How Hackers Easily Gain Access to Companies

In this post we are going to show you a real example of how easy it is to gain access to a company. Several other posts already explain how this vulnerability works and how to exploit it; our goal is to show that it is still being exploited in the wild and how little effort that takes.

Some ways hackers gain access to companies

  • Exploiting vulnerabilities and zero-days.
  • Exploiting poor employee awareness (social engineering).
  • Physical breach.
  • Password guessing.

The attack vector we explain here is the exploitation of a vulnerability; the one we are going to exploit is a FortiGate path traversal vulnerability.

The Fortigate CVE-2018-13379 Vulnerability

The FortiGate vulnerability (CVE-2018-13379) was discovered in 2018. Since the exploitation technique became public, companies worldwide have been breached. It is exploited with a single HTTP request whose response contains all of the VPN user sessions, including the credentials needed to access the VPN.

Cybia Labs conducted research on this vulnerability to check whether it could still be found in the wild. Using masscan together with a custom tool we developed, we found a large number of vulnerable hosts worldwide. We then ran a reverse-IP query on all of the IPs and discovered that the vulnerable companies came from the defense industry, finance, healthcare and more. The following is a Shodan query you can use to detect FortiGate VPNs in the US: country:”US” xxxxxxxx-xxxxx, as shown in the image below:

To check whether a FortiGate is vulnerable, you only have to append the following path to the FortiGate URL: /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession. You then receive the web sessions of the FortiGate VPN, including the credentials of all VPN users. The following is an example of how these credentials are shown:

It is now easy to gain full access to the network by simply connecting with the VPN credentials. Once connected, the attacker can extend the attack by performing lateral movement, finding vulnerable internal hosts and using other attack techniques.
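For defenders, the same request is easy to spot in web or proxy access logs. The following Python script is an added example (not part of the original post) that flags requests to /remote/fgt_lang whose lang value walks up the directory tree or names sslvpn_websession, undoing nested percent-encoding and slash runs so that obfuscated variants are caught; the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the original post);
# the first three are traversal attempts in increasingly obfuscated forms.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2020:09:12:01 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 5120
203.0.113.11 - - [10/Apr/2020:09:12:05 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2F%2F%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 5120
203.0.113.12 - - [10/Apr/2020:09:13:44 +0000] "GET /remote/fgt_lang?lang=/..%252f..%252f..%252fdev/cmdb/sslvpn_websession HTTP/1.1" 404 0
198.51.100.7 - - [10/Apr/2020:09:14:00 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 812
198.51.100.8 - - [10/Apr/2020:09:15:30 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 2231
"""

# Common log format: client IP, timestamp, request line, status, body size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def normalize(value: str) -> str:
    """Undo nested percent-encoding (bounded) and collapse slash runs."""
    prev = None
    for _ in range(3):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return re.sub(r'/{2,}', '/', value)

def is_traversal_attempt(url: str) -> bool:
    """True when /remote/fgt_lang is asked for a lang that climbs the tree or names the session file."""
    path, _, query = url.partition('?')
    if normalize(path).lower() != '/remote/fgt_lang':
        return False
    lang = dict(p.partition('=')[::2] for p in query.split('&')).get('lang', '')
    norm = normalize(lang).lower()
    return '..' in norm.split('/') or 'sslvpn_websession' in norm

def scan_log(text: str) -> list:
    """One record per suspicious request; a 200 with a body means the file was likely served."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_attempt(m['url']):
            continue
        size = 0 if m['size'] == '-' else int(m['size'])
        hits.append({'ip': m['ip'], 'status': int(m['status']), 'size': size,
                     'likely_success': m['status'] == '200' and size > 0})
    return hits
```

A hit with likely_success set means the credentials in that session file should be treated as compromised and rotated, not just the device patched.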

Final Thoughts 

Although this vulnerability was discovered in 2018 and several posts have already been published about it, it was important for us to write this post to show that thousands of companies are still vulnerable and can easily be hacked. So if you use FortiGate in your organization, we strongly recommend checking its version.

Mitigation Steps

Check the current version of the FortiGate VPN and, if it is outdated, update it; the video attached below explains exactly how to do that. Good luck.

The ultimate guide to a secure remote work environment in Corona times

Since the coronavirus outbreak started, cybercriminals have been celebrating without mercy. Cybersecurity is essential for companies today, and it is important not to forget the threats every company faces these days. This post serves as a guideline for companies to establish a secure remote work environment and to increase awareness of the threats that are relevant in this period. The following are the four essential points I want to focus on in this post:

  • Endpoint hardening 
  • VPN Security
  • Patches and enrollment 
  • Cybersecurity awareness

Endpoint hardening 

Make life hard for cybercriminals by hardening your endpoints; this is one of the essential steps to secure your environment. The idea is to minimize the actions regular users can perform and the Windows features cybercriminals can use to exploit your endpoints and gain further access into your network. The following points can be used to secure the endpoints in your organization:

  • Disable Windows features: disable, for regular domain users, the Windows features hackers use to exploit the system. Features that should be disabled are PowerShell, cmd and Notepad.
  • Restrict access to files with AppLocker. AppLocker is a Windows feature that allows you to restrict which file types can run in Windows. It provides great security to your environment and is included in the Windows Enterprise operating system.
  • BitLocker: since employees are taking their laptops home, you should consider securing them with BitLocker. BitLocker encrypts your files so that, in case of laptop theft, the thief cannot read the files or use the computer.
  • On Macintosh, you can use VeraCrypt to encrypt your important files. It’s free and can be downloaded here.
  • Do a drill of your cybersecurity solutions to make sure they work properly on the laptops. Many policies can cause problems when a laptop suddenly connects from a different location.

VPN Security

Since you are probably going to use a VPN to connect to your organization’s network remotely, it is important to know that this channel is secured. In the last two years, several vulnerabilities have been found in VPN solutions, and unfortunately many of them are not patched automatically, so manual patching is necessary. I have attached some guidelines in the references below on how you can patch your VPN. The following points present the essentials of VPN security:

  • Use two-factor authentication. Two-factor authentication will greatly improve the security of your VPN, since a cybercriminal would also need to acquire the authentication code or your session cookie. I don’t say it’s impossible, but it does add a new layer of security and is not hard to implement.
  • Check for new updates. As mentioned above, it’s important to check for updates for your VPN solution.
  • Limit the use of VPN if possible. If an employee can work without a VPN connection, this is the best option; you want to minimize the threats.
  • Implement a strong password policy. It is important to enforce a strong password policy of at least 8 characters, including digits, uppercase and lowercase letters, and symbols. I recommend this password generator, which is very useful.
  • Secure the users’ Wi-Fi connection. Each employee who works from home should secure their Wi-Fi connection. This can be done by using a strong password with the same requirements as above; make sure you don’t hand this password to anybody you don’t know and, if possible, create a separate guest Wi-Fi network at home.

Patches and enrollment 

It is important to check that everything works on both sides before rolling out the solutions. All laptops should be patched, including their operating system and programs. For companies using Zoom, several vulnerabilities were discovered lately and patches have been released. Make sure that all the programs your employees use are up to date.

Cybersecurity Awareness 

In this period, cybercriminals are taking full advantage of the situation. They will use different tricks and techniques to try to gain access to your employees’ computers and your network. The following are some scenarios that can be exploited:

  • A malicious actor could call your employees and ask them to hand over passwords or other information; social engineering techniques can be used, for example, to make them believe the caller is from the company’s staff or IT department. It is important to verify every such call before taking any action.
  • You can receive phishing emails from cybercriminals trying to trick you into handing over your passwords and other valuable information. Inspect your emails carefully and don’t open any suspicious email or link: no one will offer you $1M, and your password has not been compromised.
  • Since you are accessing the internet from home and not from the company’s network, several security features may be disabled. It is therefore important to be careful when you access sites on the internet: don’t access sites that are not work-related and be cautious of activity on the computer that you did not initiate.

References and more guidelines 

https://www.theregister.co.uk/2020/01/07/pulse_secure_attacks/

https://arstechnica.com/information-technology/2020/01/as-attacks-begin-citrix-ships-patch-for-vpn-vulnerability/

https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-best-practices-52/Security%20Profiles/Patch_Mgmt.htm

Cover Your Webcam

Have you ever felt like someone is listening to your conversations, watching you on your webcam? Would you believe that this is true?

In one of our red team engagements we had just managed to gain a foothold in the company’s network and obtain high privileges. The goal was now to gather the trophies that had been agreed on for the engagement.

One of the trophies was to show the executives that it was possible to spy on the employees’ computers by recording their microphones and viewing their webcams. Our team searched for computers around the network and finally found one with a working webcam. We recorded the microphone and were able to hear conversations held with clients, see the employee’s webcam and fully control his computer.

What should we learn from this? First of all, besides the lack of security that let us control the employee’s computer, the webcam was not covered. This let us spy on the employee.

Secure me.

One of the largest industrial companies in the world, with branches worldwide, was hit by a critical ransomware attack that shut down its production for weeks. In the aftermath of the incident, Cybia was hired to assess the organization’s cybersecurity level in several of its branches worldwide. This included assessing executive-level processes and policies, technical systems, awareness and more in all of the branches, and calculating the organization’s overall risk level.

The organization received a technical-level report presenting all of the findings in each of the branches, and an executive-level report presenting the main business risks. The company also received a tailored plan and strategy for improving its cybersecurity posture within its current budget. The screenshot below describes the organization’s current cybersecurity posture according to what we refer to as the security pillars of the organization.

Bluekeep RDP CVE-2019-0708 Metasploit Exploit POC

BlueKeep is a security vulnerability in the Remote Desktop Protocol. It was discovered by the UK National Cyber Center and reported on May 14, 2019. The name BlueKeep was given by the security researcher Kevin Beaumont. The vulnerability is present in all unpatched NT-based versions of Windows from Windows 2000 to Windows 7 / Windows Server 2008; Remote Desktop has to be enabled on the operating system for the host to be vulnerable. According to Shodan, 71,297 systems are still vulnerable in the US and over a million worldwide. We estimate that this will lead to a new outbreak of a WannaCry-type mass attack on the internet exploiting this vulnerability. Many organizations expose RDP to the internet, unlike SMB, which is less exposed because it requires a share to be opened, so we can certainly expect a more serious attack in the near future. The WannaCry ransomware is estimated to have infected over 200,000 computers across 150 countries, with damages ranging from millions to billions. One attack example was the Tai

On the 6th of September, a Metasploit exploit was released to the public. The exploit is not yet 100% stable but does work at least on Windows 7. We believe that a higher-quality exploit will be developed in the near future, able to exploit systems from Windows 2000 to Windows Server 2008 R2.

Short Explanation of the Vulnerability

The RDP protocol uses “virtual channels”, configured pre-authentication, as a data path between the client and server for providing extensions. RDP 5.1 defines 32 “static” virtual channels, and “dynamic” virtual channels are carried inside one of these static channels. If a server binds the virtual channel “MS_T120” (a channel there is no legitimate reason for a client to connect to) to a static channel other than 31, heap corruption occurs that allows arbitrary code execution at the system level.

So how does the exploitation of the vulnerability work? 

  • You create an RDP connection with the “MS_T120” virtual channel (which there is no legitimate reason for a client to connect to)
  • Heap Spray
  • Invoke Allocations
  • Control the EIP
  • Cause the UAF heap corruption and execute the ring 0 shellcode

NOTE: the exploit is not 100% stable and may crash the remote host with a blue screen.

How to mitigate the vulnerability 

  • RDP should not be exposed as a protocol listening on the internet. It can be exploited not only with this exploit but also by guessing user credentials or by chained phishing attacks. As a general rule, do not use RDP externally; if you have to connect to your organization remotely, we recommend a secure VPN connection instead.
  • Patch your Windows systems with the latest Windows security updates. You can do this from the following link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708. If you are still using Windows XP or Windows 2003, which is not recommended, you can patch them with the following update: http://www.catalog.update.microsoft.com/search.aspx?q=4500331
  • You can enable Network Level Authentication (NLA) to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services with a valid account on the target system before being able to exploit the vulnerability.
  • If you don’t use RDP, we still recommend blocking port 3389 and RDP connections in your firewall/security system, to be sure there is no way to connect over RDP to or from your organization’s network.
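To verify the NLA recommendation on your own RDP servers, the following added Python example (not part of the original post) sends the X.224 Connection Request that opens every RDP session while offering only legacy RDP security: a server that enforces NLA answers with RDP_NEG_FAILURE carrying HYBRID_REQUIRED_BY_SERVER, while one that does not answers with RDP_NEG_RSP. Byte layouts and constants follow MS-RDPBCGR; the probe assumes you are allowed to connect to the host you check.

```python
import socket
import struct

# Values from MS-RDPBCGR: negotiation message types, protocol flags, failure codes.
PROTOCOL_RDP = 0x00000000            # Standard RDP Security only, i.e. no CredSSP/NLA
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005

def build_connection_request(protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ offering only `protocols`."""
    neg_req = struct.pack('<BBHI', 0x01, 0x00, 8, protocols)
    x224_cr = bytes([0x0e, 0xe0, 0, 0, 0, 0, 0])   # LI=14, CR TPDU, dst/src ref 0, class 0
    body = x224_cr + neg_req
    return struct.pack('>BBH', 0x03, 0x00, 4 + len(body)) + body

def classify_response(resp: bytes) -> str:
    """Read the server's X.224 Connection Confirm and say whether NLA is enforced."""
    if len(resp) < 11 or resp[0] != 0x03 or resp[5] != 0xd0:
        return 'unexpected'                  # not a TPKT-wrapped X.224 CC at all
    if len(resp) < 19:
        return 'nla_not_enforced'            # CC without RDP_NEG_RSP: legacy RDP security
    msg_type, _flags, _length, value = struct.unpack('<BBHI', resp[11:19])
    if msg_type == TYPE_RDP_NEG_FAILURE:
        if value == HYBRID_REQUIRED_BY_SERVER:
            return 'nla_enforced'            # server refuses anything but CredSSP
        return 'negotiation_failed:%d' % value   # e.g. 1 = TLS required, still no NLA
    if msg_type == TYPE_RDP_NEG_RSP:
        return 'nla_not_enforced'            # server accepted the non-NLA protocol
    return 'unexpected'

def check_rdp_nla(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Probe one of your own RDP servers and report its NLA status."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        return classify_response(s.recv(1024))
```

Anything other than 'nla_enforced' means an unauthenticated client reaches the pre-authentication channel setup where this bug lives, so the host needs the patch and NLA, not just one of them.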
Note: It is illegal to use this exploit on any computer without the owner’s permission. This blog post is written for educational purposes only, to show how the vulnerability is exploited and how to mitigate it.