+44 (0)20 86848683

Perpetual IT

Category Archives: News

News

You’re invited! Join us for a live walkthrough of the “Follina” story…

by

On Thursday this week (16 June 2022 at 15:00 UK time), we’re holding a free webinar in which we’ll give you a live explanation and demonstration of the “Follina” vulnerability.

Although this bug is fairly easy to deal with (a simple registry change rolled out via Group Policy will largely immunise your network from attack), it nevertheless tells a fascinating story.

Follina, or CVE-2022-30190 if you prefer to keep things official, is an intriguing example of how cybercriminals figured out how to combine a “feature” that no one really wanted with a “feature” that no one really needed…

…to create a sneaky attack trick that no one expected.

In simple terms, FEATURE + FEATURE = BUG!?

What you will learn

If you’re hoping for PowerPoint slides and bullet points, followed by a product pitch, then this talk isn’t for you.

But if you like to watch technically-oriented demos that don’t require you to be a technical expert yourself, we think you’ll enjoy yourself.

We’ll show you:

  • How and why the bug works.
  • How to investigate security holes like this one safely.
  • How it could catch your users out.
  • How to protect yourself and your network.

We’ll also take a look at other “features” in Windows that could lead to similar problems, and what to do about those, too.

We’ll keep the jargon to a minimum, so you don’t need to be a sysadmin or a SecOps coder to attend…

…but if you are, you’ll still learn tons of tips and techniques for tracking down technological trouble.

As one of our readers said, after looking in the Windows registry to see how many Follina-like problems might still be lurking in the shadows:

Yuck, I just went into the registry to see what other ‘undocumented features’ are in HKEY_CLASSES_ROOT. What did I find? Job security.

The demo will take approximately 30 minutes, followed by 10 minutes of official Q&A time, after which we’ll be staying online informally for anyone who has further questions on this or any related topics.

Sign up now! (Email address required for registration.)

Date:  Thursday 2022-06-16

Time:  3pm UK time (10:00 EDT, 14:00 UTC, 15:00 BST, 16:00 CEST)

Length:  30 mins + 10 mins Q&A + informal session after that

News

S3 Ep86: The crooks were in our network for HOW long?! [Podcast + Transcript]

by

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.

With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.

READ THE TRANSCRIPT

(Text edited for clarity.)

DOUG.  How attackers get in, and a couple of zero-days.

Well, at least one 0-day.

All that more on the Naked Security podcast….

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I am Doug Aamoth, and he is Paul Ducklin.

DUCK.  Hello, Doug.

DOUG.  Well, let’s start with a little tech history.

I’d like to bring to your attention that this week, on 08 June 1978, Intel released the 8086, a 16-bit microprocessor that gave rise to the x86 architecture, which has been used in approximately one bajillion IBM PC-compatible computers over the years.

Ironically, the original IBM PC used the slower, less expensive, 8-bit Intel 8088 chip.

DUCK.  You’d think that the 8-bit chip would come out first, and then it would be upgraded to the 8086.

DOUG.  No, sir.

DUCK.  “Hey, let’s do the cheap version.”

I suppose it’s like when you’ve got your big-block V8 that isn’t selling very well.

But people like the styling, so you stick a little straight- six motor in there and sell it a bit more cheaply, don’t you?

Something like that… I think I’m maybe showing my automotive age there, Doug [LAUGHTER] – it’s so long since I had a car.

Do you still even get V8s any more, or are they considered infra dignitatem these days?

DOUG.  I just filled up my car – it was 72 dollars.

And I think that’s a V6, so I wouldn’t want to know what a V8 costs to fill up nowadays.

DUCK.  I thought you were going to say, “I just filled up my car and it was 72 kilowatt hours.”

DOUG.  I don’t know about you, Paul, but I have delighted many times, over the years, in the x86 architecture.

So thank you, Intel, for bringing that out.

But something we don’t delight in around here is adversaries! Cybercriminals!

And we have a big report out called the Active Adversary Playbook 2022.

It’s a look at how the bad guys get into your network.

We looked at 144 real-life cases that our Sophos Rapid Response team tackled during 2021.

We found out some interesting insights, Paul!

DUCK.  Yes, this was done by friend and colleague John Shier.

And what I like about it is that it doesn’t talk about what might have been: “Oh, there are these 17,000 techniques and the crooks could use any or all of them.”

There’s a place for reports like that, but this one doesn’t talk about what *might* have happened.

These are attacks that Sophos was called in to help with, because something had gone wrong.

