How Hackers Easily Gain Access to Companies

In this post we are going to show you a real example of how easy it is to gain access to a company. There are of course several other posts that explain how this vulnerability works and how to exploit it, but our goal is to show you that this vulnerability is still being exploited and how easy that is.

Some ways hackers can exploit to gain access to companies

  • Exploiting vulnerabilities and zero-days.
  • Exploiting poor employee awareness (social engineering).
  • Physical breach.
  • Password guessing.

The attack path we explain here is the exploitation of a vulnerability, specifically a FortiGate path traversal vulnerability.

The Fortigate CVE-2018-13379 Vulnerability

The FortiGate vulnerability (CVE-2018-13379) was discovered in 2018. Since the exploit technique was released, companies world-wide have been breached. It is exploited with a single HTTP request that responds with all of the VPN user sessions, including the credentials used to access the VPN.

Cybia Labs conducted research on this vulnerability to check whether it was still found in the wild. By using masscan together with a custom tool we developed, we found a large number of vulnerable hosts world-wide. We then ran a reverse-IP query on all of the IPs and discovered that the vulnerable companies were from the defense industry, finance, healthcare and more. The following is a Shodan query that you can use to detect FortiGate VPNs in the US: country:”US” xxxxxxxx-xxxxx, as shown in the image below:

To check whether a FortiGate is vulnerable you just have to append the following path to the FortiGate URL: /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession. You will then receive the web sessions of the FortiGate VPN, including all the credentials of the VPN users. The following is an example of how these credentials are shown:

It is now easy to gain full access to this network by simply connecting with the VPN credentials. After connecting to the network, the attacker can extend the attack by performing lateral movement, finding vulnerable internal hosts and using other attack techniques.
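The request described above leaves a recognisable trace in any HTTP log kept in front of the portal (reverse proxy, WAF or IDS). The following detection is added here as an example and is not part of the original post: it normalises the lang parameter (percent-decoding it and collapsing the repeated slashes) and flags requests that escape the language directory, run over constructed sample log lines.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2019:10:01:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 5123
203.0.113.7 - - [10/Sep/2019:10:01:09 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 48211
203.0.113.9 - - [10/Sep/2019:10:02:31 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 48211
198.51.100.2 - - [10/Sep/2019:10:03:00 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 7310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def normalise_lang(value):
    """Decode percent-encoding twice (to catch double encoding) and collapse repeated slashes."""
    decoded = unquote(unquote(value))
    return re.sub(r"/+", "/", decoded)


def is_traversal_probe(url):
    """True if the request hits /remote/fgt_lang with a lang value that leaves the language directory."""
    parts = urlsplit(url)
    if parts.path != "/remote/fgt_lang":
        return False
    for value in parse_qs(parts.query).get("lang", []):
        norm = normalise_lang(value)
        if ".." in norm or "sslvpn_websession" in norm:
            return True
    return False


def find_probes(log_text):
    """Return (client ip, timestamp, status) for every line matching the CVE-2018-13379 pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_probe(m.group("url")):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, ts, status in find_probes(SAMPLE_LOG):
        print(f"{ts} traversal probe from {ip} (status {status})")
```

A 200 response with a large body on a flagged request is the case to treat as a likely credential leak and rotate the affected VPN accounts.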

Final Thoughts 

Although this vulnerability was discovered in 2018 and several posts have already been released, it was important for us to write this post to show you that thousands of companies are still vulnerable and can easily be hacked. So if you use FortiGate in your organization, we strongly recommend checking its version.

Mitigation Steps

Check the current version of the FortiGate VPN and, if it is outdated, update it; below is an attached video that explains exactly how to do that. Good luck.

Bluekeep RDP CVE-2019-0708 Metasploit Exploit POC

BlueKeep is a security vulnerability discovered in the Remote Desktop Protocol. It was discovered by the UK National Cyber Center and reported on May 14, 2019, as a security vulnerability. The name BlueKeep was given by the security researcher Kevin Beaumont. The vulnerability is present in all unpatched NT-based versions of Windows from Windows 2000 to Windows 7 / Windows Server 2008. The Remote Desktop Protocol has to be enabled in the operating system for it to be vulnerable. According to Shodan, 71297 systems are still vulnerable in the US and over a million systems world-wide. We estimate that this will lead to a new outbreak of a WannaCry-style mass attack on the internet exploiting the vulnerability. A lot of organizations expose RDP to the internet, unlike SMB, which is exposed less often because it requires a share to be opened. So we can certainly expect a more serious attack in the near future. The WannaCry ransomware is estimated to have infected over 200,000 computers across 150 countries, with damages ranging from millions to billions. One attack example was the Tai

On the 6th of September, a Metasploit exploit was released to the public. The exploit is not yet 100% stable but does work at least on Windows 7. We believe that a higher-quality exploit will be developed in the near future that will be able to exploit systems from Windows 2000 to Windows 2008 R2.

Short Explanation of the Vulnerability

The RDP protocol uses “virtual channels”, configured pre-authentication, as a data path between the client and server for providing extensions. RDP 5.1 defines 32 “static” virtual channels, and “dynamic” virtual channels are carried inside one of these static channels. If a server binds the virtual channel “MS_T120” (a channel to which there is no legitimate reason for a client to connect) to a static channel other than 31, heap corruption occurs that allows arbitrary code execution at the system level.

So how does the exploitation of the vulnerability work?

  • Create an RDP connection that requests the “MS_T120” virtual channel (which there is no legitimate reason for a client to connect to).
  • Heap spray.
  • Invoke allocations.
  • Control EIP.
  • Trigger the use-after-free heap corruption and execute the ring 0 shellcode.

NOTE: the exploit is not 100% stable and may cause the remote host to crash with a blue screen.
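Because a legitimate client never asks for MS_T120, the channel request list a client sends during connection setup is a clean network-side detection point. The parser below is added here as an example and is not part of the original post or of the Metasploit module: it walks the client GCC user-data blocks, decodes the TS_UD_CS_NET channel list (MS-RDPBCGR 2.2.1.3.4, assumed from the spec: 4-byte type/length header, 4-byte count, then 8-byte name plus 4-byte options per channel) and reports whether, and at which index, MS_T120 was requested. The CS_CORE body in the constructed samples is a placeholder.

```python
import struct

CS_CORE = 0xC001            # TS_UD_CS_CORE block type (body is a placeholder in the samples below)
CS_NET = 0xC003             # TS_UD_CS_NET block type: the static virtual channel request list
CHANNEL_DEF_LEN = 12        # 8-byte null-padded channel name + 4-byte options
SUSPICIOUS_CHANNEL = b"MS_T120"


def build_block(btype, body):
    """Wrap a body in a TS_UD_HEADER (type, total length, little-endian)."""
    return struct.pack("<HH", btype, 4 + len(body)) + body


def build_cs_net(names):
    """Encode a TS_UD_CS_NET block for the given channel names (only used to construct samples)."""
    defs = b"".join(n.ljust(8, b"\x00") + struct.pack("<I", 0) for n in names)
    return build_block(CS_NET, struct.pack("<I", len(names)) + defs)


def parse_user_data_blocks(blob):
    """Yield (type, body) for each header-prefixed block; stop on a malformed length."""
    off = 0
    while off + 4 <= len(blob):
        btype, blen = struct.unpack_from("<HH", blob, off)
        if blen < 4 or off + blen > len(blob):
            break           # truncated or bogus length: never over-read the buffer
        yield btype, blob[off + 4:off + blen]
        off += blen


def requested_channels(blob):
    """Return the static virtual channel names the client asked for, in request order."""
    names = []
    for btype, body in parse_user_data_blocks(blob):
        if btype != CS_NET or len(body) < 4:
            continue
        count = struct.unpack_from("<I", body, 0)[0]
        usable = min(count, (len(body) - 4) // CHANNEL_DEF_LEN)   # trust the bytes, not the count
        for i in range(usable):
            start = 4 + i * CHANNEL_DEF_LEN
            names.append(body[start:start + 8].rstrip(b"\x00"))
    return names


def ms_t120_index(blob):
    """Index at which the client requested MS_T120 (compared case-insensitively), or -1 if it did not."""
    names = [n.upper() for n in requested_channels(blob)]
    return names.index(SUSPICIOUS_CHANNEL) if SUSPICIOUS_CHANNEL in names else -1


# Constructed samples: a normal client (clipboard + drive redirection) and one binding MS_T120.
BENIGN = build_block(CS_CORE, b"\x00" * 16) + build_cs_net([b"cliprdr", b"rdpdr"])
SUSPECT = build_block(CS_CORE, b"\x00" * 16) + build_cs_net([b"cliprdr", b"MS_T120", b"rdpdr"])
```

In a sensor this runs on the client's MCS Connect Initial payload after the BER/GCC wrapping has been stripped; any connection where ms_t120_index is not -1 deserves an alert regardless of whether the exploit later succeeds.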

How to mitigate the vulnerability

  • RDP should not be exposed to the internet. The protocol can be attacked not only with this exploit but also by guessing user credentials or through chained phishing attacks. As a general rule, do not use RDP externally; use a secure VPN connection instead if you have to connect to your organization.
  • Patch your Windows systems with the latest Windows security updates; see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708. If you are still using Windows XP or Windows 2003 (which is not recommended), you can patch them with the following update: http://www.catalog.update.microsoft.com/search.aspx?q=4500331
  • Enable Network Level Authentication (NLA) to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services with a valid account on the target system before being able to exploit the vulnerability.
  • If you don’t use RDP, we still recommend blocking port 3389 and RDP connections in your firewall/security system so that there is no way to connect to RDP to or from your organization’s network.
Note: It is illegal to use this exploit on any computer without the owner’s permission. This blog post is written for educational purposes only, to show how the vulnerability is exploited and how to mitigate against it.