Month in Breaches:
September 2020

Cybersecurity News / Month in Breaches

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends. In this issue, ransomware attacks continue to plague the global threat landscape. Part of protecting our clients is also promoting good security practices and raising awareness of current security trends, boosting your overall understanding of current breaches.

Zerologon Vulnerability

Zerologon has a critical severity with a CVSS score of 10 out of 10. It is a privilege-escalation vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol (MS-NRPC) which allows an attacker to gain administrative privileges to access the Active Directory domain controllers of the company. MS-NRPC is a remote procedure call (RPC) interface that is used by Windows for user and computer authentication on domain-based networks. The vulnerability exists as Netlogon allows authentication of computers to the domain controller and change the Active Directory password. Impersonation of the computer may be performed by an attacker to change the password for both the domain controller and Active Directory. Therein gaining full control on the Windows domain.

The first phase of patches has been released last August but is only available to some Windows Server versions that still receive security updates. Therefore, it is necessary to immediately update the domain controllers with the patches released by Microsoft in August. According to Microsoft, “The updates will enable the Domain Controllers (DCs) to protect Windows devices by default, log events for non-compliant device discovery, and have the option to enable protection for all domain-joined devices with explicit exceptions. CTRL Group also insist on maintaining strong patch management to secure all loose endpoints with the most recent patches.

FortiGate VPN Default Configuration Leads to MITM Attack

According to a recent report, the default configurations of Fortinet’s FortiGate VPN appliance could open organizations to man-in-the-middle (MitM) attacks. It was found that the FortiGate SSL-VPN client only verifies whether the certificate required for client authentication purposes was issued by Fortinet or by some other trusted certificate authority. Thus, an attacker could easily present a certificate issued to a different FortiGate router without raising any flags. This will lead to a man-in-the-middle attack using which they could inject their own traffic and communicate with devices inside the organisation, including point-of-sale and data centres. Shodan revealed that more than 200000 businesses are using default configurations and could be easily breached.

Fortinet does not consider this particular issue to be a vulnerability. According to them, the users have the full ability to manually change and replace the default certificates to secure their connections appropriately. Each VPN appliance and the set-up process provide multiple clear warnings in the GUI with documentation offering guidance on certificate authentication and sample certificate authentication and configuration examples. Hence, CTRL Group suggest considering these warnings seriously to avoid exposing your organisation to risks.

LockiBot Password Stealer Trojan

LokiBot is an information stealer trojan-type malware designed to collect data from widely used web browsers, FTP and email clients. It typically enters systems without the user’s consent. This Virus specifically targets Windows and Android operating systems. A main feature of LokiBot is to record sensitive data. LokiBot gathers the information mainly from web browsers be it passwords, login credentials, bank details etc, and continually tracks user’s activity. Once this information is accessed, it is immediately saved on a remote server controlled by LokiBot’s developers.

To avoid such infection by Lokibot, use network scanners and review your network. It is paramount for users to be very careful while browsing the internet – and particularly before opening or clicking any email attachments. Software patches and updates are something that does a lot of protection to our network. Make sure you have scanning tools to see if your network is fully patched. While downloading software make sure you download from official sources only, using direct download links. Additionally, installing antivirus/antimalware only from trusted developers and keeping it up-to-date is important to decrease the chance of malware infection.

Related Articles

Cyber Compliance / Cyber Advisory, Cyber Compliance
Cyber Regulations and Australian Compliance Overview 2022
Read more
Cybersecurity / Incident Response
Incident Response – Be Prepared
Read more
Cyber Breach and Cyber Incident response and cyber insurance are fundamental to an organisation's cybersecurity.
Cyber Insurance / Incident Response
Are you Cyber Ready for Cyber Insurance?
Read more