Obbviously, and unfortunately, the true figures or the true stats in real life might be slightly worse.

What about the attacks where nobody noticed at all until it was too late, and we were never called in, so we never got to investigate?

DOUG.  Sure.

DUCK.  Obviously, once you’re called in, the attack ends and you go, “Yes, the crooks were in for 52 days.”

But if we hadn’t been called in, how much longer might they have been there, in attacks that nobody ever really found out about?

So I like this report because it’s entirely based on Sophos Rapid Response.

It gives you a fantastic idea not of what *might* have happened, but what *did* happen.

So, if you’re a risk management type, or you want to know, “What are the things that I should do first if I haven’t done already?”, then this is a great way to focus your mind on where to start.

That doesn’t mean that you can put off doing all the other things forever.

But if, like most cybersecurity responders, you’re struggling with budget and time, then this makes sure that you haven’t left out the things that you really should have done first… the ones that give you what you might call the biggest bang for the buck.

DOUG.  We’ve got some of the usual suspects here.

We’ve got unpatched vulnerabilities; we’ve got RDP; we’ve got stolen data.

They’re not super-shocking numbers, but it’s a good a reminder, especially the unpatched vulnerabilities.

Unpatched vulnerabilities were the entry point for close to half of the attacks that are getting in.

And so, when we say,”Patch early, patch often,” that’s a real thing!

DUCK.  It really is!

I think, in the old days, it would have been guessed passwords, or it would have been public RDP portals that the company had forgotten about.

Those are down, because fewer than 15% of attacks now start with RDP.

But we have a rather fateful reminder that you can’t think about network security as your primary defence anymore, because networks don’t really have a perimeter anymore.

What’s *up* is the use of RDP for the crooks to wander around once they’re inside – this happened in over 80% of attacks.

So RDP is still a problem – it’s just not the problem that it used to be.

So, a 50% chance the crooks will get in because you didn’t patch…

…but then, once they’re inside, they’re saying, “Well, you locked down all your RDP at the edge really well, but you’ve been quite sloppy inside, because you assume no one’s going to get in in the first place.”

In particular, when ransomware did not appear to be the primary goal of the crooks, the average length of time that they were in was more than a month.

So, if you’re making it easy for them to go wherever they want by having insecure RDP inside your network, then that is something you really need to address.

I think that stood out really clearly.

And, of course, Doug, you mentioned stolen data.

We noticed that the attackers were known to have stolen data in approximately 40% of all the incidents that we investigated.

And my gut feeling is that the true number is probably a little higher, or even a lot higher, given that 40% represents those incidents where we knew the crooks had stolen data because they left behind incontrovertible evidence…

…such as scheduled tasks that used cloud backup clients that the crooks themselves had installed to upload all your data to a service you did not normally use.

That’s a dead giveaway!

But the thing with stolen data is that it’s not like stolen property – like when you go into your study and there’s a hole where your laptop used to be.

“They’ve stolen it!”

But with data, although we call it data theft, it’s not always obvious because you still have a copy.

And, if you think about it, even if all the crooks are doing is figuring out your passwords for resale to other criminals later, then they’ve stolen data anyway.

So when we say “40% of attacks involved stolen data”, that pretty much means that they harvested it with industrial-quality equipment.

DOUG.  Okay, so those were non-ransomware attacks, with those long dwell times.

And, Paul, you make the argument that… well, it’s not that you want either, but a ransomware attack is pretty cut-and-dried and then it’s over with.

They get in; maybe they’re there for a little bit; but boom, ransomware!

You can either restore from backup and get your files back, or just deal with it.

Is that a more optimal situation than having someone effectively “living in your basement” for a month without you knowing it, and just rooting around your house when you’re not home?

DUCK.  I suspect that your choice of words “cut-and-dried” and “more optimal”… I know what you’re saying, there Doug: “Is it less worse?”

DOUG.  [LAUGHS] Yes.

DUCK.  Clearly a ransomware attack is like being punched in the face.

It could cause your business to derail then and there.

As we’ve talked about on the podcast, there is a small but nontrivial number of companies that don’t survive ransomware attacks – it is essentially the end of the world for them.

But yes, I think you can make a case to for that “living in the basement” story being worse.

And remember, they’re not living in the basement – they’re living in amongst the rooms of your house, but they’re invisible.

DOUG.  [LAUGHS] Like a ghost.

DUCK.  I think it’s a vital reminder, and John Shier makes it absolutely clear, and explains this very well in the paper.

