The Good, the Bad and the Ugly in Cybersecurity – Week 34

The Good

This week updated guidance was released from CISA (Cybersecurity and Infrastructure Security Agency) on “Ransomware-Caused Data Breaches”. As the stakes continue to rise, along with the ransom amounts, CISA is hoping organizations “adopt a heightened state of awareness” and implement the variety of recommendations provided in the guidance.

In terms of prevention specifically, the guidance touches on backups, BCP (business continuity planning) and technical exposure mitigation (audit exposed RDP, conduct regular vulnerability scanning). The prevention section also covers cyber hygiene, patching, pentesting and the like.

For organizations that find themselves needing to respond to a ransomware-related breach, the final section in the guidance includes operational planning, triage practices, forensics, and both internal and external communication plans. In addition, the new document provides links to numerous related resources.

Ebook: Understanding Ransomware in the Enterprise
This guide will help you understand, plan for, respond to and protect against this now-prevalent threat. It offers examples, recommendations and advice to ensure you stay unaffected by the constantly evolving ransomware menace.

CISA’s updated guidance serves as a good “cheat sheet” or jumping-off point for sharpening your ransomware and breach response skills. We encourage all to review the guidance and apply these safe practices where required.

The Bad

It was not too long ago that stories were circulating about Ring security cameras, baby monitors, and similar “smart” devices being hacked and used to frighten, eavesdrop, or worse. A similarly impactful flaw to another Video Surveillance as a Platform service was recently discovered and disclosed by FireEye.

The vulnerability, CVE-2021-28372, affects devices associated with the Kalay IoT platform (ThroughTek). The flaw is specific to the SDK (software development kit) and therefore potentially affects a limitless number of devices. This bug allows attackers a very straightforward way to hijack the connection between devices and the Kalay cloud. Attackers can masquerade as a ThroughTek device by presenting a valid 20-byte UID (Unique Identifier). Armed with this knowledge (and the correct IDs), attackers can force their way into the communication stream and intercept credentials or force challenges on the devices to cause users to supply them.

A joint alert was posted by FireEye and CISA (Cybersecurity and Infrastructure Security Agency) on August 17th. The vendor, ThroughTek, has provided multiple solutions based on various versions of the SDK. Versions 3.1.10 and above are recommended to enable AuthKey and DTLS. For previous versions, the same steps are recommended but preceded by an upgrade to SDK 3.1.10 or above.

IoT devices are only going to become more prevalent, and it is vital that consumers – both businesses and personal – are mindful of the security (or lack thereof) with some of these devices. Always take the time to familiarize yourself with the vendor and any potential patches for anything you plan on connecting to your network.

The Ugly

This past week brought the latest chapter in the ongoing saga revealed through the joint efforts of researcher Orange Tsai (DEVCORE Research Team) and ZDI (Zero Day Initiative). We have previously covered ProxyLogon and ProxyOracle. The ProxyLogon flaw was heavily exploited as part of the widespread attacks on Exchange servers earlier this year. To add to these previous vulnerabilities, we now have details of the follow-up, ProxyShell. Technically speaking, ProxyShell consists of three separate flaws, tracked by CVE as follows:

CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-34523 – Microsoft Exchange Server Elevation of Privilege Vulnerability

Stringing these three flaws together in exposed environments will allow an attacker to establish persistence and quickly execute malicious PowerShell commands. Upon successful exploitation, an attacker could potentially take full control of exposed Microsoft Exchange servers.

Proof-of-concept code is currently available for ProxyShell along with thorough documentation. While Microsoft has released patches for all of these CVEs across the April and May monthly releases, the researcher notes that “Exchange Server is a treasure waiting for you to find bugs…I can assure you that Microsoft will fix more Exchange vulnerabilities in the future”.

These are high-severity flaws, and the waves carrying these flaws into our data centers are getting larger and more difficult to predict and control. Knowledge is a powerful tool, and we encourage all to stay up to date on this style of vulnerability specifically. Good hygiene and preparedness, along with a properly configured and modern endpoint security platform, will keep your environment safe from these attacks.