Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. CTRL Group’s security analysts continue to see zero-day vulnerabilities and breaches in March 2022.
LAPSUS$ Breached Microsoft, Authentication Firm Okta and more
LAPSUS$, a well-known threat actor group, has claimed responsibility for the breaches of Microsoft Corporation, the large authentication firm Okta, Nvidia and Samsung in the past month, with large amounts of data stolen and leaked. Notoriety seems to be the aim of this group, with financial incentives coming second. LAPSUS$ has an unusual approach to breaching companies compared to other threat actors: they do not install malware on breached environments, in most cases do not encrypt data with ransomware, and have rarely been seen to extort a victim. The group aims to compromise accounts through a combination of stolen credentials, social engineering and, unusually, publicly offering large sums of money to purchase credentials for certain privileged accounts and/or company VPN or Citrix access.
Through access to privileged accounts, LAPSUS$ has been able to move laterally through a company's network and gain access to large quantities of sensitive data, which they then leaked publicly after exfiltration to their Telegram channel, which hosts 46,000 users. Although data theft is their main objective, there have been cases where they have been destructive to a company's network and cloud environment, wiping systems and destroying thousands of VMs.
Unfortunately, there are no known IoCs or TTPs unique to the LAPSUS$ group, as no malware is used. To help mitigate attacks from this and similar threat actors, CTRL Group recommends the following:
- Ensure MFA is enabled throughout your network for users signing in and accessing any part of the network or its features.
- Employ network segmentation and strict access controls to limit lateral movement if a login, a service or part of the network is compromised.
- Patch systems promptly when updates are released to help protect against new vulnerabilities and exploits that could enable lateral movement.
- Ensure that least-privilege access (now commonly framed as Zero Trust network architecture) is deployed so that only the privileges necessary to perform a role are assigned. This limits the ability of a compromised account to escalate privileges, access parts of the network not required for that user, or move laterally to gain further access.
Access7 Critical Supply Chain Vulnerabilities
PTC, the American computer software and services giant, announced on March 8th, 2022 that seven security vulnerabilities, collectively dubbed "Access:7", had been disclosed in its Axeda solution, which includes a cloud platform that allows device manufacturers to establish connectivity to remotely monitor, manage and service a wide range of connected machines, sensors and devices. The Access:7 vulnerabilities could be weaponized to gain unauthorized access to over 150 device models belonging to over 100 different manufacturers, affecting several industries, most prominently healthcare (55% of impacted device vendors) and IoT (24%). Three of the vulnerabilities have been rated Critical in severity.
Successful exploitation of the flaws could allow attackers to remotely execute malicious code to take full control of devices, access sensitive data, modify configurations and shut down specific services in the impacted devices. Since the Access:7 vulnerability relates to a solution sold to device manufacturers that did not develop their own in-house remote servicing system, this supply chain vulnerability affects many downstream manufacturers and devices, potentially resulting in disastrous consequences, especially given the high percentage of healthcare organisations utilising Axeda solutions.
CTRL Group recommends scanning your environments to determine whether any of the affected products are currently in use (the full list of products is linked at the end of this section). If one or more products from the list exist in your network:
- Unlike traditional remote management software for networks, Axeda is pre-installed in devices, so it cannot be patched by you. CTRL Group therefore recommends contacting each product's manufacturer and asking them to patch the relevant devices to Axeda agent version 6.9.1 build 1046, 6.9.2 build 1049 or 6.9.3 build 1051, if they have not already done so.
- Enforce segmentation controls to mitigate the risk from vulnerable devices.
- If the relevant devices in your network cannot be patched, or until they are patched, restrict external communication paths and isolate or contain vulnerable devices in zones as a mitigating control.
- Monitor all network traffic for malicious packets attempting to exploit these vulnerabilities, and monitor for and block any known malicious traffic.
The full list of affected devices and models can be found here: https://www.cybermdx.com/access7-affected-devices/.
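The scan-then-triage step above, as an added example that is not CTRL Group's or PTC's code: it reads a hypothetical host,vendor,agent-string inventory, parses the Axeda agent version, compares it against the fixed builds named above, and attaches the recommended action (vendor patch, or restrict and isolate until patched). It assumes an agent string of the form "Axeda Agent 6.9.2 build 1049" and treats a build at or above the advisory's build for the same 6.9.x line as fixed.

```python
"""Added example: triage an asset inventory for Axeda agents below the Access:7 fixed builds.
Assumes (hypothetical) CSV rows of host,vendor,agent-string; a build at or above the
advisory's build for the same 6.9.x line is treated as fixed."""
import re
# Fixed builds named in the advisory: 6.9.1 b1046, 6.9.2 b1049, 6.9.3 b1051.
FIXED_BUILDS = {(6, 9, 1): 1046, (6, 9, 2): 1049, (6, 9, 3): 1051}
ACTIONS = {
    "fixed": "no action required for Access:7",
    "vulnerable": "request vendor patch; restrict external paths and isolate until patched",
    "unknown": "agent line not named in advisory; confirm fix status with vendor",
}
AGENT_RE = re.compile(r"Axeda Agent (\d+)\.(\d+)\.(\d+) build (\d+)")

# Constructed sample inventory (fictional hosts and vendors).
SAMPLE_INVENTORY = """\
infusion-pump-01,ExampleVendorA,Axeda Agent 6.9.1 build 1046
imaging-ws-07,ExampleVendorB,Axeda Agent 6.9.2 build 1040
gateway-03,ExampleVendorC,Axeda Agent 6.8.5 build 1012
lab-analyser-02,ExampleVendorA,Axeda Agent 6.9.3 build 1051
printer-12,ExampleVendorD,no remote agent
"""

def parse_agent(agent_string):
    """Return ((major, minor, patch), build), or None if no Axeda agent is present."""
    m = AGENT_RE.search(agent_string)
    if not m:
        return None
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch), build

def assess(version, build):
    """Classify one agent version against the advisory's fixed builds."""
    if version in FIXED_BUILDS:
        return "fixed" if build >= FIXED_BUILDS[version] else "vulnerable"
    if version < min(FIXED_BUILDS):
        return "vulnerable"  # older than every fixed line
    return "unknown"  # newer line the advisory does not name (assumption: verify)

def triage(inventory_csv):
    """Return one finding per host that runs an Axeda agent."""
    findings = []
    for line in inventory_csv.splitlines():
        host, vendor, agent = line.split(",", 2)
        parsed = parse_agent(agent)
        if parsed is None:
            continue  # no Axeda agent: out of scope for Access:7
        status = assess(*parsed)
        findings.append({"host": host, "vendor": vendor,
                         "status": status, "action": ACTIONS[status]})
    return findings
```

Feed the output to your segmentation or isolation workflow for every host whose status is "vulnerable".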
Google Chrome Zero Day (CVE-2022-1096)
CVE-2022-1096 is a type confusion vulnerability: when a memory buffer is accessed using the wrong type, and the allocated buffer is smaller than the type the code is attempting to access, the code can read or write memory outside the bounds of the buffer, leading to a crash and possibly code execution.
CVE-2022-1096 is the second zero-day vulnerability addressed by Google in Chrome since the start of the year, the first being CVE-2022-0609, a use-after-free vulnerability in the Animation component that was patched on February 14, 2022.
CTRL Group recommends updating Google Chrome to the latest stable version, 99.0.4844.84 for Windows, Mac and Linux, to mitigate any potential threats.