There are, if you like, entire cliques? clans? – I don’t know what the right word is for the cybercrime community – that aren’t really into ransomware at all.

And one of those groups, they go by -it’s rather a mouthful, but the jargon term is that they’re called IABs.

That means Initial Access Broker.

Basically, people go in and learn all about you, and your staff, and your company, and your customers, and your suppliers, and anything they can find.

They harvest all that data, get your passwords, learn what your network looks like.

Basically, they create a detailed “video tour” of your entire business operation and then go and sell it.

And they don’t only sell it to one group.

The ransomware crooks, well, they want to get in, and they want to know what the network looks like.

That saves them time; it means they’re less likely to get caught.

They don’t have to map out your network if someone has already got a blow-by-blow diagram.

On the other hand, your customer data… that may go to a second party.

Your supplier details may go to a third party.

Your financial records and your bank account details… those may go to a fourth party, who knows?

So it’s easy to say, “Oh, ransomware! The majority of attacks are ransomware (it’s somewhere around two-thirds), so the minority one-third? Those are lesser crooks, the ones who, as you say, live in the basement.”

But I don’t think that’s a reasonable inference to make at all.

I think that you could argue, for many businesses, that the final result could be worse.

Just think about it: their goal is not to hold your business to ransom, it’s to know everything about you.

And, as we know, when data breaches happen, often that doesn’t just put your business at risk.

It could directly put your staff at risk, too.

For example, if the crooks now have Social Security Numbers, pension fund passwords, tax details, all of that stuff, they could then go after those people as individual victims if they want.

And if they’ve got data about your suppliers and your customers, then there could be a knock-on effect for other people.

They could even do things like… if you make software, they could steal your code-signing keys and sell them to a fifth party, who then use those keys to sign malware.

So the non-ransomware crooks may be aiding and abetting a whole range of other subsequent cybercrimes, not only ransomware.

[WRY TONE] And on that cheery note, Doug….

DOUG.  [LAUGHS] Let’s tell the good people where to go to download.

This report is available for free, and you can get it at: https://sophos.com/playbook2022

Or you can read the highlights on Naked Security:

Now, this next story. Paul, this is interesting!

We talked a little bit about the Microsoft “Follina” bug last week.

This is similar.

This is search URL handling in Windows.

And the question here is, “Is this a feature or a zero-day?”

DUCK.  I wrote this up on Naked Security in the aftermath of the so-called Follina vulnerability.

That’s where you can have a URL buried in a Word file, and when you open the Word file, it causes the Microsoft Diagnostic Toolkit to open.

And it tells that toolkit, “Hey, the diagnosis involves you running this PowerShell code for me.”

So, clearly, that’s what you might call an extreme risk, created by the fact that there’s this magic URL that you probably didn’t expect.

(Who knew that you’d ever need to have an automatically accessed link in a Word document that could help you run the Microsoft troubleshooting tool if you wanted it? Surely you could just go and run it yourself?)

And in the aftermath of that, because there are so many of these special proprietary URLs – what’s called in the jargon a URL scheme, the bit up to the first colon.

So, smtp: is for email, and ldap: is for directory services lookups.

When you go into the Windows Registry, actually, there’s a whole slew of these URLs that either start or end with ms, for Microsoft.

You can quickly see, “Oh my golly, they’ve got special URLs for Word files and Excel files and PowerPoint files. I wonder how many of these diagnostic toolkit-type problems are just sitting there waiting to be uncovered?”

And of course, the Follina story caused a whole lot of people to go looking.

And this person found something. I called it a zero-day (sort of), because I think they were stretching things to look good by calling it a zero-day.

But it is a reminder how easily features turn into bugs.

In this case, the special URL is search-ms: – that’s the URL scheme.

Instead of just doing a web search and bringing you to what is obviously a web page with search results in, this researcher discovered that if you use the dedicated search-ms: URL, then you can populate a file Explorer window with a list of files of your choice.

Somehow, this Explorer window is magically opened up and just happens to offer a load of files from somebody else’s server.

You ought to notice that, because it’s as bad an idea to open those files as it is to download random stuff from a random web page…

…but, to be fair to the researcher who figured this out, it is nevertheless believable.

It’s got the Windows Desktop impimatur, primarily because it doesn’t come up in your browser.

So it doesn’t look as though, “Hey, this is a web search.”

And the other thing is that you can customise what it says at the top of the window, so you could display reassuring text that isn’t in a web page.

