Figure 1: The Dark Web. The dark side of the internet is explored in a documentary produced...
2021 Might Haunt You into the New Year Unless You Address These Vulnerabilities
How does a vulnerability that had allegedly been patched as of August 2019 translate into the data of hundreds of millions of Facebook users making a giant splash on the Internet two years later? Why does Log4J keep resurfacing and flooding the news like a bad cold that won’t go away?
*cough* We’re getting major pandemic vibes here.
Figure 1: CyberDan
2021 has taught us an essential lesson about cybersecurity: throwing new technology and fancy tools at problems is not a solution. Addressing your vulnerabilities is the secret to improved security for your business in 2022 and beyond.
This article distills the most prolific cyber incidents of 2021 down to the vulnerabilities they exploited, so strap in: this isn’t just another recap that doesn’t apply to you.
However, before digging into the subject, let us agree on the below:
Vulnerabilities or weaknesses exist across people, processes, and technology.
Exploited Vulnerability: People
They say your greatest assets can easily become your greatest weakness, and vice versa. This is something the malicious hackers of the DemonWare ransomware group clearly subscribed to when they wrote to Crane Hassold, director of threat intelligence at Abnormal Security, offering to pay him $1 million in bitcoin, or 40% of the $2.5 million ransom demand, if he agreed to launch their malware inside his employer’s network.
While this may seem like a brash approach with little to no chance of success, it is an avenue for easy money. Instead of investing months or even years of reconnaissance to infiltrate the network of a big company, it is comparatively easier for cybercriminals to go trolling for disgruntled employees, because those are a dime a dozen.
Even in the absence of rogue employees, insider threats remain a real risk for organisations across industries, because a careless employee poses just as significant a threat. Just ask the well-intentioned senior staff member at Australian National University who previewed a phishing email. Decades’ worth of private information, some 700 MB of data, was stolen that fateful day, and she did not even click on any links.
Accidental insiders, like malicious insiders, are endemic to organisations small and large. This vulnerability presented by people is hardly a new development, but it is an oft-neglected one.
Exploited Vulnerability: Process
In other outlandish news, it appears that fixing a server-side misconfiguration is all it would have taken to protect the $970 million Bezos invested. That was the amount Amazon’s founder paid to acquire Twitch, and Twitch’s source code was made publicly available following the breach that compromised 125GB of sensitive data.
While the specific “server configuration change that allowed improper access by an unauthorised third party” has not been made public, and does not look like it will be, a misconfiguration is, at its core, a set of incorrect or insecure security settings that can be remedied by an effective cybersecurity strategy. This saga would certainly give netizens another reason to rally behind the #TwitchDoBetter movement.
A continuous testing and monitoring process would presumably have come in handy in identifying web and application vulnerabilities and providing timely notifications about the controls that needed to be implemented. Alas, the leak of the internal source code essentially allows interested parties to search for vulnerabilities and compromise Twitch users long after the breach.
Processes bring much-needed consistency to a disorderly world, especially one where payments are made and yet money still goes missing. The type of cyberattack that is notoriously known to result in misdirected funds, business email compromise (BEC), works by convincing someone with financial authority to change the account information on an electronic funds transfer through the use of fake invoices.
$37 million was a hefty price to pay for not verifying the email address that provided Toyota Boshoku Corporation, a major supplier of Toyota auto parts, with the vendor’s bank account details. Scams like this have cost the global business community dearly, and they will continue to until more companies adopt sufficient processes to redress human error.
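The process control described above, a verification step that sits between a bank-detail change request and the payment run, can be made concrete. The following is an added example, not code from the article or from any of the companies it names: it checks the sender’s domain against the vendor’s domain on file, flags look-alike domains with an edit-distance test, notes a mismatched Reply-To, and in every case routes the change to an out-of-band callback using the number recorded at onboarding rather than one quoted in the email. The vendor record, domain names, account identifiers and phone number are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed vendor master data: what finance should hold on file from
# onboarding, so that verification never relies on details supplied in the email.
VENDOR_RECORDS = {
    "acme fasteners": {
        "domain": "acme-fasteners.example",
        "callback_number": "+1-555-0100",   # constructed placeholder
        "bank_account": "ACCT-0001",        # constructed placeholder
    },
}


@dataclass
class Assessment:
    decision: str                 # "no_change" or "hold_for_callback"
    risk: str                     # "low" or "high"
    reasons: list = field(default_factory=list)
    verify_via: str = ""          # number on file to call, never one from the email


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (one letter off)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def assess_bank_change(vendor_name: str, sender: str, requested_account: str,
                       reply_to: str = "") -> Assessment:
    """Decide how a 'please update our bank details' email should be handled."""
    record = VENDOR_RECORDS.get(vendor_name.strip().lower())
    if record is None:
        return Assessment("hold_for_callback", "high", ["vendor not in master data"])
    if requested_account == record["bank_account"]:
        return Assessment("no_change", "low", ["account matches record"])

    reasons = []
    sender_domain = _domain(sender)
    if sender_domain != record["domain"]:
        if edit_distance(sender_domain, record["domain"]) <= 2:
            reasons.append(f"look-alike domain: {sender_domain} vs {record['domain']}")
        else:
            reasons.append(f"sender domain {sender_domain} not on file")
    if reply_to and _domain(reply_to) != sender_domain:
        reasons.append(f"reply-to domain differs: {_domain(reply_to)}")

    # Even a clean-looking request goes on hold: a bank-detail change is only
    # approved after a call to the number on file confirms it.
    risk = "high" if reasons else "low"
    return Assessment("hold_for_callback", risk,
                      reasons or ["bank-detail change requires callback"],
                      record["callback_number"])


if __name__ == "__main__":
    # Constructed sample requests: one genuine, one from a look-alike domain.
    print(assess_bank_change("ACME Fasteners", "ap@acme-fasteners.example", "ACCT-9999"))
    print(assess_bank_change("ACME Fasteners", "ap@acme-fastener.example", "ACCT-9999",
                             reply_to="ap@freemail.example"))
```

The design point is that the email is never the source of truth: the domain, the account and the callback number all come from the vendor record, and the only outcome for a changed account is a hold until someone has spoken to the vendor.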
Exploited Vulnerability: Technology
Speaking of vulnerabilities that keep on debilitating, four vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) found in Microsoft’s Exchange Server software were exploited in the hack into 30,000 US commercial and governmental emails. These vulnerabilities, collectively known as ProxyLogon, allowed malicious hackers to remotely target systems running unpatched Exchange servers by sending specially crafted HTTP requests and authenticating as the Exchange server. Post-authentication, they were able to move laterally through the network, extract valuable information, and deploy further malware that might let them back into those servers at a later time.
It has been speculated that this set of vulnerabilities could have paved the way for the ransomware attack that saw the highest known ransom demand of $50 (or possibly $100) million. If true, this has been a critical and expensive (if Acer actually made the ransom payment) lesson in patch management for the hardware and electronics giant, Acer. That said, the privacy status of the information in Acer’s stolen files, comprising bank balances, bank communications, and financial spreadsheets, remains unknown to date. It could still be dangling by a thread or already be making its rounds on the internet.
The unfortunate fact of the matter is that those not working in IT-related sectors tend to gravitate toward stories of successful exploits, ones where sizeable ransoms and large conglomerates are involved, and neglect the underlying issue, the fine print beneath the headline so to speak.
Without going into too much technical detail, Baron Samedit (CVE-2021-3156) is a software flaw in Sudo that strikes at the very core of data confidentiality and integrity. Once exploited, it grants the user superuser privileges, so an executive with limited access and navigation rights to company data could perhaps tamper with records or pry into payroll, among other confidential matters. Further, with elevated access rights, an attacker could easily navigate the security infrastructure while avoiding detection, because it would appear as if the instruction came from a trusted individual and no one would be the wiser. This portmanteau of a moniker is truly befitting, likening an attack as clandestine as privilege escalation to the characteristically chaotic God of the Dead, Baron Samedi.
Log4Shell (CVE-2021-44228, CVE-2021-44832, CVE-2021-45046 & CVE-2021-45105) takes it a step further with remote code execution and enables an unauthenticated attacker not only to make the logs do as they bid, but also to take control of a device if it is running certain versions of Apache Log4j 2. As a popular Java library, Log4j has extensive applications at the enterprise level and is widely used by vendors across the world. However, most do not realise they are running it. To further complicate matters, a simple search for Log4j will not suffice, because it is often packaged inside other pieces of software to make those pieces work.
Here’s a directory of vendor advisories and their vulnerable products, and a compilation of tools for detecting dangerous Log4j libraries, put together by the friendly folk at Bleeping Computer.
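The point that a filename search is not enough, because Log4j is usually packaged inside another jar, war or ear, is easiest to see with a scanner that opens archives recursively. The following is an added example, not one of the tools from the Bleeping Computer compilation and not the article’s own code: it walks a directory, opens every archive in memory, descends into archives nested inside archives, and identifies log4j-core by the two paths that really exist inside that jar (the `JndiLookup` class and the Maven `pom.properties` that records the version). The fix cut-off of 2.17.1 is an assumption chosen for the example; the 2.12.x and 2.3.x backport branches for older JVMs are not modelled. The sample tree it builds (a war embedding log4j-core 2.14.1, and a stand-alone 2.17.1) is constructed, with placeholder class bytes.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Real paths inside a log4j-core jar: the class behind JNDI lookups and the
# Maven metadata that records the library version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumed cut-off for this example: 2.17.1 closed the last of the four CVEs
# named in the article. Backport branches (2.12.x, 2.3.x) are not handled here.
FIXED_VERSION = (2, 17, 1)


def parse_version(pom_properties: str):
    """Return the version from pom.properties as a tuple of ints, or None."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            fields = []
            for part in line.split("=", 1)[1].strip().split("."):
                digits = "".join(ch for ch in part if ch.isdigit())
                fields.append(int(digits) if digits else 0)
            return tuple(fields)
    return None


def scan_archive_bytes(data: bytes, label: str) -> list:
    """Inspect one archive held in memory, recursing into archives nested inside it."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to inspect
    with archive:
        names = set(archive.namelist())
        version = None
        if POM_PROPS in names:
            version = parse_version(archive.read(POM_PROPS).decode("utf-8", "replace"))
        if JNDI_CLASS in names or version is not None:
            findings.append({"path": label, "version": version,
                             "jndi_lookup": JNDI_CLASS in names})
        # This is the case a filename search misses: the library is embedded
        # inside another archive, so descend into every nested jar/war/ear.
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive_bytes(archive.read(name), f"{label}!/{name}"))
    return findings


def scan_directory(root) -> list:
    """Walk a directory tree and scan every archive found in it."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            label = str(path.relative_to(root)).replace(os.sep, "/")
            findings.extend(scan_archive_bytes(path.read_bytes(), label))
    return findings


def needs_patching(finding: dict) -> bool:
    """Flag versions below the cut-off, or an unversioned jar that still ships JndiLookup."""
    if finding["version"] is None:
        return finding["jndi_lookup"]
    return finding["version"] < FIXED_VERSION


def _jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_sample_tree(root) -> None:
    """Constructed sample, not real software: a war embedding log4j-core 2.14.1
    and a stand-alone log4j-core 2.17.1. Class bytes are a placeholder."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    old_core = _jar({JNDI_CLASS: b"\xca\xfe\xba\xbe", POM_PROPS: "version=2.14.1\n"})
    new_core = _jar({JNDI_CLASS: b"\xca\xfe\xba\xbe", POM_PROPS: "version=2.17.1\n"})
    (root / "app.war").write_bytes(_jar({"WEB-INF/web.xml": "<web-app/>",
                                         "WEB-INF/lib/log4j-core-2.14.1.jar": old_core}))
    (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(new_core)


def demo() -> dict:
    """Build the constructed sample in a temp dir, scan it and summarise."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_directory(tmp)
    flagged = sorted(f["path"] for f in findings if needs_patching(f))
    return {"found": len(findings), "flagged": flagged}


if __name__ == "__main__":
    print(demo())
```

Run against a real tree by calling `scan_directory("/path/to/deployments")`; the `!/` in a reported path marks each level of nesting, which is exactly the information a filename search would never surface.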
In order to better arm your business for the future, you want to be proactive in your cybersecurity approach by protecting your business from known threats. In this article, we told the story of how cyberattackers have gotten in via weaknesses in people, process and technology, but ultimately, technology is only as effective as the people who handle it and the processes managing it.
On the technical front, Microsoft and the respective maintainers of Sudo and Log4j have each released several security updates to fix the above-mentioned vulnerabilities. Given the breadth of the attack surface for these vulnerabilities, our recommendation is to prioritise applying these patches, because after a vulnerability has been disclosed it’s a race against time: will you or a cyberattacker get there first? And even if the fix has been implemented, data security may already have been compromised if the bug was exploited beforehand.
Yet, if you know the vulnerability exists and choose to overlook it, it’s a conscious choice you’re making to use vulnerable software.
What choices are you making for your business in 2022?
Figure 2: Free Immunity Report