Author's Posts

Hello All. I wanted to pass on these pretty good technical details on the vulnerabilities affecting Microsoft Exchange on-premise:

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One example of a web shell deployed by HAFNIUM, written in ASP, is below:

Following web shell deployment, HAFNIUM operators performed the following post-exploitation activity:

  • Using Procdump to dump the LSASS process memory:

  • Using 7-Zip to compress stolen data into ZIP files for exfiltration:

  • Adding and using Exchange PowerShell snap-ins to export mailbox data:

  • Using the Nishang Invoke-PowerShellTcpOneLine reverse shell:

  • Downloading PowerCat from GitHub, then using it to open a connection to a remote server:

HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.

Our blog, Defending Exchange servers under attack, offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog Web shell attacks continue to rise.
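The post-exploitation list above is easy to turn into a hunt over endpoint process-creation telemetry. The Python below is an added example, not code from this post or from Microsoft: the pipe-separated log format, host names and command lines are constructed for illustration, and the rule names and the check for shells spawned by the IIS worker (`w3wp.exe`, the usual parent of a web shell's child processes) are my own choices.

```python
"""Hunt process-creation logs for the HAFNIUM post-exploitation tooling listed above.

Added example: the pipe-separated log format, host names and command lines are
constructed for illustration and are not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str       # event timestamp
    host: str     # host that reported the process start
    parent: str   # parent process image name
    image: str    # new process image name
    cmdline: str  # full command line of the new process


# Constructed sample: timestamp|host|parent image|image|command line
SAMPLE_LOG = """\
2021-03-03T10:12:01Z|EXCH01|w3wp.exe|cmd.exe|cmd.exe /c procdump64.exe -accepteula -ma lsass.exe C:\\ProgramData\\l.dmp
2021-03-03T10:15:22Z|EXCH01|w3wp.exe|7z.exe|7z.exe a C:\\ProgramData\\out.zip C:\\ProgramData\\export\\*.pst
2021-03-03T10:18:40Z|EXCH01|cmd.exe|powershell.exe|powershell.exe -c Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; New-MailboxExportRequest -Mailbox user1 -FilePath \\\\EXCH01\\c$\\ProgramData\\export\\user1.pst
2021-03-03T10:20:05Z|EXCH01|cmd.exe|powershell.exe|powershell.exe -nop -c Invoke-PowerShellTcpOneLine
2021-03-03T10:21:30Z|EXCH01|cmd.exe|powershell.exe|powershell.exe -nop -c Import-Module C:\\ProgramData\\powercat.ps1
2021-03-03T11:00:00Z|EXCH01|services.exe|MSExchangeHMWorker.exe|MSExchangeHMWorker.exe
2021-03-03T11:05:00Z|WS07|explorer.exe|7z.exe|7z.exe x C:\\Users\\bob\\Downloads\\report.zip
"""

# One regex per tool named in the post; rule names are my own labels.
RULES = [
    ("lsass_dump", re.compile(r"procdump.*\blsass\b", re.I)),
    ("archive_staging", re.compile(r"\b7za?\.exe\s+a\s", re.I)),          # 7-Zip "add" = staging data
    ("exchange_mailbox_export", re.compile(r"Add-PSSnapin\s+Microsoft\.Exchange|New-MailboxExportRequest", re.I)),
    ("nishang_reverse_shell", re.compile(r"Invoke-PowerShellTcpOneLine", re.I)),
    ("powercat", re.compile(r"\bpowercat\b", re.I)),
]
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
IIS_WORKER = "w3wp.exe"   # a web shell runs inside this process, so its children are suspicious


def parse_line(line):
    """Split one log line into a ProcEvent; returns None for malformed lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return ProcEvent(*parts)


def evaluate(ev):
    """Return the names of every rule the event trips (empty list if benign)."""
    hits = [name for name, rx in RULES if rx.search(ev.cmdline)]
    if ev.parent.lower() == IIS_WORKER and ev.image.lower() in SHELL_IMAGES:
        hits.append("webshell_child_process")
    return hits


def hunt(log_text):
    """Run every rule over the log; returns (timestamp, host, image, rule names) per alert."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        hits = evaluate(ev)
        if hits:
            alerts.append((ev.ts, ev.host, ev.image, hits))
    return alerts


if __name__ == "__main__":
    for ts, host, image, hits in hunt(SAMPLE_LOG):
        print(f"{ts} {host} {image}: {', '.join(hits)}")
```

Only the Exchange server's events fire; the desktop user extracting a ZIP with 7-Zip does not, because the archive rule looks for the "add" verb rather than for 7-Zip itself. The `webshell_child_process` rule is the most durable of the set, since it does not depend on which tool the operator chose.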


Hello All. As many of you may have heard, this new 0-day vulnerability affecting on-premise Microsoft Exchange servers is the latest in a string of problems that caused bad days for a lot of companies. Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.

Some details on the HAFNIUM group from Microsoft are as follows:

The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today’s Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server. We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.

In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments.

HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.

The vulnerabilities are a deserialization flaw in the Unified Messaging service and arbitrary file write flaws, reached through an SSRF:

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

This makes those organizations that did not trust M365’s Exchange Online want to rethink their e-mail plans for 2021. Just saying.


Hello All. So WordPress can be a great CMS platform and allows you to put a pretty nice site up fairly quickly. Most recently I was working on a WordPress breach and wanted to take the opportunity to remind folks about some of the controls they should put in place to avoid having any security-related issues. Hopefully everyone finds this information useful. Please drop me a line if you think I should add anything to this list.

WordPress Core Updates

It goes without saying that you should keep this up to date. Much like updating Windows, when updates come out, be sure to get them installed. The WordPress development team is pretty diligent at getting updates out as soon as possible when a vulnerability is identified. At the time of this post, version 5.6.1 is the current version (released on Feb 3, 2021) – it was a maintenance release for the 5.6 branch. Please see the following for release notes and an idea of the frequency of updates – http://bit.ly/3aChahk and http://bit.ly/3jhIB44

Two-Factor Authentication

If you run a WP site today, you will know from your logs that there are automated bots from all over that try to brute force their way into your WP admin page. I recommend installing a two-factor authentication plugin. There are many, and for the most part they are free. Check out Duo, which allows up to 10 free users, or Google Authenticator.

Logging

So if you are new to WP, I would recommend installing a site security plugin to ensure that you can track when people log in, when changes occur to your site, etc. This is key so that if something occurs on your site, you will receive an email to notify you. A couple of good plugins are Sucuri Security, WP Security as well as a tool called Activity Log. There are more, but these are the ones I have seen to work well. Here are a few screenshots:

Activity Log will provide a log of any changes to the site including date/time, who made the change, source IP, the type of change (i.e. Post) and the page that was updated.

Sucuri is another really good tool. It does all kinds of things from a security perspective, but from a logging perspective, it is very similar to Activity Log:

It also has the option of sending emails such as this when activity occurs:

Plugin Security

This is a VERY key component and is what typically gets people into a lot of trouble: installing whatever plugin they see without thinking about the outcome. You have to understand, some of these plugins are pretty benign, but a number of them need write access to the file system at times, etc. This can be very dangerous. My rules of thumb when it comes to plugins are:

  • KISS – keep it simple stupid – only install the bare minimum number of plugins. Be smart here, if you don’t need it, don’t install it.
  • Review your plugin install base regularly – if you no longer need it, get rid of it.
  • Where did your plugin come from – you want to check a few things. First, I don’t normally trust plugins that are not on the WordPress.org site. If they haven’t made it there, I would be suspicious. Now, that is not to say that all plugins on the WordPress site are safe, but it is a start.
  • What is the install base of the plugin – typical mainstream plugins have 500k+, 1M+ installs. Anything in the 20k or below, well, try and find an alternative. This means the plugin may be relatively new and could have a number of unidentified vulnerabilities.


  • Last update – another important thing to look at is how often the plugin is being updated and what version of WordPress is supported. This could mean the plugin has gone stale and no one is actively supporting it. Very bad if a vulnerability is identified. The WordPress site will actually warn you when it has been a long time since the plugin was updated.

  • Did it make the “bad” list – ok, this isn’t at the bottom of the list because it is the least important. Trust me, this one is equally important if not more important. Make sure you do a bit of research on the plugin before installing. Sites such as the WPScan WordPress Vulnerability Database catalog over 20k known plugin, theme and core WP vulnerabilities. The site gives you a wealth of information. And who knows, maybe they’ve fixed that plugin you want to use.

  • Back it up – Before you install any plugin, make sure you back up your site. There are many plugins and methods you can use to easily back up your site. Given you don’t necessarily know what the plugin is doing when you install it, backups are key.

Final thoughts on plugins – When in doubt, don’t use it. I also tend to look at things like the rating and comments left by people on the WordPress site, whether there is support for the plugin, etc.
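The rules of thumb above (install base, last update, WordPress version tested, and the "bad list" check) can be applied mechanically before a plugin goes anywhere near a site. The Python below is an added example of mine, not code from this post. The plugin records are constructed; their field names (`slug`, `active_installs`, `last_updated`, `tested`) follow the shape of the WordPress.org plugin information API as I understand it, with `last_updated` simplified to an ISO date. The one-year staleness threshold is my assumption, since the post gives no number, and the known-vulnerable set stands in for a lookup against the WPScan database.

```python
"""Score a WordPress plugin against the rules of thumb above before installing it.

Added example, not from the post. The plugin records are constructed; the field
names follow the shape of the WordPress.org plugin information API (assumption),
with last_updated simplified to an ISO date.
"""
from datetime import date, datetime

WP_CURRENT = "5.6.1"             # current WordPress release at the time of the post
MIN_INSTALLS = 20_000            # the post: at or below this, look for an alternative
MAX_AGE_DAYS = 365               # staleness threshold: my assumption, the post gives no number
REVIEW_DATE = date(2021, 2, 10)  # constructed "today" for the sample run

# Constructed stand-in for a WPScan-style lookup of known-vulnerable plugin slugs.
KNOWN_VULNERABLE = frozenset({"example-gallery-flagged"})

# Constructed records; slugs and numbers are illustrative only.
SAMPLE_PLUGINS = [
    {"slug": "example-forms", "active_installs": 1_000_000, "last_updated": "2021-01-20", "tested": "5.6"},
    {"slug": "example-slider", "active_installs": 60_000, "last_updated": "2018-05-01", "tested": "4.9"},
    {"slug": "example-widget", "active_installs": 5_000, "last_updated": "2021-02-01", "tested": "5.6.1"},
    {"slug": "example-gallery-flagged", "active_installs": 300_000, "last_updated": "2021-01-15", "tested": "5.6"},
]


def parse_version(text):
    """'5.6.1' -> (5, 6, 1); tolerates suffixes such as '5.6.1-beta'."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def vet_plugin(info, today=REVIEW_DATE, known_vulnerable=KNOWN_VULNERABLE):
    """Return the names of the rules the plugin trips (empty list means nothing found)."""
    findings = []
    if info["slug"] in known_vulnerable:
        findings.append("listed_in_vulnerability_database")
    if info.get("active_installs", 0) <= MIN_INSTALLS:
        findings.append("low_install_base")
    last = datetime.strptime(info["last_updated"], "%Y-%m-%d").date()
    if (today - last).days > MAX_AGE_DAYS:
        findings.append("stale_plugin")
    # Compare major.minor only: a plugin tested on 5.6 is fine for 5.6.1.
    if parse_version(info.get("tested", "0"))[:2] < parse_version(WP_CURRENT)[:2]:
        findings.append("not_tested_on_current_wp")
    return findings


def decide(findings):
    """A plugin on the bad list is rejected outright; anything else flagged needs a human look."""
    if "listed_in_vulnerability_database" in findings:
        return "reject"
    return "review" if findings else "ok"


def vet_all(plugins=SAMPLE_PLUGINS, today=REVIEW_DATE):
    """Map each plugin slug to its verdict."""
    return {p["slug"]: decide(vet_plugin(p, today)) for p in plugins}


if __name__ == "__main__":
    for slug, verdict in vet_all().items():
        print(f"{slug:28s} {verdict}")
```

The thresholds are deliberately easy to change: the point is that every plugin gets the same questions asked before installation, and that a hit on the vulnerability database ends the conversation regardless of how popular the plugin is.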

Reverse Proxy / Cloud Proxy

Another good idea would be to look into a reverse or cloud proxy. Essentially what happens here is a server or cloud service is placed in front of your WordPress site and the traffic can be screened prior to hitting your site. You can do geo-blocking from here, block certain common attack attempts (i.e. login brute-force) and many of the cloud services also block based on intelligence (i.e. known bad plugins, etc.).

If you are running your own server, you can stand up an Apache server running the mod_security module. Here is a good site on how to do that – http://bit.ly/2Lp2WYU and more details on mod_security and WordPress – http://bit.ly/2YLSrle.

Now if you can afford the $9.99 / month, I would highly recommend looking into Sucuri’s Web Application Firewall. These guys are WordPress experts and their cloud-based proxy works very well.

Backups

I highly recommend you ensure you have regular backups of both the WP database as well as the WP files (i.e. plugins, core, themes, etc.). You never know when something will happen and having a good safe backup to restore to can be a lifesaver. Sucuri has a good service, as well as VaultPress. If you want to do it on the cheap, a simple tarball of the files and a mysqldump of the database will do.
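For the "on the cheap" route, here is an added example of mine (not the post's) that does exactly that: a gzipped tarball of the WordPress tree plus a `mysqldump` of the database. Paths, the database name and the credentials file are placeholders; `mysqldump` is only invoked when it is installed, and it reads credentials from a defaults file so the password never appears on the command line or in the process list.

```python
"""Minimal WordPress backup: tarball of the site files plus a mysqldump of the database.

Added example, not from the post. Paths, database name and credentials file are
placeholders; mysqldump is only invoked if it is installed on the host.
"""
import os
import shutil
import subprocess
import tarfile
import tempfile
from datetime import datetime


def _stamp(stamp=None):
    return stamp or datetime.now().strftime("%Y%m%d-%H%M%S")


def backup_files(wp_root, dest_dir, stamp=None):
    """Archive the WordPress tree (core, themes, plugins, uploads) into dest_dir; returns the archive path."""
    archive = os.path.join(dest_dir, f"wp-files-{_stamp(stamp)}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(wp_root, arcname=os.path.basename(wp_root.rstrip(os.sep)))
    # The archive contains wp-config.php, and with it the database credentials: owner-only access.
    os.chmod(archive, 0o600)
    return archive


def mysqldump_command(db_name, defaults_file, out_path):
    """argv for mysqldump; credentials come from a mode-0600 defaults file, never the command line."""
    return [
        "mysqldump",
        f"--defaults-extra-file={defaults_file}",  # must be the first option for MySQL client tools
        "--single-transaction",                    # consistent snapshot of InnoDB tables without locking
        f"--result-file={out_path}",
        db_name,
    ]


def backup_database(db_name, defaults_file, dest_dir, stamp=None):
    """Dump the database into dest_dir; returns the dump path, or None if mysqldump is not installed."""
    if shutil.which("mysqldump") is None:
        return None
    out_path = os.path.join(dest_dir, f"wp-db-{_stamp(stamp)}.sql")
    subprocess.run(mysqldump_command(db_name, defaults_file, out_path), check=True)
    os.chmod(out_path, 0o600)
    return out_path


def demo():
    """Build a tiny constructed site tree in a temp dir, back it up, and return the archive's member names."""
    with tempfile.TemporaryDirectory() as tmp:
        wp_root = os.path.join(tmp, "public_html")
        os.makedirs(os.path.join(wp_root, "wp-content", "plugins", "example-plugin"))
        for rel in ("wp-config.php", "wp-content/plugins/example-plugin/plugin.php"):
            with open(os.path.join(wp_root, rel), "w") as fh:
                fh.write("<?php // constructed placeholder\n")
        dest = os.path.join(tmp, "backups")
        os.makedirs(dest)
        archive = backup_files(wp_root, dest, stamp="demo")
        with tarfile.open(archive) as tar:
            return sorted(tar.getnames())


if __name__ == "__main__":
    print("\n".join(demo()))
    # Real run (placeholders): backup_files("/var/www/public_html", "/backups")
    #                          backup_database("wordpress", "/root/.my-backup.cnf", "/backups")
```

Run it from cron and copy the two files off the host afterwards; a backup that lives on the same server as the site disappears with it.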

Encryption

In this day and age, SSL is considered normal best practice. I would recommend installing SSL at a minimum to protect you while you are in the admin console of WP, although it doesn’t hurt to just push everything to SSL. There are a number of plugins out there to facilitate this (i.e. Really Simple SSL). SSL certs are fairly cheap, but if you want to go the free route, services like Let’s Encrypt will work; however, be aware their certs normally need to be renewed every 90 days. There are lots of sites out there that explain how to install these – here is an example.

Final Words

There are a bunch of other items I didn’t include in this post – given I could probably write a book about this. You still need to ensure your underlying infrastructure is sound, the version of PHP installed is safe, you aren’t exposing services on the server, and your cloud host is reputable and safe. Here is another good source for WP security – https://www.wpbeginner.com/wordpress-security/