DOUG.  If I could see one of these files, and I don’t have View File Extensions turned on by default…

…could I be made to think that I’m clicking on some sort of document when it’s actually an executable?

DUCK.  I think that’s an excellent point!

It’s something that has been a real bugbear of mine for, I think, at least two decades!

And that is this almost pathological desire of Microsoft not to tell you the true names of files.

And it’s not just Microsoft: there are Linux applications that do it; there are Mac applications that do it…. “It’s called mydocument, but you don’t need to know what the extension is. The system will sort that out for you.”

And of course, what that means is that if an attacker deliberately puts two dots in the file name and gives a name ending .txt.exe, for example, then if you have extensions turned off, the file will come up as though it really is showing you the extension.

And you’ll think, “Hey, it’s telling me the full story, so it must actually be a .txt file.”

You forget the fact that the real extension is a second extension, at the end, that you can’t see.

So by default, I think you could much more easily be tricked than just landing on a website.

But I still don’t think this is a zero-day, and even calling it a vulnerability might be a bit of a stretch.

Nevertheless, it *is* one of potentially many, weird Microsoft URLs that you might want to consider deleting from the registry yourself, if you’re a home user, or across your network if you’re a sysadmin. (You can use Group Policy.)

These search-ms: URLs seem likely to be much more trouble than they will ever be worth.

But it’s not for me to make that decision for you, so the article helps you understand why you might want to remove something that Microsoft obviously thought was a tremendously good idea at the time…

..and probably has been really useful to several people [LAUGHTER], maybe as many as three or even six people in the past.

DOUG.  There’s some advice there, most of which we touched on already, so you can go over and read that in the article: Yet another zero-day (sort of) in Windows Search URL handling, on Sophos Naked Security.

Now, let’s talk about a real zero-day, this time in Atlassian’s Confluence Server.

DUCK.  Yes, Atlassian is a very well known company, perhaps best known for JIRA, which lots of companies use… what would you call it, a ticketing system?

Confluence, I suppose, is their discussion forum; their commercial-Wiki-kind-of-thing.

It’s written in Java… I think you know where this is going, if you remember Log4Shell!

I don’t know the details of the bug, because, obviously, Atlassian didn’t want to blurt it out before they had the fix ready.

But it does seem that there was text you could add to a URL so that, when you accessed the Confluence server… it was ${ [dollar/squiggly bracket], just like Log4Shell.

There were obviously some characters, if you put them in the URL, that when they were consumed or used by the server (I’m guessing!) they weren’t treated literally.

They were treating ${...} as, “Inside here is a kind of command that lets attackers do things that really you wouldn’t let them do if you knew they was coming in from outside and weren’t trusted users.”

It looks like that’s what the problem was: that people could make legitimate-looking requests, and then the server would go and do something bad.

And for better or for worse, this bug was found by a threat response company – out of the US, I think – called Volexity.

They were doing a threat-hunting gig, like the ones that John Shier looked into to get the stats in his report (which are all anonymised by the way – nobody’s named and shamed).

Unfortunately, Volexity wrote it up and they said, “Hey, we’re not going to tell you exactly how this works, but wow! We were looking into an attack that was unfolding, and this company kept getting webshells dropped into Java Server Pages. And when we looked, guess what we found? There was an 0-day in Atlassian’s product! Oh, and by the way, we told them.”

So Atlassian responded in what I think was a calm and effective way.

They didn’t keep publishing PR platitudes.

They said very little – they just said, “Yes, there’s a bug. No, we’re not going to give exact details. Here’s the CVE number. Here are some mitigations that you can use over the next two days. By the end of the day of 03 June 2022 Pacific Daylight Time, we’ll have a fix out.”

They said what they were going to do, in plain and simple English, and they went away and did it.

And they did indeed get the fix out on 03 June 2022.

So: Patch early, patch often!

And Atlassian said, “If you’re one of those companies that takes 17 weeks of committee meetings to decide to go through an official update but you actually want to get the fix out, here’s a way you can do it by hand.”

You have to delete two Java archive files (.jar files, product modules) and replace them with updated ones.

And there’s an extra little .class file (a compiled Java file) that you insert to complete the temporary fix.

So I thought that was a good response, given that it was a zero-day.

It was a difficult situation for Atlassian, because the company that found it and reported it to them couldn’t resist getting their own 15 minutes of fame by telling everyone about it before the fix was available.

So I think this is a good story, Doug.

