Cert-IST recommendations based on the Cert-IST review of vulnerabilities and attacks in 2020

Date: March 07, 2021

Publication: Article

This article is a continuation of the report we published in February about the vulnerabilities and attacks seen in 2020. For each key trend identified in that report, we describe here the recommended mitigations. The aim is not to establish a security guide or to list good security practices, but to focus on some specific points. Most of the recommendations listed in this article are simple and already widely adopted. In fact, the article could have been titled: Simple rules first!


The cyber threat induced by the Covid-19 crisis

The Cert-IST report shows that one of the issues raised by Covid-19 is the security weaknesses that may have been introduced by the rush to deploy telework. Our recommendation is not to consider the solutions that were put in place in a hurry as definitive: it is necessary to review what has been done to enable telework, decide on the level of security achieved and tighten security where necessary.

One of the problems commonly experienced is the use of split-tunneling on teleworker laptops (rather than a mandatory tunnel that sends all network traffic to the company). Generally, split-tunneling was chosen to limit the network traffic load on the company. But this also means that the teleworker is no longer protected by the filtering solutions that screen outbound network traffic (and block access to malicious sites), and is left exposed to attacks (e.g. when a booby-trapped email is opened and tries to download malware).


Ransomware attacks against companies

Ransomware attacks are a major risk for companies. There are many defence-in-depth measures that reduce this risk (e.g. network segmentation, privileged account management, infrastructure monitoring, etc.). But we have chosen just three specific measures that can greatly reduce the risk of a successful ransomware attack.

To protect against intrusions into the company's internal network:

  • Quickly patch devices exposed on the Internet (VPN servers, Internet-connected appliances, etc.) when new vulnerabilities are discovered. The objective should be to patch immediately if an exploit is available on the Internet. This measure is already applied by most companies for all identified edge devices, which means that if a crisis situation happens, the effort can be focused on identifying and dealing with any unofficial solutions (shadow IT) that may exist.
  • Prevent infection of desktop computers by blocking direct network traffic to the Internet and filtering the web traffic passing through web proxies, to prevent access to dangerous sites. For example, a content filtering system (based on categories) can be used, or a PDNS service (protective DNS; see for example the recent joint announcement by the NSA and CISA). The most sensitive companies also often completely prohibit access to websites that are not strictly necessary (Internet access is only allowed for a list of authorised sites).

To detect a successful intrusion before ransomware is deployed within the company: feedback from several incidents recommends monitoring the alarms generated by the antivirus system already in place in the company. It is indeed common for attackers to inadvertently generate alarms when trying to stop the antivirus software, or when using hacking tools that the antivirus software detects (e.g. detection of tools such as Mimikatz or PasswordDump).
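As an added illustration of this recommendation (example code written for this article, not a Cert-IST or vendor tool), the script below triages antivirus alert lines and flags the two patterns described above: detection of credential-theft or hacking tools, and attempts to stop the antivirus itself. The log format, host names and signature names are constructed assumptions, not a real vendor format.

```python
"""Triage antivirus alerts for signs of a pre-ransomware intrusion.
Added example; the log format and sample lines below are constructed."""
import re
from collections import defaultdict

# Signature names pointing to hacking/credential-theft tools rather than commodity malware.
HACKTOOL_PATTERN = re.compile(r"(mimikatz|passworddump|hacktool|pwdump)", re.I)
# Status messages that indicate someone stopping or tampering with the antivirus itself.
TAMPER_PATTERN = re.compile(r"(service stopped|real-?time protection disabled|tamper)", re.I)
# Constructed line format: "<timestamp> host=<name> event=<type> detail=<text>"
LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) detail=(.*)$")

def classify(line):
    """Return (host, category) for one alert line, or None if it is routine."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _, host, event, detail = m.groups()
    if event == "detection" and HACKTOOL_PATTERN.search(detail):
        return host, "hacktool"
    if event == "status" and TAMPER_PATTERN.search(detail):
        return host, "av_tamper"
    return None

def triage(lines):
    """Group suspicious categories per host; routine alerts are dropped."""
    findings = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            host, category = hit
            findings[host].add(category)
    return dict(findings)

def severity(categories):
    """A host showing both tool detections and AV tampering is the strongest
    signal that an intruder is already operating inside the network."""
    return "critical" if len(categories) >= 2 else "high"

# Constructed sample alerts (not real logs).
SAMPLE_LOG = [
    "2021-03-01T08:12:04Z host=WS-042 event=detection detail=Adware.Generic quarantined",
    "2021-03-01T08:13:51Z host=SRV-FILE01 event=detection detail=HackTool.Win32.Mimikatz blocked",
    "2021-03-01T08:14:10Z host=SRV-FILE01 event=status detail=Real-time protection disabled by user",
    "2021-03-01T08:20:33Z host=WS-017 event=status detail=Signature update completed",
    r"2021-03-01T08:21:02Z host=WS-017 event=detection detail=PasswordDump.A found in C:\Temp\pd.exe",
]

if __name__ == "__main__":
    for host, cats in triage(SAMPLE_LOG).items():
        print(f"{severity(cats):8} {host}: {', '.join(sorted(cats))}")
```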


Attacks against VPN access and exposed appliances

The Cert-IST report shows that in 2020 many attacks targeted VPN servers or appliances directly connected to the Internet. And we noticed that some of these appliances seemed to be weak (they appear "hard on the outside but weak inside").

On this matter, we have two recommendations:

  • For appliance vendors: improve the robustness of the appliances.
  • For companies using these appliances: do not expose the appliance administration interfaces on the Internet, even if they are password protected (and the password is strong). These interfaces are often web pages, and the web server may contain vulnerabilities that allow authentication to be bypassed (e.g. directory traversal or SSRF vulnerabilities). It is well known that RDP access must not be exposed unprotected on the Internet, and even SSH access exposed on the Internet is now considered dangerous; the same applies to appliance administration interfaces: they must not be exposed unprotected on the Internet.


SolarWinds Orion and supply-chain attacks

The SolarWinds Orion attack detected in December 2020 by the US government showed several things that we will not address in these recommendations, such as the level of sophistication that a State-sponsored attack can have, or the difficulty of protecting against supply-chain attacks.

But it also showed that the attackers frequently targeted Office 365. Attacks against Office 365 are likely to increase in the future. Our recommendation for this chapter is therefore to strengthen the monitoring of Office 365 cloud infrastructures by collecting logs and implementing anomaly detection rules.


DDoS attacks

The annual review shows that DDoS attacks are still present and that no company is safe from a sudden attack (accompanied by a ransom note) with a flow of 150 Gbps. It is therefore important to assess the impact of the temporary unavailability caused by a DDoS attack (an attack lasts from a few hours to a few days) and to consider whether or not it is necessary to rely on an external anti-DDoS service to handle this situation.


State-sponsored attacks are not always sophisticated

There is no simple measure that protects against sophisticated attacks. But not all State attacks are sophisticated, and in 2020 we saw two types of State attack:

  • Sophisticated attacks, such as the SolarWinds Orion attack;
  • Simpler but systematic attacks, often attributed to China (which is probably not the only actor, but seems to be a very active one).

This second category of attacks is based on attack programs or technical details already published on the Internet. The attacker's know-how lies first in "weaponising" an exploit (making it operational) and second in using it at large scale. It should be noted that these State attackers are often ahead of cyber-criminals: they are the only ones we saw in 2020 using vulnerabilities in SharePoint or Exchange (which require expertise that cyber-criminals do not yet seem to master).

Our recommendation here is therefore the same as the one we gave above about ransomware: it is important to be able to quickly patch vulnerabilities that affect equipment exposed on the Internet. When an exploit is available on the Internet, exposed equipment should be patched immediately.


Technical developments observed in 2020

Regarding the technical developments seen in 2020, our main recommendation is to pay attention to the vulnerabilities that affect the Microsoft ecosystem: Exchange, SharePoint and IIS.

For Exchange, it must be assumed that the attacker is always able to steal at least one email account and its password. If this data is sufficient to log into a mailbox from the Internet (i.e. there is no 2FA protection), then:

  • The victim's emails are within reach of a successful phishing attack;
  • The Exchange server itself becomes a server exposed to attacks from the Internet and must therefore be kept up to date accordingly (see the recommendation above on patching exposed equipment).