicly disclosed breaches, January 2020 - February 2021.

Ransomware - Root Cause of Healthcare Breaches

Ransomware accounted for 54.95% of breaches tracked, or 161 breaches. For 108 of these breaches, the culprits responsible never became publicly known. There are a variety of reasons for this, including:

  • They were never identified.
  • They decided to remain anonymous.
  • The victims never publicly disclosed the details.
  • They were never observed to have listed their victims or dumped their data on ransomware sites.

When it came to healthcare, Ryuk stood out above the rest, repeatedly appearing in breach disclosures and accounting for 8.64% of ransomware-related breaches, followed by Maze (6.17%), Conti (3.7%) and REvil/Sodinokibi (3.09%), as shown in the chart below.

[Chart: Healthcare breach analysis: ransomware groups]

At one stage, towards the beginning of the pandemic, there was a glimmer of hope for the healthcare industry. Bleeping Computer reported that some ransomware groups claimed they would cease attacks against the sector. However, these ransomware gangs reneged on their promises, continuing to be tied to breaches throughout 2020, raising the question of whether ransom payments will be honored.

Unpatched Vulnerabilities Leveraged by Ransomware Groups

The root cause of the breaches tracked was predominantly disclosed as a result of ransomware or phishing/email compromise; it is a rare occurrence that exact methods used to breach a company are disclosed. Ransomware groups tend to favor leveraging certain attack vectors, so much so that they have their own fingerprints. Some are known to exploit vulnerabilities while others will utilize phishing/email compromise to establish an initial foothold before dropping malware or leveraging a vulnerability to gain further access to the victim's systems to deploy the ransomware.

Ryuk ransomware, the leading culprit for ransomware attacks against the healthcare industry, is known to favor a number of vulnerabilities, including those associated with Microsoft Server Message Block (SMB) as reported by Trend Micro. Analysis from researchers at The DFIR Report demonstrated how Ryuk threat actors went from sending an initial phishing email (similar to Conti) to controlling an entire domain using CVE-2020-1472 to elevate privileges less than two hours after the initial phish. This vulnerability, also dubbed "Zerologon," targeted a vulnerability in Netlogon which could allow attackers to hijack a Windows Domain Controller (DC). This vulnerability is highlighted as the top vulnerability in the Tenable 2020 TLR, so severe that Microsoft rolled out a second patch for it in February 2021 to enable Enforcement Mode by default.

In a recent article in SC Magazine, Jamie Hart, cyberthreat intelligence analyst at Digital Shadows, gives insight into Conti ransomware and how it has targeted healthcare facilities. Hart notes that Conti initially targeted victims with phishing emails before leveraging CVE-2020-0796, a wormable remote code execution (RCE) vulnerability in Microsoft SMBv3, to gain access to an admin account. Conti would use well-known open-source tools to enumerate and gain further access to the victim's networks. While Hart provides one observation of Conti ransomware, Coverware researchers highlight that they have observed Conti ransomware favoring the Remote Desktop Protocol (RDP). The Tenable 2020 TLR highlighted the increased use of RDP in the last year favored for remote working as it is included in the Windows operating system (OS). RDP, unfortunately, has a history of having critical vulnerabilities associated with the protocol, including CVE-2019-0708, dubbed "BlueKeep," CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226, collectively named "DejaBlue."

Maze, prior to shutting down on November 1, 2020, was responsible for a number of attacks as highlighted by the above chart. Much like Conti and other ransomware groups, they are known to favor RDP as an attack vector but also have a history of targeting certain CVEs. These include CVE-2019-19781, a vulnerability in Citrix Application Delivery Controller (ADC) and Gateway, as reported by SHIELDX and CVE-2019-11510, a vulnerability in Pulse Connect Secure SSL VPN, as highlighted by Palo Alto Networks Unit 42. Both of these vulnerabilities made the top five vulnerabilities in the Tenable 2020 TLR despite being disclosed in 2019 as threat actors continue to target unpatched vulnerabilities.

Telehealth Solutions Expand the Attack Surface

The new norm of social distancing and doctors being very selective of the patients they see in person has resulted in an exponential rise in the use of telehealth for medical advice. Listening to Patient Data Security: Healthcare Industry and Telehealth Cybersecurity Risks, a study by Security Scorecard and DarkOwl, analyzed 148 of the most-used telehealth vendors from September 2019 to April 2020. The study found a staggering 30% increase per domain in their findings; below are some concerning stats directly from their report:

Finding                                        | Meaning
-----------------------------------------------|--------
117% increase in IP reputation security alerts | Malware infections (as part of successful phishing attempts and other attack vectors) ultimately cause IP reputation finding issues
56% increase in endpoint security              | Exploited vulnerabilities in endpoint security enable data theft
16% increase in application security           | Patients connect with telehealth providers using web-based applications including structured and unstructured data
42% increase in FTP issues                     | FTP is an insecure network protocol that enables information to travel between a client and a server on a network
27% increase in RDP issues                     | RDP is a protocol that allows for remote connections, which has seen increased usage since the widespread adoption of remote work

Source: Listening to Patient Data Security: Healthcare Industry and Telehealth Cybersecurity Risks, a study by Security Scorecard and DarkOwl analyzing 30,000 healthcare organizations from September 2019 to April 2020.

While it's a positive to see a 65% increase in patching cadence findings reported, seeing an increase in telehealth IPs flagged as malicious, issues in insecure protocols and an uptick in vulnerabilities in telehealth being exploited do raise flags. It's clear from the Security Scorecard / DarkOwl study that there was an increase in exploiting telehealth in 2020 into the start of the pandemic. It would not be unfounded to assume telehealth was in the scopes of threat actors for the remainder of the year and going into 2021.

Vaccine Research and Production Prompts Cyberattacks

The research and development of COVID-19 vaccines introduced a prime target for threat actors and organizations involved in these efforts should be on high alert, as warned in a U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) public service announcement towards the early stages of the pandemic. These attacks against vaccine research and production facilities prompted further advisories; the U.K.'s National Cyber Security Centre (NCSC) published one on July 16, 2020, in relation to an advanced persistent threat. The advisory highlighted APT29 as targeting COVID-19 vaccine development and is known to leverage the previously mentioned CVE-2019-19781 and CVE-2019-11510 but also CVE-2018-13379, a vulnerability in FortiGate SSL VPN. These facilities will continue to be targeted as long as they present financial opportunities, whether it's to halt production or research and hold victims to ransom or the act of cyber espionage with the intent to sell the data to the highest bidder.

The Prognosis for Healthcare Breaches

Whether threat actors leverage email compromise/phishing or vulnerabilities to gain an initial foothold in healthcare systems, it is highly probable that vulnerabilities will be the root cause of a system-wide compromise. The healthcare industry should take a two-pronged approach to cybersecurity:

  • Prioritize vulnerabilities: identify and remediate vulnerabilities most likely to target and impact your organization.
  • Address the root cause: while the human element is a factor in some instances, the majority of breaches can be prevented, or at a minimum impeded, by patching target vulnerabilities. The health of the network can be maintained through regular check-ups.

As explained above, the vulnerabilities being leveraged by these ransomware groups are targeted due to lack of patching, and overlap with vulnerabilities targeted by state-sponsored actors for the same reason.

It's clear healthcare will continue to be targeted in 2021 with breaches already making media headlines. Action needs to be taken to nullify the risk before more damage can be done.

Learn more

  • Download Tenable's 2020 Threat Landscape Retrospective here.
  • Watch the on-demand webinar, Tenable Research 2020 Recap and Defender's Guidance for 2021, here
  • Visit the Tenable Research landing page here

The Growth of Vulnerability Assessment: A Look at What Nessus Offers Today


The Nessus team continues to develop advanced assessment capabilities, including visibility into new operating systems, exploitable vulnerabilities and container instances.

When Renaud Deraison first announced Nessus on Bugtraq on Apr. 4, 1998, it was an “alpha” release. Today, as Nessus nears its 23rd birthday, the alpha release has become the alpha vulnerability scanner, the most widely adopted vulnerability assessment tool in the world.

The enduring growth of Nessus is now industry lore. When first released, Nessus compiled on Linux and had 50 plugins. Less than five years later, Nessus had over 1,000 plugins and helped launch Tenable, the enterprise platform that pioneered the risk-based vulnerability management space. After five more years, Nessus’ operating system support had expanded dramatically to include over 20,000 plugins and Nessus had been downloaded over 5,000,000 times. A generation of security professionals has grown up with Nessus, and many can still recall the experience of their first scan.

It's no secret as to why Nessus has consistently remained #1 in accuracy, coverage and adoption in the market. 

Over the past decade, Nessus has continued to add features and enhance performance. Today, Nessus runs on all common (and a few less common) Linux distributions, FreeBSD, Apple macOS, Windows Servers and desktop operating systems. It has more reporting options than ever, a robust API, preconfigured scan templates for common vulnerabilities and an estimated 152,000 plugins covering 61,000 Common Vulnerabilities and Exposures (CVEs). In 2020 alone, Tenable Research released over 12,000 plugins and updated over 16,000 plugins. We don’t just release plugins once—we work to continuously improve them as new information becomes available.

More impressive than those large numbers are the people behind them. It takes a team of dozens to write, test, update and deploy our plugins and audit files. Tenable doesn’t just react to published vulnerabilities; we have an impressive zero-day research team that continuously finds new vulnerabilities, disclosing 100 zero-days in 2019 and 141 in 2020.

Even as Tenable expands our enterprise solutions, we never forget our roots with Nessus. Over the past year alone, our team has added many new features that continue to advance the vulnerability assessment space:

  • Added support for six additional operating systems to natively run Nessus, expanding the total footprint across Mac, Linux and Windows:
    • SUSE Linux Enterprise Server 15
    • FreeBSD 12.x
    • Kali 2018, 2019, 2020
    • Ubuntu 20.04
  • Six new predefined reports for users ranging from operating system detections to persistent vulnerabilities that are older than one year: 
    • OS Detections - Security analysts receive a summary of the most prevalent operating systems on the network to help identify systems with the most risk.
    • Exploitable Vulns - Security analysts can focus remediation efforts and better protect the network by identifying the most at-risk vulnerabilities that have known working exploits in the wild.
    • Unsupported Software - System administrators receive a summary of the software that is no longer supported by vendors to help understand the associated risk.
    • Known Accounts - Security analysts can review and identify systems with configuration issues related to user accounts to prevent lateral movement in the network.
    • Hosts with Vulnerabilities - System administrators can view the top 25 most prevalent vulnerabilities and a list of IP addresses associated with each vulnerability.
    • Vulnerabilities Older Than One Year - Security analysts gain awareness of persistent vulnerabilities in their environment that were published more than a year ago.

  • Improved scan performance and templates make Nessus faster than ever before.

  • The ability to deploy Nessus as a Docker image: Customers can deploy a managed Nessus scanner or an instance of Nessus Professional as a Docker image to run on a container.

  • New backup and restore functionality enables users to create Nessus backups that are easily and quickly restored. This can be a previous backup of Nessus to restore later on another system, even if it is a different operating system.

  • More than 28,000 Nessus plugins and updates published by Tenable Research, which continues to lead the industry in CVE coverage, zero-day research and vulnerability management.

Why do we put so much effort into discovering vulnerabilities? Because security begins with visibility, and strong vulnerability assessment is the bedrock of an effective cyber defense.

While it was great watching Nessus grow when I was a user, it has been even better as a member of the Tenable team, watching from the inside as Nessus continues to add features, improve performance and reimagine the user experience. We’re still early in the story, and I can’t wait for you to see what comes next.

CVE-2021-22986: F5 Patches Several Critical Vulnerabilities in BIG-IP, BIG-IQ


F5 releases patches for multiple vulnerabilities in BIG-IP and BIG-IQ, including a critical remote command execution flaw that does not require authentication and is likely to attract exploits in the near future.

Background

On March 10, F5 published a security advisory for several critical vulnerabilities in BIG-IP and BIG-IQ, a family of hardware and software solutions for application delivery and centralized device management.

CVE            | CVSSv3 | Knowledge Base Article
---------------|--------|---------------------------------------------
CVE-2021-22986 | 9.8    | https://support.f5.com/csp/article/K03009991
CVE-2021-22987 | 9.9    | https://support.f5.com/csp/article/K18132488
CVE-2021-22988 | 8.8    | https://support.f5.com/csp/article/K70031188
CVE-2021-22989 | 8.0    | https://support.f5.com/csp/article/K56142644
CVE-2021-22990 | 6.6    | https://support.f5.com/csp/article/K45056101
CVE-2021-22991 | 9.0    | https://support.f5.com/csp/article/K56715231
CVE-2021-22992 | 9.0    | https://support.f5.com/csp/article/K52510511

Analysis

CVE-2021-22986 is a remote command execution vulnerability in the BIG-IP and BIG-IQ iControl REST API. The API is accessible through the BIG-IP management interface and self IP addresses. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable REST interface. Successful exploitation would give an attacker the ability to achieve arbitrary code execution on the vulnerable system and, according to F5, “lead to complete system compromise.” We consider this the most severe of the vulnerabilities patched by F5 because it does not require authentication and its potential for successful exploitation is high.

Traffic Management User Interface (TMUI) related vulnerabilities

In addition to CVE-2021-22986, F5 patched four vulnerabilities within F5’s BIG-IP Traffic Management User Interface (TMUI), also known as the Configuration Utility.

All four vulnerabilities require an attacker to be authenticated to the vulnerable system in order to exploit these flaws. In some instances, specific configurations are required, such as the device running in Appliance mode and/or with the provisioning of the F5 Advanced Web Application Firewall (WAF) or Application Security Manager (ASM).

CVE            | Requirement
---------------|----------------------------------------
CVE-2021-22987 | Appliance Mode
CVE-2021-22988 | None
CVE-2021-22989 | Appliance Mode with Advanced WAF or ASM
CVE-2021-22990 | Advanced WAF or ASM

CVE-2021-22988 is the same vulnerability as CVE-2021-22987, except an enabled Appliance mode is not a requirement for exploitation.

Buffer-overflow vulnerabilities in TMM and Advanced WAF/ASM

CVE-2021-22991 is a buffer-overflow vulnerability in the BIG-IP Traffic Management Microkernel (TMM) due to the improper handling of undisclosed requests with a destination of a virtual server. F5 lists certain configurations of BIG-IP as vulnerable, including:

CVE-2021-22992 is a buffer-overflow vulnerability in the Advanced WAF or ASM virtual server due to the way the Login Page is configured. F5 says that in order for an attacker to exploit this vulnerability they would need to be able to either manipulate server-side HTTP responses or control the back-end web servers. At a minimum, the attacker would be able to cause a denial-of-service (DoS) against the vulnerable device. In some instances, the attacker could gain arbitrary code execution privileges.

At the time this blog was published, a Shodan query shows that there are over 5,000 BIG-IP devices that are internet-facing, each of which could be potentially vulnerable:

The spectre of CVE-2020-5902 looms large

For practitioners, it's hard not to recall last summer’s F5 advisory for CVE-2020-5902, a critical remote code execution vulnerability in F5 BIG-IP’s TMUI that was quickly exploited in the wild after its disclosure. Because of its severity and overarching impact, CVE-2020-5902 was featured as one of the Top 5 Vulnerabilities in our 2020 Threat Landscape Retrospective report.

We anticipate that CVE-2021-22986 will follow in the footsteps of CVE-2020-5902, as attackers begin to actively scan for and attempt to exploit this flaw in the wild, with a proof-of-concept expected to become available in the near future. The seriousness of these vulnerabilities is further reinforced by the Cybersecurity and Infrastructure Agency’s (CISA) latest advisory encouraging users to apply patches as soon as possible.

Proof of concept

At the time this blog post was published, there were two proofs-of-concept available:

Solution

F5 released patches to address all seven vulnerabilities. The following table contains the affected versions as well as the fixed versions of BIG-IP and BIG-IQ.

Affected Versions      | Fixed Versions          | Products
-----------------------|-------------------------|----------------------------------
6.0 through 6.1.0      | Migrate to 7.x or 8.0.0 | BIG-IQ (CVE-2021-22986 ONLY)
7.0.0 through 7.0.0.1  | 7.0.0.2                 | BIG-IQ (CVE-2021-22986 ONLY)
7.1.0 through 7.1.0.2  | 7.1.0.3                 | BIG-IQ (CVE-2021-22986 ONLY)
11.6.1 through 11.6.5.2| 11.6.5.3                | BIG-IP, BIG-IP Advanced WAF/ASM
12.1.0 through 12.1.5.2| 12.1.5.3                | BIG-IP, BIG-IP Advanced WAF/ASM
13.1.0 through 13.1.3.5| 13.1.3.6                | BIG-IP, BIG-IP Advanced WAF/ASM
14.1.0 through 14.1.3.1| 14.1.4                  | BIG-IP, BIG-IP Advanced WAF/ASM
15.1.0 through 15.1.2  | 15.1.2.1                | BIG-IP, BIG-IP Advanced WAF/ASM
16.0.0 through 16.0.1  | 16.0.1.1                | BIG-IP, BIG-IP Advanced WAF/ASM

All customers of BIG-IP and BIG-IQ are strongly advised to apply these patches as soon as possible.

If applying the patches for CVE-2021-22986 is currently not feasible, F5 has provided temporary mitigations that can be applied to restrict access to the iControl REST interface either via blocking access through self IP addresses or blocking access through the management interface. Please note these mitigations should only be used temporarily until you can apply the provided patches.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here. To scan for vulnerable devices, users are required to enable the “Show potential false alarms” setting, also known as “paranoid mode,” in their scan policy.

We also recommend enabling only these specific plugins in a paranoid scan. Scan policies configured to have all plugins enabled will see an increase in the number of triggers, as it will include all paranoid plugins during the scan.

Enabling Paranoid Mode

To enable this setting for Nessus or Tenable.io users:

  1. Click Assessment > General > Accuracy
  2. Enable the “Show potential false alarms” option

To enable this setting for Tenable.sc users:

  1. Click Assessment > Accuracy
  2. Click the drop-down box and select “Paranoid (more false alarms)”

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

How to Identify Compromised Microsoft Exchange Server Assets Using Tenable


As organizations continue to respond to a flurry of attacks by HAFNIUM and other threat actors leveraging Proxylogon (CVE-2021-26855) and related vulnerabilities (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), Tenable has released a plugin to help you identify potentially compromised assets.

Background

Microsoft published an out-of-band advisory for four zero-day vulnerabilities in Microsoft Exchange Server on March 2 in response to in-the-wild exploitation of these flaws by a nation-state threat actor known as HAFNIUM as well as several other threat actors. Initial reports suggested that over 30,000 organizations may have been compromised as a result, but that number has since been revised to over 60,000.

On March 9, Microsoft found more than 100,000 publicly accessible Exchange servers were still vulnerable. On March 12, Microsoft said that number had decreased to 82,000, which shows that while efforts to patch have been successful, there are still many Exchange servers exposed, leaving them vulnerable to attacks.

On March 11, Michael Gillespie, founder of the ID Ransomware service, discovered a new ransomware family called DearCry targeting vulnerable Exchange servers. This was subsequently confirmed by Microsoft Security Intelligence.

As more and more organizations focus their efforts on patching these flaws, it is increasingly important for them to take the time to look for signs of existing compromise in the process.

Exchange Server Plugins

Tenable released four plugins since the March 2 out-of-band advisory, including two version check plugins, a direct check plugin and an indicator of compromise (IOC) plugin.

Plugin                                                              | Plugin Type   | Description
--------------------------------------------------------------------|---------------|------------------------------------------------------------------
Security Update for Microsoft Exchange Server 2010 SP 3 (March 2021)| Version Check | Identify vulnerable Exchange Server 2010 systems.
Security Updates for Microsoft Exchange Server (March 2021)         | Version Check | Identify vulnerable Exchange Server 2013, 2016 and 2019 systems.
Microsoft Exchange Server Authentication Bypass                     | Direct Check  | Directly identify vulnerable Exchange Server systems uncredentialed.
Potential exposure to Hafnium Microsoft Exchange targeting          | Local Check   | Identify potential web shells in selected directories for further analysis.

The IOC plugin, identified as plugin ID 147193, can be used by organizations scanning for vulnerable Exchange servers in their environment to collect IOCs. The results from this plugin can aid defenders in determining if attackers successfully compromised their systems.

Examining the output from the IOC plugin

The IOC plugin will flag files in select Exchange Server directories where attackers are known to have implanted webshells. These details can be seen in the output section of the scan results:

In the example above, three files were discovered in these selected directories.

Comparing files from the plugin output against known IOCs

Knowing which files are in these directories is just the first step. The next step is to compare these results against publicly available indicators of compromise associated with these attacks. Fortunately, Microsoft has published a list of IOCs in both CSV and JSON format that list files known to be malicious.

The image above is a section within Microsoft’s list of IOCs. When comparing this list with the output for the IOC plugin, we see that one file, discover.aspx, is a direct match, including the path. This is a strong indication that the attackers implanted a webshell on a vulnerable Exchange Server.

In addition to Microsoft’s list of IOCs, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory about the Exchange Server attacks and included a list of File Path Indicators to examine for potential compromise.

For example, the FBI/CISA advisory calls out the presence of files within the \inetpub\wwwroot\aspnet_client\\system_web\ path as well as any file or modified file not part of the standard Exchange Server Install for a number of file paths, including \\FrontEnd\HttpProxy\owa\auth\.

When we review the output from our IOC plugin, we see there is an aspx file under the system_web path called 1302992a.aspx, as well as a file, HttpProxy.aspx, under the \\FrontEnd\HttpProxy\owa\auth\ path. The presence of these files does not definitively confirm additional compromise, but warrants further exploration as they may also be associated with these attacks.

It is important to note that with more and more threat actors targeting vulnerable Exchange servers, the list of known bad filenames and hashes will continue to grow. We highly recommend reviewing all files within the paths provided by the FBI/CISA and Microsoft.
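The comparison described above (exact matches against a published IOC list, plus any file sitting in one of the advisory-listed directories) is easy to automate once the plugin output is exported. The script below is an added example for this post and is not part of plugin 147193 or of the Microsoft or FBI/CISA indicator lists. The plugin output text, the IOC rows, the CSV column layout and the hash value are all constructed sample data (the real Microsoft CSV layout is assumed to differ), so it runs offline; the three filenames and directories are the ones discussed in the text.

```python
"""Triage Nessus IOC-plugin output against published Exchange web shell indicators.

Added example for this post, not Tenable/Microsoft/CISA code. All sample data
below is CONSTRUCTED: the plugin output excerpt, the IOC CSV (column layout is
an assumption) and the placeholder hash.
"""
import csv
import io

# Constructed excerpt of the plugin's "files found" section (not real scan output).
PLUGIN_OUTPUT = """
The following .aspx files have been found in directories linked to the Hafnium attack:
  - C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\1302992a.aspx
  - C:\\inetpub\\wwwroot\\aspnet_client\\discover.aspx
  - C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\HttpProxy.aspx
"""

# Constructed IOC list; the path for discover.aspx and the hash are placeholders.
IOC_CSV = """path,sha256
C:\\inetpub\\wwwroot\\aspnet_client\\discover.aspx,PLACEHOLDER_SHA256_FROM_VENDOR_LIST
"""

# Directories the FBI/CISA advisory singles out: any file here that is not part
# of a standard Exchange install warrants review even without a hash match.
WATCHED_DIRS = (
    r"\inetpub\wwwroot\aspnet_client\system_web",
    r"\FrontEnd\HttpProxy\owa\auth",
)


def parse_plugin_output(text):
    """Return the file paths listed as '- <path>' lines in the plugin output."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("- "):
            paths.append(line[2:].strip())
    return paths


def load_iocs(csv_text):
    """Map lower-cased full path -> published hash from the IOC CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["path"].lower(): row["sha256"] for row in reader}


def classify(found_paths, iocs):
    """Label each found file: 'match' (path is in the IOC list),
    'review' (inside an advisory-listed directory) or 'info' (elsewhere)."""
    results = {}
    for path in found_paths:
        key = path.lower()
        if key in iocs:
            results[path] = "match"
        elif any(d.lower() in key for d in WATCHED_DIRS):
            results[path] = "review"
        else:
            results[path] = "info"
    return results


def triage(plugin_text=PLUGIN_OUTPUT, ioc_text=IOC_CSV):
    return classify(parse_plugin_output(plugin_text), load_iocs(ioc_text))


if __name__ == "__main__":
    for path, verdict in triage().items():
        print(f"{verdict:7} {path}")
```

A path match on its own is a strong signal; a "review" verdict only means the file lives where the advisory says to look, so the next step is to hash it and compare against the current vendor lists, which keep growing as more actors pick up these flaws.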

Solution

Webshells give attackers an effective way to maintain persistent access to a victim’s systems. Once webshells associated with these Exchange Server vulnerabilities have been identified in your environment, it is important to immediately activate incident response processes to remove the webshells and determine the scope of these attacks. Removing the webshells is not just a step to prevent the threat actors who implanted them from maintaining persistence, but to prevent other threat actors from “piggybacking” by scanning for and using them as well, as was recently confirmed by security researcher Marcus Hutchins.

Frequently Asked Questions

Q: Why didn’t the IOC plugin trigger for all of my Exchange servers?

A: The IOC plugin will only trigger on Exchange Servers where potential IOCs have been found within the identified Exchange Server paths.

Q: How do I know the IOC plugin ran?

A: When reviewing the output for plugin ID 147193, there are two expected results:

Status                           | Expected Output Results
---------------------------------|------------------------------------------------------------------
Potential Compromise Detected    | The following .aspx files have been found in directories linked to the Hafnium attack: -
Potential Compromise Not Detected| The remote host is not affected as no potential IOCs were found. Note that this does not mean the target is not vulnerable to the Hafnium CVEs. See vendor advisory

If the plugin runs successfully, you will see one of the two expected outputs above. If you do not see these results after completing a scan, you can refer to this troubleshooting article.

Q: I patched my Exchange servers but the IOC plugin is still triggering?

A: Patching Exchange Servers addresses the underlying vulnerabilities. It does not remediate potential web shells that may have been implanted on those servers through the exploitation of these flaws, which is why the IOC plugin will still trigger even after patches have been applied. If potential compromise is detected, it is important to follow our recommendations to remediate by activating incident response processes to remove any web shells and investigate for further compromise.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Cyber Hygiene: 5 Advanced Tactics to Maximize Your Risk Reduction


In part two of our series on cyber hygiene, we look at why businesses may need to go beyond the basics of vulnerability scanning and antivirus protection to ensure comprehensive security for their networks. 

All businesses can significantly boost their information security by implementing fundamental elements of cybersecurity – vulnerability scanning, patch application, antivirus and anti-malware tools, firewalls and companywide security policies featuring well-established best practices. These should all be standard procedures for your company, given the risks businesses face today (which are considerable, as we saw in part one of this series). 

That said, those measures shouldn't be your organization's be-all, end-all, at least not across the board. In part two of our deep dive into cyber hygiene, we'll take a look at the more substantial (and, in some cases, more complex) factors you should consider when looking to devise a truly effective infosec strategy for your business. 

Establishing threat-severity assessment

Determining the severity of a threat is key when figuring out how quickly you need to address a given vulnerability. "As fast as possible" may seem like a reasonable rule but quickly becomes unsustainable with the volume of vulnerabilities disclosed on a regular basis. Microsoft regularly releases patches for over 100 vulnerabilities every month. In the last year alone, over 18,350 new vulnerabilities were reported across the broader threat landscape.

The most basic rubric for assessing cyberthreats is the Common Vulnerability Scoring System (CVSS), which is overseen by the Forum of Incident Response and Security Teams (FIRST).1 While worth looking at as a baseline, it has certain flaws that make it untenable as a single vulnerability assessment system – most notably its strict focus on technical impact rather than realistic threat level.2 More than 13% of the 60,000 vulnerabilities catalogued by CVSS have scores of 9.0 (High) or 10.0 (Critical), which makes it difficult for organizations to properly prioritize threats. 

Businesses can maximize their risk reduction by adopting dynamic threat metrics based on real-time attacker activity. For example, Tenable’s Vulnerability Priority Rating (VPR) incorporates a variety of threat intelligence signals – such as exploit kit availability and dark web chatter – to make an informed projection regarding the vulnerabilities attackers are most likely to exploit next. This way, you account for vulnerabilities that become more or less dangerous over time. And once you know which exposures to prioritize, you can use an Asset Criticality Rating (ACR) to further refine your remediation efforts and identify the most business-critical hosts to fix first. 
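To make the difference between a severity-only queue and a threat-informed one concrete, here is an added example (not Tenable code, and not the actual VPR or ACR calculation). The findings, their scores and the combined score (likelihood rating multiplied by asset criticality, with CVSS as the tie-breaker) are constructed for illustration; the CVE identifiers are placeholders.

```python
"""Remediation ordering: CVSS-only versus threat- and asset-informed.

Added example, not Tenable code. The findings and the 'vpr'/'acr' numbers are
CONSTRUCTED, and combining them as vpr * acr is an illustrative formula, not
the vendor's algorithm. CVE ids are placeholders.
"""

FINDINGS = [  # constructed sample data
    {"cve": "CVE-EXAMPLE-0001", "host": "kiosk-01",   "cvss": 9.8,  "vpr": 3.2, "acr": 2},
    {"cve": "CVE-EXAMPLE-0002", "host": "db-prod-01", "cvss": 7.5,  "vpr": 9.6, "acr": 10},
    {"cve": "CVE-EXAMPLE-0003", "host": "web-dmz-02", "cvss": 9.0,  "vpr": 8.9, "acr": 8},
    {"cve": "CVE-EXAMPLE-0004", "host": "lab-vm-07",  "cvss": 10.0, "vpr": 4.1, "acr": 1},
]


def share_rated_high(findings, threshold=9.0):
    """Fraction of findings at or above the CVSS threshold: how little a
    severity-only view separates the queue."""
    high = sum(1 for f in findings if f["cvss"] >= threshold)
    return high / len(findings)


def order_by_cvss(findings):
    """Severity-only queue: highest CVSS first."""
    return [f["cve"] for f in sorted(findings, key=lambda f: -f["cvss"])]


def order_by_threat(findings):
    """Threat-informed queue: likelihood rating (vpr) weighted by how much the
    host matters (acr); CVSS only breaks ties."""
    key = lambda f: (-(f["vpr"] * f["acr"]), -f["cvss"])
    return [f["cve"] for f in sorted(findings, key=key)]


if __name__ == "__main__":
    print("CVSS-only  :", order_by_cvss(FINDINGS))
    print("threat+asset:", order_by_threat(FINDINGS))
```

In the constructed data, the critical-rated finding on an isolated lab VM drops to the bottom while a 7.5-rated flaw on the production database, which attackers are actively exploiting, moves to the top; that reordering is the whole point of pairing a threat rating with asset criticality.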

Relying on thorough attack vector analysis

Because you have so many other things to think about while running a business, it may be tempting to stick to the basics as you remediate certain vulnerabilities. In a handful of cases, that will be all you need to do – apply a patch or implement another appropriate solution and move on. But if you take the time to look at the threat very closely in the midst of the identification and interdiction process, before you apply the patch or implement any other necessary fix, you may significantly reduce your likelihood of being hit by a similar vulnerability in the future.

Processes like threat modeling and penetration testing are valuable because they allow you to examine exactly how a particular vulnerability, if exploited, would harm your network – in explicit detail. A penetration test may be especially useful because it essentially functions as a live, second-by-second demonstration of how a vulnerability is leveraged by a cyberattacker. This type of granular detail can help your organization determine what its cybersecurity strategy should look like going forward.3 Meanwhile, addressing the danger of certain cyberthreats, such as ransomware, requires not only patching vulnerabilities but also preparing a series of backups and contingency plans for your data.4


Setting up secure configurations

The behavior of hosts and applications is determined through configurations. As you might imagine, these initial presets come from manufacturers and developers, and are often engineered for ease of use rather than optimal security.5

Examining the configurations of hardware and software on your network and rectifying any security-related shortcomings can go a long way toward boosting the state of your business's overall cybersecurity. Benchmarks from the Center for Internet Security (CIS) and Defense Information Systems Agency (DISA) can serve as strong standards for ideal configuration: These guidelines are available for dozens of operating systems and applications, and while comprehensive, they're not solely for expert use (though you may need to work with a consultant on implementation if you don't have an IT team on payroll). 
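What a benchmark-driven configuration review looks like in practice, as an added example that is not Tenable's, CIS's or DISA's code: the script parses a service configuration file the way the service itself reads it (first occurrence of a directive wins, comments ignored) and reports each control that is missing or non-compliant. The baseline values and the sample sshd_config are constructed for illustration, not a verbatim CIS or DISA control list.

```python
"""Audit a service configuration file against a benchmark-style baseline.

Added example, not Tenable's, CIS's or DISA's code. The baseline below is a
constructed illustration in the spirit of a hardening benchmark for sshd_config,
not a verbatim CIS or DISA control list, and the sample file is constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed baseline: directive -> (human-readable expectation, predicate on the value).
# Directive names are compared case-insensitively, as sshd itself does.
BASELINE: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "permitrootlogin":        ("no",   lambda v: v.lower() == "no"),
    "passwordauthentication": ("no",   lambda v: v.lower() == "no"),
    "permitemptypasswords":   ("no",   lambda v: v.lower() == "no"),
    "x11forwarding":          ("no",   lambda v: v.lower() == "no"),
    "maxauthtries":           ("<= 4", lambda v: v.isdigit() and int(v) <= 4),
}


@dataclass
class Finding:
    directive: str
    expected: str
    observed: Optional[str]   # None: directive absent, so the compiled-in default applies
    line: Optional[int]       # 1-based line of the effective directive, if present


def parse_config(text: str) -> Dict[str, Tuple[str, int]]:
    """Return {directive_lower: (value, line_no)} for the *first* occurrence of each directive.

    sshd applies the first matching directive and ignores later duplicates, so an
    audit has to evaluate the same occurrence the daemon does. Comments and blank
    lines are skipped. (Conditional "Match" blocks are not modelled here.)
    """
    effective: Dict[str, Tuple[str, int]] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.split("#", 1)[0].strip()
        if not stripped:
            continue
        m = re.match(r"^(\S+)\s+(.+?)\s*$", stripped)
        if not m:
            continue
        effective.setdefault(m.group(1).lower(), (m.group(2), lineno))
    return effective


def audit(text: str, baseline=BASELINE) -> List[Finding]:
    """Return one Finding per baseline control that is missing or non-compliant."""
    cfg = parse_config(text)
    findings: List[Finding] = []
    for directive, (expected, ok) in baseline.items():
        if directive not in cfg:
            # Absent directives are reported too: relying on defaults is a finding in
            # most benchmarks, because defaults differ between software versions.
            findings.append(Finding(directive, expected, None, None))
            continue
        value, lineno = cfg[directive]
        if not ok(value):
            findings.append(Finding(directive, expected, value, lineno))
    return findings


def is_compliant(text: str) -> bool:
    return not audit(text)


# Constructed sample file (not from any real host).
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 10
PermitRootLogin no   # no effect: sshd honours the first occurrence above
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SSHD_CONFIG):
        where = f"line {f.line}" if f.line else "not set"
        print(f"{f.directive}: expected {f.expected}, observed {f.observed!r} ({where})")
```

The point of the first-occurrence rule is that an audit which simply greps for "PermitRootLogin no" would pass the sample file, while the running daemon still permits root logins; the parser has to mirror the software's own precedence rules before comparing against the benchmark.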

Auditing for optimal compliance

This segment of cybersecurity focuses not on finding, modeling or eliminating vulnerabilities, but rather on ensuring your systems are compliant with various government and industry standards. The most obvious example of this issue's importance, especially for small- and medium-sized businesses (SMBs), would be the PCI DSS guidelines: Nearly every business accepts credit and debit card payments, and if yours isn't protecting payment data appropriately, you're not only exposing customers to identity theft but also setting yourself up for noncompliance penalties.[6]

The same risk applies, in varying degrees, to other notable regulations, including HIPAA, the GDPR (for businesses with European business dealings) and the California Consumer Privacy Act (if you have customers or business partners in the Golden State). Conducting thorough compliance auditing from time to time ensures that sensitive customer information is protected and provides a solid foundation for maintaining regulatory compliance and reducing your chances of encountering cyberthreats. 

Managing diverse assets

Crafting a more nuanced cybersecurity strategy must also extend to assets you may not think much about day to day but are still extremely important to operations. If you use any cloud storage, your provider will likely cover some bases as far as security goes,[7] but this isn't guaranteed, so you'll need to check the terms of your service-level agreement and know exactly what security responsibilities you're expected to cover. As a rule of thumb, your cloud provider handles security “of the cloud” (protecting the infrastructure that runs all of the services offered by the provider) while you are responsible for security “in the cloud” (configuration and management tasks along with application updates and patches among other items). Similar logic applies if you use virtual private networks (VPNs) for certain data transmissions, or rely on a mobile device management (MDM) platform to oversee company-issued smartphones. You must determine how much of the security for these tools you need to set up on your own and how much (if any) is integrated into either system.

Last but not least, you should consider examining your key applications and creating an “allowlist” – a policy that ensures only apps on that list of approved tools can run on your system.[8] While this may take some time to establish, as it must cover applications at the controller and server levels, within databases and on individual computers and other devices, the degree of protection it allows for is well worth it.

At the end of the day, you should consider proper cyber hygiene to be one of your business best practices - alongside other everyday practices such as proper accounting, exemplary customer service and maintaining high employee morale.

1. FIRST homepage
2. Carnegie Mellon University, "Toward Improving CVSS," December 2018
3. TechTarget, "Penetration Testing"
4. Securities and Exchange Commission, "Cybersecurity: Ransomware Alert," July 10, 2020
5. Center for Internet Security, "Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers."
6. PCI, "Why Security Matters"
7. Amazon Web Services, "Shared Responsibility Model"
8. Cybersecurity and Infrastructure Security Agency, "Cyber Essentials"


CVE-2021-21975, CVE-2021-21983: Chained Vulnerabilities in VMware vRealize Operations Could Lead to Unauthenticated Remote Code Execution

VMware has addressed a pair of vulnerabilities in vRealize Operations that, when chained together, could result in unauthenticated remote code execution in vulnerable servers.

Background

On March 30, VMware released a security advisory (VMSA-2021-0004) to address two vulnerabilities in vRealize Operations, an AI-powered IT operations management platform for multi-cloud, private and hybrid environments.

CVE | Vulnerability Type | CVSSv3
CVE-2021-21975 | Server-Side Request Forgery | 8.6
CVE-2021-21983 | Arbitrary File Write Vulnerability | 7.2

These vulnerabilities affect vRealize Operations, and also impact VMware Cloud Foundation (vROps) and vRealize Suite Lifecycle Manager (vROps). VMware has attributed the responsible disclosure of both of these vulnerabilities to Egor Dimitrenko, a security researcher at Positive Technologies.

These were not the first VMware-related vulnerabilities to be disclosed by researchers at Positive Technologies in 2021. On February 23, VMware released a security advisory (VMSA-2021-0002) addressing a number of vulnerabilities in VMware vCenter Server. Included in this advisory was CVE-2021-21972, a critical remote code execution (RCE) vulnerability with a CVSSv3 score of 9.8. The RCE flaw was discovered and disclosed by Mikhail Klyuchnikov, a security researcher from Positive Technologies.

Analysis

CVE-2021-21975 is a Server-Side Request Forgery (SSRF) vulnerability in the vRealize Operations API Manager that could allow a remote, unauthenticated attacker to steal administrative passwords. VMware assigned the vulnerability an “Important” severity rating with a CVSSv3 score of 8.6.

CVE-2021-21983 is an arbitrary file write vulnerability in the vRealize Operations API Manager that could allow an authenticated remote attacker to write files (potentially malicious in nature) to arbitrary locations on VMware’s underlying operating system (OS), Photon OS. While exploiting this vulnerability on its own would require authentication, the attacker can bypass this requirement by chaining CVE-2021-21975.

On March 30, Positive Technologies published a tweet highlighting the vulnerabilities discovered by Dimitrenko. The tweet disclosed a further risk to unpatched systems in which attackers could achieve unauthenticated RCE on vulnerable systems by chaining both CVE-2021-21975 and CVE-2021-21983 together. No details have been shared publicly as to how this can be achieved, but we anticipate researchers or threat actors to develop a proof-of-concept (PoC) exploit in the near future.
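The control that closes off the SSRF class of bug described above, as an added example that is not VMware's code and says nothing about how vRealize Operations is implemented: before a server fetches a caller-supplied URL it must resolve the host and refuse any destination inside its own network, including loopback, RFC 1918 space and the link-local range used by cloud metadata services. The resolver is injected so the check runs offline against a constructed name table; the hostnames and addresses in that table are constructed.

```python
"""Outbound-URL validation of the kind that mitigates Server-Side Request Forgery.

Added example, not VMware code and unrelated to how vRealize Operations is
implemented; it shows the general control a server must apply before fetching a
caller-supplied URL. The resolver is injected so the check runs offline against a
constructed name table; in production you would pass a real DNS lookup.
"""
import ipaddress
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(ip) -> bool:
    """True for any address a server should never be told to fetch from on a
    user's behalf: loopback, RFC 1918 / ULA, link-local (which covers cloud
    metadata endpoints), unspecified, multicast and reserved ranges."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def check_outbound_url(url: str, resolve: Callable[[str], Iterable[str]]) -> Tuple[bool, str]:
    """Return (allowed, reason). Every resolved address must be external."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = list(resolve(host))
    except Exception as exc:  # resolver failure: fail closed
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, f"{host} did not resolve"
    for text in addresses:
        ip = ipaddress.ip_address(text)
        # ::ffff:127.0.0.1 is loopback in disguise; judge the embedded IPv4 address.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if is_internal_address(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


# Constructed name table standing in for DNS. 11.22.33.44/45 are arbitrary
# non-private placeholders; the RFC 5737 documentation ranges are avoided here
# because Python's ipaddress module classifies them as private.
NAME_TABLE = {
    "api.example.net": ["11.22.33.44"],
    "internal.example.net": ["10.0.0.5"],
    "mixed.example.net": ["11.22.33.45", "127.0.0.1"],  # one internal record is enough to deny
}


def constructed_resolver(host: str):
    try:
        return [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        return NAME_TABLE.get(host, [])


if __name__ == "__main__":
    for u in ("https://api.example.net/metrics", "http://internal.example.net/",
              "http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]/",
              "http://mixed.example.net/", "file:///etc/passwd"):
        print(u, "->", check_outbound_url(u, constructed_resolver))
```

Two caveats belong with this check. The validated address must be the one the HTTP client actually connects to (otherwise a second DNS answer can differ from the first), and any redirect the fetched server returns has to go through the same check again, because a redirect to an internal address is the usual way around a one-time validation.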

Proof of concept

At the time this blog post was published, there were no PoC exploits available for either vulnerability, or a combination of the two.

Solution

On March 30, VMware released the following updates for vRealize Operations to address CVE-2021-21975 and CVE-2021-21983:

Affected Product | Vulnerable Version | Fixed Version | KB Article
vRealize Operations Manager | 8.3.0 | vROps-8.3.0-HF3 | KB83210
vRealize Operations Manager | 8.2.0 | vROps-8.2.0-HF4 | KB83095
vRealize Operations Manager | 8.1.1, 8.1.0 | vROps-8.1.1-HF6 | KB83094
vRealize Operations Manager | 8.0.1, 8.0.0 | vROps-8.0.1-HF7 | KB83093
vRealize Operations Manager | 7.5.0 | vROps-7.5.0-HF14 | KB82367

If upgrading is not feasible at this time, VMware has provided workaround instructions for CVE-2021-21975 and CVE-2021-21983 that involve modifying the casa-security-context.xml file and restarting the Cluster Analytic (CaSA) service. The patching and workaround steps are linked in the corresponding KB articles in the table above.

Please note that this should only be used as a temporary workaround until upgrading is feasible.

Patches have also been released for VMware Cloud Foundation (vROps) versions 3.x and 4.x as well as vRealize Suite Lifecycle Manager (vROps) 8.x. Information on the patch can be found in the support article KB83260.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Improving Municipal Cybersecurity: Tenable Supports Security Partnership with the National League of Cities

Recognizing the “perfect storm” created by COVID-19 disruptions, the NLC partnered with trusted security leaders to develop a turnkey solution for cities and local governments.

The National League of Cities (NLC) announced a major initiative last week in which they have entered into a strategic partnership with cybersecurity services provider NuHarbor Security (NuHarbor) to deliver a turnkey managed cybersecurity solution to NLC member cities, towns and villages. Tenable and Splunk will provide the technology to power the NuHarbor solution, building on their long history of successful product integrations. Tenable was the first vulnerability management partner to integrate with Splunk’s new unified security operations platform, Mission Control, and together the two cybersecurity market leaders continue to deliver an integrated solution to public sector customers at all levels of government.

Recognizing the “perfect storm” created by COVID-19 disruptions to its members’ budgets and operations, and the simultaneous rise in cyber hackers targeting local governments, NLC brought together a comprehensive offering that gives its member jurisdictions a flexible, scalable and customizable security resource. The solution can be adapted rapidly and efficiently to meet the unique needs of any NLC member city, town or village. In coordination with NuHarbor and its partners Splunk and Tenable, NLC can now offer its members a security option that maximizes the cost-effectiveness and operational efficiency of cutting-edge software solutions and, as a complement to existing information security programs, will enhance resource utilization while upholding the highest cybersecurity standards. 

The shared goal of the partnership is to strengthen member organizations’ ability to defend themselves from the growing threat of ransomware and other cybersecurity attacks, in spite of overwhelming budget and operational challenges posed by the current environment. With a forecast for continued challenges and steadily increasing cyberattacks, the partnership will continue to evolve to deliver the needed capabilities. 

Bolstering the front lines of municipal cybersecurity

Hamstrung by a lack of resources and budget, many local governments are turning to managed security service providers (MSSPs) to help establish and deploy city-wide cybersecurity programs. This provides all the benefits of a dedicated, in-house cybersecurity team — technical expertise, deep product knowledge and top-notch support — without the significant cost. 

Backed by NuHarbor’s expert managed services, this offering brings the power of Tenable and Splunk to NLC members across the country. 

Tenable’s Predictive Prioritization capabilities, for example, enable participating organizations to achieve a higher level of security and protection against ransomware and other threats despite the increase in attacks and limited resources. Building on threat intelligence and Tenable Research algorithms, Tenable directs remediation efforts to that small percentage of vulnerabilities that actually pose risk of attack, thus enabling users to truly “do more with less.”

Tenable will be participating in a number of events to help raise awareness about this important development in municipal cybersecurity. To learn more about upcoming events as well as the security offering, please visit our NLC webpage.

Busting 5 Common Myths About Vulnerability Assessment

Don't let misconceptions stand in your way – get the facts on five common myths about vulnerability assessment.

The simple truth of vulnerability assessment is that it's not always an easy task to accomplish, especially if you're new to it. Complications arise, and if you sometimes find yourself confused by one part of the process or another as a result, that's nothing to be ashamed of. 

In fact, having an inaccurate understanding of some aspects of vulnerability assessment likely isn't your fault at all: Certain myths about this unique aspect of cybersecurity have spread wildly in recent years. It'll be of the utmost importance for you and other stakeholders in your organization with a focus on cybersecurity to look beyond the misconceptions and understand the facts behind effective security. Let’s start myth-busting!

Myth #1: "You don't need to bother with vulnerability assessment because you're not a valuable target."

Of all the myths we'll discuss here, it's probably easiest to understand how this one spread. Most of the hacks and data breaches that make the news or get talked about around the office are the biggest ones: Equifax, Target, British Airways and so on. This leads people to believe big-box retailers, credit card companies and multinational banks are the institutions of most interest to hackers. 

But that's simply not the whole truth. No potential target is "valueless" to malicious online actors just because of its size or low profile. Recent research has borne out that the odds of a small or medium-sized business (SMB) undergoing a cyberattack or data breach are more than 50-50:

  • About 66% of SMBs experienced at least one cyberattack in 2019.[1]
  • Just under 50% of SMBs were specifically hit with a ransomware attack.[2]
  • Video conferencing and VoIP solutions that became must-haves for remote-operating organizations (as necessitated by the COVID-19 pandemic) were common attack vectors during 2020. Zoom, Microsoft Teams and Cisco Webex, among others, all bore the brunt of such aggression.[3]

To be fair, the biggest corporations are always in the sights of individual black-hat hackers and cybercrime organizations. But those attacks require months of planning and prep. In the meantime, black hats can attack dozens of SMBs with ransomware and extort a series of smaller payments that add up to a hefty illicit profit. These hackers know SMB leaders are less likely to fight off attacks and more likely to hand over ransoms. (This is one of many reasons why Christopher C. Krebs, former director of the Cybersecurity and Infrastructure Security Agency, recently characterized ransomware as "the most visible, disruptive cyberthreat."[4])

Even eliminating those possibilities, your SMB might still be at risk of attack not because of your resources, but those of your business partners or other organizations in your software supply chain. (The recent events of the SolarWinds hack exemplify this sort of risk.)

Myth #2: "You don't need vulnerability assessment if you have patch management."

Patch management (PM) is a valuable part of any cybersecurity strategy – one of the ways in which many garden-variety vulnerabilities are dealt with. "Patch" is the common slang for software and firmware updates released by software manufacturers on a regular basis to address bugs and vulnerabilities as well as bring new features and general functionality improvements to various apps, platforms and operating systems. 

Unfortunately, there are some organizations that, simply due to lack of information, think they can implement patch management and have their cybersecurity needs covered. 

Don't worry – this is an easy mistake to fix. It's just important to know exactly how it may happen. The biggest reason why patch management isn't a cure-all is simple: It cannot cover all of your network's entry points. Even if the management process is partially or almost completely automated, there's still room for human error that could allow an app to remain unpatched. PM software vendors won't automatically handle the updates by default – the organization using the PM solution must configure it to automatically update as needed when setting it up in the first place.[5] Some security issues simply don't have patches, because they're related to configuration changes, which many patch tools either can't handle or handle improperly. Moreover, there's plenty of downtime in between automatic patches during which attackers could discover (or actively create) and exploit a new vulnerability.

Ultimately, it's best to use vulnerability assessment as a prelude to a patching strategy, so you have a better idea of what you're looking to prevent or mitigate through patches and not applying them indiscriminately. A disorganized, "patching-just-to-patch" plan can be a waste of time, effort and money.

Myth #3: "Running a vulnerability assessment will invalidate EULAs."

Running a vulnerability assessment scan does not invalidate warranties or end-user license agreements (EULAs) related to the applications, hosts, operating systems or operational technology being scanned on your network. However, this myth is heard with somewhat alarming frequency, particularly in relation to scans that cover operational technology (OT) systems, or sensitive environments such as medical and financial services.

You can run a successful vulnerability scan on your OT without compromising your EULA. But the scan must be capable of accommodating both the IT and OT assets within the context of an OT environment. Additionally, because OT systems don’t typically have frequent maintenance schedules, it will be critical to develop a prioritized list of vulnerabilities so that the most pressing threats are dealt with first when OT does come up for maintenance. 

Myth #4: "You don't need to scan isolated or unconnected systems."

Certain parts of your network won't be connected to the internet (public or otherwise) at all times. Others may be significantly isolated from the rest of the network, sharing little data with the vast majority of your IT infrastructure. It's understandable that you might think these areas can't be easily compromised and thus don't need to be included in vulnerability scans – especially if you have more immediate security needs.

But just as there's no organization that can't be targeted for a cyberattack, there's nowhere on the network immune to vulnerabilities that an attacker might exploit. When self-propagating malware enters any part of your system, it immediately begins searching for conduits through which it can spread to other systems. Say a malware strain entered an industrial control system (ICS) while it wasn't connected to the company's overall network. Once the system is compromised, it will spread its malware when any host or device interacts with it – even through an action as seemingly inconsequential as using a memory stick to take ICS data to a separate host.[6] Then the host is infected, and more will follow as soon as it gets connected to your network. Conversely, what if the ICS is effectively invulnerable but employees' laptops have an unpatched vulnerability? The second you connect an infected host to the ICS for a direct file transfer, the malware can spread to the OT environment and wreak havoc. This risk scenario would also apply to a host that was hit by malware while interacting with a cloud instance outside the enterprise network.[7]

The "air gap" concept is a subset of this myth: It posits that a portion of a network physically isolated from the corporate network at large is safe. Although this myth began to be debunked in the early and mid-2010s,[8] it hasn't disappeared completely. Your best bet is to keep reminding yourself that every area of your network is vulnerable, and regular scanning is the best way to monitor and remediate any flaws as fast as possible.

Myth #5: "You don't need to scan assets that are protected with EDR."

Endpoint detection and response (EDR) systems are another valuable part of a cybersecurity strategy, and should be used by any organization with security needs. Unfortunately, because of how these tools are marketed, it's tempting to think you've found the centerpiece of your cybersecurity strategy right there. 

But EDR can't be a set-it-and-forget-it tactic: While such a platform can detect suspicious files and apps within the endpoints to which it's connected, that doesn't help you root out vulnerabilities that exist as a result of unpatched apps and systems, or flaws that are baked into legacy hardware or software. Also, EDR offers no guarantee of detecting or interdicting every possible threat that can pass through endpoints (or enter the network in other ways). 

Regular vulnerability scans take some of the burden off of EDR, allowing you to discover vulnerabilities before they become attack vectors. 

While it may take you some time to fully implement the right security tools and shrug off the misconceptions from myths you've heard, there's no better way to get started with scanning than Nessus Professional from Tenable. 

1. Ponemon Institute, "2019 Global State of Cybersecurity in Small and Medium-Sized Businesses," October 2019
2. Infrascale, "Infrascale Survey Reveals Close to Half of SMBs Have Been Ransomware Attack Targets," April 21, 2020
3. Tenable Research, "2020 Threat Landscape Retrospective," Jan. 14, 2021
4. Tweet by fmr. CISA Director Krebs, November 16, 2020.
5. Dark Reading, "The Problem with Patching: 7 Top Complaints," April 21, 2016
6. Tenable, "Accidental Convergence – A Guide to Secured IT/OT Operations," 2020
7. Tripwire, "Malware in the Cloud: Protecting Yourself Based on Your Cloud Environment," Jan. 7, 2020
8. Security Week, "Air Gap or Not, Why ICS/SCADA Networks Are at Risk," Aug. 9, 2016

CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT Actors

Threat actors and ransomware groups are actively targeting three legacy Fortinet vulnerabilities.

Background

On April 2, the Federal Bureau of Investigation (FBI) along with the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory regarding activity involving advanced persistent threat (APT) actors.

In March 2021, the FBI and CISA observed APT actors scanning and enumerating publicly accessible Fortinet systems over ports 4443, 8443 and 10443. The agencies believe these APT actors are gathering a list of vulnerable systems in both the public and private sectors in preparation for future attacks. The advisory highlights three Fortinet vulnerabilities.
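The enumeration activity the advisory describes has a simple signature in perimeter logs: one source reaching the named ports on many distinct hosts within a short window, which is unlike a legitimate VPN user reconnecting to a single gateway. The detection below is an added example, not Tenable's or CISA's code; the log format (one line per connection attempt with src/dst/dport fields) and every sample line are constructed, while the watched ports 4443, 8443 and 10443 are the ones the advisory names.

```python
"""Flag sources fanning out across the Fortinet-associated ports named in the advisory.

Added example, not Tenable's or CISA's code. The log format (one line per
connection attempt with src/dst/dport fields) and all sample lines are constructed;
the ports 4443, 8443 and 10443 come from the advisory.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable

WATCHED_PORTS = {4443, 8443, 10443}
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line: str):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["dst"], int(m["dport"])


def find_scanners(lines: Iterable[str], window: timedelta = timedelta(minutes=10),
                  min_targets: int = 5) -> Dict[str, int]:
    """Return {source_ip: max distinct (dst, port) pairs seen inside any `window`}
    for sources that reach `min_targets` or more. A single user reconnecting to one
    VPN gateway never trips this, however often they do it; sweeping many hosts does.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] not in WATCHED_PORTS:
            continue
        ts, src, dst, port = parsed
        events[src].append((ts, dst, port))

    alerts: Dict[str, int] = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # slide the window start forward until it is within `window` of evs[hi]
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            targets = {(d, p) for _, d, p in evs[lo:hi + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = """\
2021-04-03T10:00:01Z src=198.51.100.7 dst=192.0.2.10 dport=4443 action=deny
2021-04-03T10:00:02Z src=198.51.100.7 dst=192.0.2.11 dport=8443 action=deny
2021-04-03T10:00:03Z src=198.51.100.7 dst=192.0.2.12 dport=10443 action=deny
2021-04-03T10:00:04Z src=198.51.100.7 dst=192.0.2.13 dport=4443 action=deny
2021-04-03T10:00:05Z src=198.51.100.7 dst=192.0.2.14 dport=8443 action=deny
2021-04-03T10:00:06Z src=198.51.100.7 dst=192.0.2.15 dport=10443 action=allow
2021-04-03T10:00:07Z src=203.0.113.55 dst=192.0.2.10 dport=10443 action=allow
2021-04-03T10:01:07Z src=203.0.113.55 dst=192.0.2.10 dport=10443 action=allow
2021-04-03T10:02:07Z src=203.0.113.55 dst=192.0.2.10 dport=10443 action=allow
2021-04-03T10:02:08Z src=203.0.113.55 dst=192.0.2.10 dport=443 action=allow
this line is deliberately unparseable and must be skipped
"""

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG.splitlines()))
```

Counting distinct destination/port pairs rather than raw connection attempts is what keeps the legitimate user at 203.0.113.55 below threshold while the sweep from 198.51.100.7 is reported with six targets; denied and allowed attempts are both counted because the advisory's concern is the inventory being built, not whether any one probe succeeded.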

CVE | Vulnerability Type | CVSSv3 | VPR*
CVE-2018-13379 | Path Traversal/Arbitrary File Read (FortiOS) | 9.8 | 9.8
CVE-2019-5591 | Default Configuration (FortiOS) | 7.5 | 7.3
CVE-2020-12812 | Improper Authentication (FortiOS) | 9.8 | 9.6

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on April 8 and reflects VPR at that time.

All three vulnerabilities reside within Fortinet’s FortiOS, the operating system that underpins Fortinet’s devices.

Analysis

CVE-2018-13379 is a path traversal vulnerability in Fortinet’s FortiGate SSL VPN. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request containing a path traversal sequence to a vulnerable FortiGate SSL VPN endpoint in order to read arbitrary files from the device. This vulnerability is a pre-authentication flaw, which means an attacker does not need to be authenticated to the vulnerable device in order to exploit it. Successful exploitation would allow the attacker to read the contents of the “sslvpn_websession” session file that contains both usernames and plaintext passwords.

This vulnerability, along with several other Fortinet flaws, was discovered by researchers Orange Tsai and Meh Chang of the DEVCORE research team as part of their research into breaking SSL VPNs. A blog post about their findings was published in early August 2019; later that month, the first attempts to exploit CVE-2018-13379 in the wild were detected.
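Path traversal sequences of the kind the analysis refers to are easy to hunt for in web access logs, provided the detection first undoes URL encoding, since the same "../" can arrive as "..%2F" or double-encoded as "%252e%252e%252f". The following is an added example, not Tenable's or Fortinet's code, and contains nothing specific to any product: it normalises each request target and flags the generic traversal pattern. The log lines are constructed in Apache combined format.

```python
"""Detect directory-traversal sequences in web access logs, including encoded forms.

Added example, not Tenable's or Fortinet's code, and it contains nothing specific
to any product: it flags the generic "../" pattern the advisory text refers to,
after undoing URL encoding (including double encoding). Log lines are constructed
in Apache combined format.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# ".." bounded by a separator: a slash (or a query delimiter before it, so that
# values such as ?file=../x are caught). Backslashes are normalised to "/" first.
TRAVERSAL_RE = re.compile(r"(?:^|[/=&?])\.\.(?:/|$)")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def normalise_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), then unify separators."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def has_traversal(target: str) -> bool:
    return TRAVERSAL_RE.search(normalise_target(target)) is not None


def flag_traversal(lines) -> List[Tuple[str, str, int]]:
    """Return (source, raw_target, status) for each request containing traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m["target"]):
            hits.append((m["src"], m["target"], int(m["status"])))
    return hits


# Constructed sample log (RFC 5737 documentation addresses, invented paths).
SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [03/Apr/2021:10:15:02 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 4321
198.51.100.23 - - [03/Apr/2021:10:15:03 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc%252fhosts HTTP/1.1" 200 120
203.0.113.9 - - [03/Apr/2021:10:16:00 +0000] "GET /static/css/app..min.css HTTP/1.1" 200 55
203.0.113.9 - - [03/Apr/2021:10:16:05 +0000] "GET /portal/login HTTP/1.1" 200 8000
"""

if __name__ == "__main__":
    for src, target, status in flag_traversal(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{src} {status} {target}")
```

The status code is kept in each hit on purpose: a traversal attempt answered with 4xx is reconnaissance noise, whereas one answered with 200 and a non-trivial body size is the event that should be escalated and correlated with the scanning activity discussed above.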

CVE-2019-5591 is a default configuration vulnerability in the FortiGate SSL VPN. Under the default configuration, when a Lightweight Directory Access Protocol (LDAP) server sends a connection request to the FortiGate device, the certificate is not verified. To exploit the vulnerability, an attacker could connect to a vulnerable FortiGate device by impersonating an LDAP server. Successful exploitation would allow the attacker to harvest sensitive information intended for a legitimate LDAP server.

CVE-2020-12812 is an improper authentication vulnerability in the FortiGate SSL VPN. This vulnerability exists due to settings used for two-factor authentication—specifically, when two-factor authentication has been enabled under the “user local” setting, but the authentication type is set to remote authentication, such as LDAP. If a VPN user changes the case of their username, a mismatch occurs, and the device won’t prompt for a second factor, allowing an attacker to bypass the two-factor authentication requirement.
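The bypass just described is an identity-normalisation mismatch: one component looks up the per-user second-factor setting by exact name, while the remote backend accepts the name case-insensitively. The model below is an added example, not Fortinet code, and reproduces only the shape of the flaw as the text states it, with the hardened lookup beside it. Users, passwords, OTP values and the backend are constructed in-memory stand-ins.

```python
"""Model of the username-case mismatch the advisory describes for CVE-2020-12812.

Added example, not Fortinet code: it reproduces only the *shape* of the flaw as
the text states it (a per-user second-factor requirement is looked up by exact
name while the remote backend accepts the name case-insensitively) and then the
hardened lookup. Users, passwords, OTP values and the backend are constructed
in-memory stand-ins.
"""
from dataclasses import dataclass


@dataclass
class LocalUser:
    name: str
    two_factor: bool   # constructed stand-in for the per-user "require second factor" flag


# Constructed data. The remote backend (LDAP-like) matches names case-insensitively.
REMOTE_CREDENTIALS = {"alice": "correct horse battery staple"}
LOCAL_USERS = {"alice": LocalUser("alice", two_factor=True)}
CURRENT_OTP = {"alice": "123456"}   # constructed; a real system verifies TOTP or push


def remote_backend_check(username: str, password: str) -> bool:
    return REMOTE_CREDENTIALS.get(username.lower()) == password


def login_vulnerable(username: str, password: str, otp: str) -> str:
    """Exact-case local lookup: 'Alice' passes the backend but finds no local
    record, so the second-factor branch is skipped entirely."""
    if not remote_backend_check(username, password):
        return "denied"
    local = LOCAL_USERS.get(username)            # case-sensitive lookup
    if local is not None and local.two_factor:
        return "ok" if otp == CURRENT_OTP.get(local.name) else "denied"
    return "ok"                                   # BUG: no local record, no second factor


def login_fixed(username: str, password: str, otp: str) -> str:
    """Canonicalise the name once, use it everywhere, and fail closed."""
    canonical = username.lower()
    local = LOCAL_USERS.get(canonical)
    if local is None:
        return "denied"   # policy unknown for this identity: deny rather than assume
    if not remote_backend_check(canonical, password):
        return "denied"
    if local.two_factor and otp != CURRENT_OTP.get(canonical):
        return "denied"
    return "ok"


if __name__ == "__main__":
    pw = REMOTE_CREDENTIALS["alice"]
    print("vulnerable, 'Alice', no OTP:", login_vulnerable("Alice", pw, ""))
    print("fixed,      'Alice', no OTP:", login_fixed("Alice", pw, ""))
```

Two design points carry the fix. The canonicalisation rule has to be the same one the backend applies (lower-casing here because the constructed backend is case-insensitive; a case-sensitive backend would need the opposite choice, or lower-casing would merge distinct identities), and an identity with no policy record is denied rather than treated as exempt, so that a lookup miss can never turn into a missing second factor.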

SSL VPN vulnerabilities are a goldmine for threat actors

In our 2020 Threat Landscape Retrospective (TLR), CVE-2018-13379 cracked the Top 5 vulnerabilities of 2020, despite being disclosed in 2019. It was one of three SSL VPN vulnerabilities from 2019 that were favored by attackers in 2020. CVE-2018-13379 was also featured in multiple CISA alerts from late 2020 regarding APT groups targeting the public sector (AA20-283A) as well as activity originating from a Russian APT group (AA20-296A). We can expect to see additional advisories from government agencies regarding such legacy vulnerabilities, as threat actors will continue to leverage publicly known and unpatched vulnerabilities.

Cring ransomware group targets vulnerable Fortinet SSL VPNs

In January 2021, Amigo-A, a freelance reporter and researcher, discovered a new ransomware known as Cring.

Soon after Amigo-A’s disclosure, Switzerland’s Swisscom Computer Security Incident Response Team (CSIRT) tweeted that they had observed Cring being deployed by “human operated ransomware actors.”

At the time, it was uncertain how Cring gained initial access into their victim environments. However, on April 7, researchers at Kaspersky’s ICS-CERT team published a report regarding an incident investigation involving Cring. Kaspersky’s report linked the primary cause to vulnerable firmware versions on the FortiGate VPN server, and identified CVE-2018-13379 as the initial attack vector that permitted access to the enterprise network, and ultimately led to the deployment of the Cring ransomware.

Image Source: Kaspersky ICS-CERT

Mass scanning activity observed following FBI/CISA alert

On April 3, one day after the FBI/CISA joint cybersecurity advisory was published, Troy Mursch, chief research officer at Bad Packets, tweeted that mass scanning activity for CVE-2018-13379 had been detected.

While this latest spike in activity is concerning, there has been significant mass scanning activity linked to the vulnerability since it was disclosed in 2019. As long as there are publicly accessible, unpatched Fortinet systems, we expect both sophisticated APT groups and cybercriminals in general to continue targeting them using these vulnerabilities.

Proof of concept

At the time this blog post was published, there were 10 proof-of-concept (PoC) exploit scripts available on GitHub for CVE-2018-13379.

Solution

Fortinet released patches for all three vulnerabilities over the last few years. The following table contains a list of affected versions and fixed versions by CVE.

CVE | Affected Versions | Fixed Versions
CVE-2018-13379 | 6.0.0 through 6.0.4 | 6.0.5 or 6.2.0 or greater
CVE-2018-13379 | 5.6.3 through 5.6.7 | 5.6.8 or greater
CVE-2018-13379 | 5.4.6 through 5.4.12 | 5.4.13 or greater
CVE-2019-5591 | 6.2.0 and below | 6.2.1 or greater
CVE-2020-12812 | 6.4.0 | 6.4.1 or greater
CVE-2020-12812 | 6.2.0 through 6.2.3 | 6.2.4 or greater
CVE-2020-12812 | 6.0.9 and below | 6.0.10 or greater

We strongly encourage all customers or Fortinet users to apply these patches as soon as possible to thwart exploitation attempts.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.


Microsoft’s April 2021 Patch Tuesday Addresses 108 CVEs (CVE-2021-28310)

Microsoft addresses 108 CVEs, including CVE-2021-28310 — which has reportedly been exploited in the wild — as well as four new remote code execution vulnerabilities in Microsoft Exchange.

  • 19 Critical
  • 88 Important
  • 1 Moderate
  • 0 Low

Microsoft patched 108 CVEs in the April 2021 Patch Tuesday release, including 19 CVEs rated as critical, 88 rated as important and 1 rated as moderate.

This month's Patch Tuesday release includes fixes for:

  • Azure AD Web Sign-in
  • Azure DevOps
  • Azure Sphere
  • Microsoft Edge (Chromium-based)
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Internet Messaging API
  • Microsoft NTFS
  • Microsoft Office Excel
  • Microsoft Office Outlook
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft Windows Codecs Library
  • Microsoft Windows Speech
  • Open Source Software
  • DNS Server
  • Hyper-V
  • Visual Studio
  • Visual Studio Code
  • Visual Studio Code - GitHub Pull Requests and Issues Extension
  • Visual Studio Code - Kubernetes Tools
  • Visual Studio Code - Maven for Java Extension
  • Windows Application Compatibility Cache
  • Windows AppX Deployment Extensions
  • Windows Console Driver
  • Windows Diagnostic Hub
  • Windows Early Launch Antimalware Driver
  • Windows ELAM
  • Windows Event Tracing
  • Windows Installer
  • Windows Kernel
  • Windows Media Player
  • Windows Network File System
  • Windows Overlay Filter
  • Windows Portmapping
  • Windows Registry
  • Windows Remote Procedure Call Runtime
  • Windows Resource Manager
  • Windows Secure Kernel Mode
  • Windows Services and Controller App
  • Windows SMB Server
  • Windows TCP/IP
  • Windows Win32K
  • Windows WLAN Auto Config Service.

Remote code execution (RCE) vulnerabilities accounted for nearly 52% of the vulnerabilities patched this month, followed by Elevation of Privilege (EoP) at 17.6%.

Critical

CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483 | Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483 are four RCE vulnerabilities in Microsoft Exchange Server. Discovery of these four flaws is credited to the National Security Agency (NSA). Two of the four flaws, CVE-2021-28480 and CVE-2021-28481, are pre-authentication vulnerabilities, which means they can be exploited by remote, unauthenticated attackers without the need for any user interaction.

While no public proof-of-concept (PoC) or in-the-wild exploitation of these vulnerabilities has been reported, these patches follow the disclosure of four zero-day vulnerabilities in Exchange that were widely exploited following their release in an out-of-band (OOB) update in March, just a week prior to the March 2021 Patch Tuesday release. Microsoft Exchange is undoubtedly a popular target for attackers and security researchers alike, with several teams demonstrating successful exploit attempts against Exchange at the Zero Day Initiative’s annual Pwn2Own competition. Considering the widespread exploitation of the last batch of Exchange Server vulnerabilities and the severity of these newly disclosed flaws, administrators should place these at the top of their patching priority list.

Important

CVE-2021-28310 | Win32k Elevation of Privilege Vulnerability

CVE-2021-28310 is an EoP vulnerability in the Desktop Window Manager or dwm.exe. The vulnerability has been exploited in the wild as a zero-day according to researchers at Kaspersky, who shared details about the flaw in a blog post. Kaspersky says this EoP vulnerability has likely been exploited by “several threat actors” and chained together with other browser-based exploits in order to escape sandboxes.

It remains unclear whether this particular zero-day was used in conjunction with a separate browser-based zero-day or unpatched browser-based vulnerabilities. It wouldn’t surprise us to see threat actors leveraging this vulnerability with a browser-based zero-day, as a majority of zero-day vulnerabilities disclosed last year were in browsers, according to findings from our 2020 Threat Landscape Retrospective report.

Critical

CVE-2021-28329, CVE-2021-28330, CVE-2021-28331, CVE-2021-28332, CVE-2021-28333, CVE-2021-28334, CVE-2021-28335, CVE-2021-28336, CVE-2021-28337, CVE-2021-28338, CVE-2021-28339 and CVE-2021-28343 | Remote Procedure Call Runtime Remote Code Execution Vulnerability

CVE-2021-28329, CVE-2021-28330, CVE-2021-28331, CVE-2021-28332, CVE-2021-28333, CVE-2021-28334, CVE-2021-28335, CVE-2021-28336, CVE-2021-28337, CVE-2021-28338, CVE-2021-28339 and CVE-2021-28343 are twelve RCE vulnerabilities in the remote procedure call (RPC) runtime in Microsoft Windows. These critically rated CVEs were reported to Microsoft by Yuki Chen, head of the 360 Vulnerability Research Group and 360 Vulcan Team. Chen is credited with reporting all 27 RPC vulnerabilities in Microsoft's April 2021 Patch Tuesday (table below) and also disclosed nine RPC vulnerabilities addressed in Microsoft's January 2021 Patch Tuesday. All 27 vulnerabilities were assigned a CVSSv3 score of 8.8 and were highlighted by Microsoft as "Exploitation Less Likely." Based on Microsoft's assigned CVSSv3 scores, exploitation of these vulnerabilities requires network access and a low-privileged account. Note that Microsoft's Critical/Important severity rating is separate from the CVSS score: the 27 RPC flaws share a score of 8.8, yet twelve are rated Critical and fifteen Important.

CVE              Severity
CVE-2021-28329   Critical
CVE-2021-28330   Critical
CVE-2021-28331   Critical
CVE-2021-28332   Critical
CVE-2021-28333   Critical
CVE-2021-28334   Critical
CVE-2021-28335   Critical
CVE-2021-28336   Critical
CVE-2021-28337   Critical
CVE-2021-28338   Critical
CVE-2021-28339   Critical
CVE-2021-28343   Critical
CVE-2021-28327   Important
CVE-2021-28340   Important
CVE-2021-28341   Important
CVE-2021-28342   Important
CVE-2021-28344   Important
CVE-2021-28345   Important
CVE-2021-28346   Important
CVE-2021-28352   Important
CVE-2021-28353   Important
CVE-2021-28354   Important
CVE-2021-28355   Important
CVE-2021-28356   Important
CVE-2021-28357   Important
CVE-2021-28358   Important
CVE-2021-28434   Important

Tenable solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the Plugins tab, set an advanced filter for "Plugin Name contains April 2021".

With that filter set, click each plugin family on the left and enable each plugin that appears on the right side. Note: if a family on the left already says Enabled, every plugin in that family is selected, not just the filtered ones. Disable the whole family first, then select the individual plugins for this scan. Here's an example from March 2019 using Tenable.io:

A list of all the plugins released for Tenable’s April 2021 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