It’s kind of an “All’s Well that Ends Well” situation.

Unless you’re still dithering about patching…

…so, don’t delay; definitely do it today!

DOUG.  All right. that’s Atlassian announces zero-day hole in Confluence Server – update now on nakedsecurity.sophos.com.

And as the sun begins to slowly set on our show for this week, it’s time to hear from one of our readers on the “Windows Search” URL-handling story.

Reader Bill writes:

“Yuck, I just went into the registry to see what other ‘undocumented features’ there are in HKEY_CLASSES_ROOT. What did I find? Job security!”

Which tickled me to no end when I read that.

DUCK.  I think that reflects the spirit of the researcher who said, “Oh, I think I found another zero-day.”

It just goes to show that when somebody finds a way, like with the Follina bug, to exploit what used to be considered a feature, you shouldn’t be surprised.

And it’s not a bad thing if that spurs a whole load of researchers to seek *their* 15 minutes of Fame by saying, “Hey, let me go and look at all this other stuff.”

I think what Bill was getting at there is that when it comes to magic registry settings that let URLs trigger behaviour that isn’t in any book anywhere, and isn’t in the Official Guide to all Types of URL You Ever See in the Whole World…

…when you get very long lists like that, of things that people thought were a feature at one time, well, that is a reminder.

Sometimes, in coding and in cybersecurity, Douglas, “Less is very much more.”

DOUG.  Absolutely!

And again, thank you for that comment, Bill.

DUCK.  Right on the head.

DOUG.  Nailed it!

DUCK.  Yes, it made me laugh as well.

But after laughing, I thought, “It’s not really a joke.”

DOUG.  Yes, he’s right!

And if you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com; you can comment on any one of our articles; or you can hit us up on social: @NakedSecurity.

That is our show for today – thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you, until next time, to…

BOTH. Stay secure!

[MUSICAL MODEM]

News

SSNDOB Market servers seized, identity theft “brokerage”” shut down

by

SSN is an abbreviation that’s specific to America, and DOB is shorthand that’s specific to the English language.

Nevertheless, their meanings are widely known throughout the world, not least because of their widespread use in reports and discussions about identity theft and cybercrime.

SSN is short for Social Security Number, which is effectively a US national ID number, and DOB translates into date of birth.

Ironically, of course, an SSN doesn’t actively identify you – it’s really just a label that can be used as a unique identifier for record-keeping purposes.

In other words, simply knowing someone’s SSN doesn’t prove you are that person.

Unfortunately, however, knowing someone’s SSN (or the equivalent personal identifier in your country) is a good starting point if you’re an identity thief, because it can often be combined with other personal information to get past identity checks.

The theory is that if there’s, say, a 1% chance that you’ve figured out someone’s SSN and a 5% chance of guessing their DOB, then there’s only a 1% × 5% chance (that’s 0.01 × 0.05 = 0.0005) of getting both of them right, and that multiplied-together chance of 0.05% chance represents odds of just 1 in 2000.

Roll in other personal details such as a passport number, a scan of a driving licence, precise home address, phone number and so on…

…and, in theory at least, you can keep trimming the probability down until it’s as good as certain that the only way someone could provide all the data you’re requesting is if they were, indeed, the true owner of the the SSN they presented to start with.

This theory, of course, is bunkum.

You can only multiply probabilities together as we did above if they are completely independent of each other, such as two consecutive coin tosses.

But the probabilities that someone can “guess” both your SSN and your DOB correctly are not independent.

For a start, you need to factor in the probability that if they’e found a way to discover your SSN, then they may have found a similar way to discover your DOB at the same time.

In some countries, the local equivalents of SSNs are far from random. In South Africa, for example, the country’s national ID numbers are constructed from data including your DOB (in the abbreviated form YYMMDD), gender, and citizenship status, together with a sequence number that depends on how many other people were born on the same day as you. In other words, if you already know someone’s ID number then you have about a 50-50 chance of figuring out their DOB correctly, given that there is no one still alive who was born in the 1800s. Of course, if also you know roughly how old they are, you can be pretty sure whether they were born in this millennium or the last, so you’ll know whether their real DOB starts 19xx or 20xx. In such cases, if you know someone’s ID, the probability of “guessing” their DOB is effectively 100%. Likewise, if you know their DOB, their gender and where they were born, you can almost certainly predict 8 digits of the 11 digits required to construct their 13-digit ID number yourself. (The 12th digit is almost always 8, and the 13th digit is a checksum computed from the others.)

SSNs rarely get breached on their own

As you can imagine, data breaches where crooks get hold of personal data that includes SSNs rarely come away with just those SSNs, given that few database files include a list of SSNs and no other data at all.

When crooks penetrate company networks, for instance, they often go after HR records because employers are usually required both by law and operational necessity to collect significant amounts of personal information about each employee.

Employers typically need to retain evidence that you are who you claim, and that you’re legally entitled to seek work in the country; they need to know how to pay you; they’re obliged to report your earnings to the tax office; they may need to keep your driving licence on file if you’re expected to drive for your job; and much more.

Furthermore, as we wrote about just yesterday, data in our Active Adversary Playbook 2022 suggests that an increasing number of network intrusions aren’t about disruptive ransomware attacks, they’re about taking the time to accumulate corporate data to sell on to other crooks.

In other words, darkweb data brokers typically don’t just acquire and sell one sort of data point for each victim.

Thus the name SSNDOB Market that you see in the headline – an online data bazaar that wanted visitors to know that it sold at least matched-up SSNs and DOBs, along with other personally identifiable information (PII).

According to the US Department of Justice (DOJ), SSNDOB claimed to have PII for up to 24,000,000 Americans (though we don’t know how much data there really was, or how accurate it was).

The DOJ says that the site’s operators made more than $19,000,000 over the past few years, handing this data on to willing buyers in return for pseudoanonymous payments, typically using Bitcoin.

Unfortunately, the DOJ hasn’t arrested the suspected operators of the SSNDOB Market, but, with the help of law enforcement partners in Latvia and Cyprus, it did get a court warrant allowing it to take over the server names used by the crooked data brokers.

Visitors to any of ssndob.ws, ssndob.vip, ssndob.club and blackjob.biz will no longer end up where they were probably expecting.

Instead, they’ll see this:

This may not be quite as conclusive a result as the DOJ and its European counterparts might have hoped, but every little helps.

As David Walker of the US FBI remarked in the DOJ’s press release:

These seizures demonstrate the FBI’s strong working relationship with our international partners in disrupting malicious cyber activity Dismantling illicit marketplaces that threaten the privacy and security of the American public is a priority of the FBI.

This is also a good reminder that getting cybersecurity right on your network doesn’t just protect your company, but also protects your employees, your business partners, your suppliers, your customers, and everyone else on the internet, too.

In other words, cybersecurity represents a very attractive sort of altruism: it’s something that you do of necessity, to protect yourself and your business, but that also helps the online world stay safer as a whole.

Don’t be part of the data leakage problem, be part of the solution!

Not enough time or staff? Learn more about Sophos Managed Threat Response:
Sophos MTR – Expert Led Response  ▶
24/7 threat hunting, detection, and response  ▶

News, Phishing

Know your enemy! Learn how cybercrime adversaries get in…

by

Over on our sister site, Sophos News, we’ve just published some fascinating and informative insights into cybercriminals…

…answering the truly practical question, “How do they do it?”

In theory, the crooks can (and do) use any and all of thousands of different attack techniques, in any combination they like.

In real life, however, good risk management says that it’s smart to focus on the the biggest problems first, even if they’re not the most glamorous or exciting cybersecurity topics to get stuck into.

So, in real life, what really works for the cybercrooks when they initiate an attack?

Just as importantly, what sort of things do they do once they’ve broken in?

How long do they tend to stick around in your network once they’ve created a beachhead?

How important is it to find and treat the underlying cause of an attack, instead of just dealing with the obvious symptoms?

The Active Adversary Playbook

Sophos expert John Shier dug into the incident reports of 144 real-life cyberattacks investigated by the Sophos Rapid Response team during 2021.

What he found might not surprise you, but it’s vital information nevertheless, because it’s what really happened, not merely what might have.

Notably:

  • Unpatched vulnerabilties were the entry point for close to 50% of the attackers.
  • Attackers stuck around for more than a month on average when ransomware wasn’t their primary goal.
  • Attackers were known to have stolen data in about 40% of incidents. (Not all data thefts can be proved, of course, given that there isn’t a gaping hole where your copy of the data used to be, so the true number could be much higher.)
  • RDP was abused to circumnavigate the network by more than 80% of attackers once they’d broken in.

Intriguingly, if perhaps unsurprisingly, the smaller the organisation, the longer the crooks had generally been in the network before anyone noticed and decided it was time to kick them out.

In businesses with 250 staff and below, the crooks stuck around (in the jargon, this is known by the quaintly archaic automotive metaphor of dwell time) for more than seven weeks on average.

This compared with an average dwell time of just under three weeks for organisations with more than 3000 employees.

As you can imagine, however, ransomware criminals typically stayed hidden for much shorter periods (just under two weeks, instead of just over a month), not least because ransomware attacks are inherently self-limiting.

After all, once ransomware crooks have scrambled all your data, they’re out of hiding and straight into their in-your-face blackmail phase.

Who makes ransomware attacks so devastating?

Importantly, there are entire cliques of cybercriminality that aren’t into the outright confrontation of the ransomware gangs.

These “non-ransomware” crooks include a significant group known in the trade as IABs, or initial access brokers.

IABs don’t derive their unlawful income from extorting your business after a violently visible attack, but from aiding and abetting other criminals to do so.

Indeed, these IAB criminals could do your business much more harm in the long run than ransomware attackers.

That’s because their typical goal is to learn as much about you (and your staff, and your business, and your suppliers and customers) as they can, over as long a period as they like.

Then they make their unlawful income by selling that data on to other cybercriminals.

In other words, if you’re wondering how ransomware crooks are often able to get in so quickly, to map out networks so thoroughly, to attack so decisively, and to make such dramatic blackmail demands…

…it may very well be because they bought their very own ready-to-use “Active Adversary Playbook” from earlier crooks who had roamed quietly but extensively through your network already.

RDP still considered harmful

One bit of good news is that RDP (Microsoft’s Remote Desktop Protocol) is much better protected at the average company’s network edge these days, with fewer than 15% of attackers using RDP as their initial entry point. (The year before, it was more than 30%.)

But the bad news is that many companies still aren’t embracing the concept of Zero Trust or Need-to-know.

Many internal networks still have what cynical sysadmins have for years been calling “a soft, gooey interior”, even if they have what looks like a hard outside shell.

That’s revealed by the statistic that in more than 80% of the attacks, RDP was abused to help the attackers jump from computer to computer once they’d cracked that outer shell, in what’s known by the prolix jargon term lateral movement.

In other words, even though many companies seem to have hardened their externally-accessible RDP portals (something we can only applaud), they still seem to be relying heavily on so-called perimeter defences as a primary cybersecurity tool.

But today’s networks, especially in a world with much more remote working and “telepresence” than three years ago, don’t really have a perimeter any more.

(As a real-world analogy, consider that many historic cities still have city walls, but they’re now little more than tourist attractions that have been absorbed into modern city centres.)

What to do?

On the grounds that knowing your cyberenemy makes it less likely that you will be taken by surprise…

…our simple advice is to Read the Report.

As John Shier points out in his conclusion:

Until [an] exposed entry point is closed, and everything that the attackers have done to establish and retain access is completely eradicated, just about anyone can walk in after them. And probably will.

Remember, if you need help then it’s not an admission of failure to ask for it.

After all, if you don’t probe your network to find the danger points, you can be sure that cybercriminals will!

Not enough time or staff? Learn more about Sophos Managed Threat Response:
Sophos MTR – Expert Led Response  ▶
24/7 threat hunting, detection, and response  ▶

News

Atlassian announces 0-day hole in Confluence Server – update soon!

by

Software development and colloboration toolkit behemoth Atlassian is warning of a dangerous zero-day in its collaboration software.

There’s no alert about the bug visible on the company’s main web page, which features the company’s best-known tools JIRA (an IT ticketing system) and Trello (a discussion board), but you’ll find Confluence Security Advisory 2022-06-02 on the Confluence sub-site.

The official bug number is CVE-2022-26134.

The existence of the bug was outed by US threat response company Volexity, which claims to have uncovered the vulnerability while investigating an in-the-wild incident that “included JSP webshells being written to disk”.

Webshells revisited

You’ll remember webshells, no doubt, because they were all over the news just over a year ago during the so-called Hafnium attacks, allegedly conducted by Chinese hackers against Microsoft Exchange servers in March 2021.

Webshells are a nasty way of opening up a backdoor into a network using an attack that sometimes requires attackers to do little more than write one tiny file into part of a web server where content is stored.

In the 1990s, hackers with write access to your website would probably have got their kicks out of adding flaming skulls to your home page, and of drawing immediate public attention to the fact that they’d broken in.

But by adding a web page that includes what’s called a server-side script, today’s attackers can give themselves a secret way into your network without drawing attention to themselves at all.

That’s because a lot of web servers don’t just contain static files that get sent out to remote users when they put in the right URL.

Instead, web servers often rely on files that, when requested by a user, are executed as a program by a scripting engine inside the web server, and used to generate the actual content that gets sent back.

If that sounds dangerous, it is, although it’s generally considered a feature, not a bug.

Indeed, server-side scripting is the background to technologies such as Microsoft’s ASP (active server pages – the name says it all!) and Java’s JSP (Jakarta Server Pages).

As Wikipedia puts it:

JSP […] is a collection of technologies that helps software developers create dynamically generated web pages based on HTML [and] other document types.

Webshells can be as simple as one line of code that does a three-step process like this:

 --> Extract text from the URL or the body of the incoming web request --> Run the extracted text itself as a script --> Send the output of the rogue script back as the reply

The webshell doesn’t even need to contain any specific malware code of its own that might stand out.

As long as the attacker can control (or even simply guess) the name of the webshell file they’ve implanted, then they can simply visit the server URL that corresponds to that file, any time they like…

…and upload new malware code for immediate execution every time.

Of course, this sort of “run anything you want any time” does tend to leave behind traces that an attacker can’t easily control and that a threat hunter can look out for, such as unexpected error messages, unusual network connections, or non-web-related processes showing up on a web server.

But those artefacts only show up as a side-effect of malicious activity that’s already happened, so the attackers have the upper hand until someone notices something.

What happened?

As you can imagine, Atlassian isn’t giving away any specific information about the bug at this point, given that it’s still working on a fix.

Fortunately, even though Volexity decided to blog about this security hole publicly rather than disclosing it privately to Atlassian and giving the company a few days to fix it quietly, both parties seem to have kept enough details under wraps that we aren’t aware of any “here’s how you do it, folks!” sample code floating around at the moment.

Atlassian is advising customers who can pre-filter incoming web data to look out for URLs containing ${, saying that blocking these “may reduce your risk”.

That makes this bug sound a bit like the infamous Log4Shell hole from the end of 2021, where text that was logged didn’t actually get logged literally if it contained special commands bracketed in ${....} characters.

If you’ve ever used the Bash shell, you’ll be familiar with this sort of “metacommand”. In Bash, the magic brackets are round, not squiggly, so that the text $(runthis) doesn’t get used exactly as it’s written, but instead gets replaced with the output generated by executing the runthis command, which is a very different and much more dangerous thing indeed.

We’re therefore guessing that this exploit is triggered by the way that Atlassian’s code processes the “query” part of URLs that don’t just have a servername and a filename, but are followed by some sort of query string, typically preceded by a question mark.

Interestingly, the characters { and } aren’t actually allowed to appear in URLs, and are supposed to be transmitted as special “escape codes” in hexadecimal instead, thus appearing as %7B and %7D respectively.

Whether this bug depends on rogue URL characters that were sent without being escaped, or whether you should be checking for ${ after the URL has been “unescaped” by your web server isn’t clear.

So, if you are going to add a temporary URL filter, we’d suggest looking out for the { character in both its raw and escaped forms, just in case.

What to do?

Atlassian has dubbed this bug Critical, and has said it will have a patch out at an “estimated time [of] EOD June 3 PDT”, which is a reassuring yet vague and tautological at the same time.

(The phrase EOD is unspecific in its own right, and doesn’t really need the word “estimated” to accompany it.)

Remember that EOD stands for end-of-day, and thus could be as late as one minute to midnight.

And 2022-06-03T23:59 UTC-7 (where PDT is short for Pacific Daylight Time, as used in June on the West coast of the US) is 2022-06-04T06:59 Zulu time, which is just shy of 8am on Saturday in the UK, and 9am in Western Europe.

In other words, be prepared to stay up late, or to get up early, because you will want to grab the patch as soon as you can.

That’s because we’re assuming that the patch is likely to reveal the nature of the attack and how to exploit it, and thus that proof-of-concept files and actual attacks will soon follow.

In the meantime:

  • Take your Confluence servers offline temporarily if that’s an option.
  • Block open access to your servers directly from the internet if you can.
  • Consider blocking URLs with ${ in them if you have a quick way to add a basic filter.

Not enough time or staff to keep on top of cybersecurity?
Unsure where to start when you spot suspicious activity?
Learn more about Sophos Managed Threat Response:
Sophos MTR – Expert Led Response  ▶
24/7 threat hunting, detection, and response  ▶

Latest Blog

View All
go top