Best Practices for External Attack Surface Management (ASM) with Use-Cases

June 7, 2021

Gartner has predicted that by 2021, one-third of successful attacks on the enterprise will be through shadow IT resources and leaked sensitive information [1].

According to Verizon’s DBIR (Data Breach Investigations Report) for 2021, 70% of attacks are perpetrated by external threat actors [2]. The same report finds that organizations have approximately 43% of their internet-facing IPs in a single network, which makes them vulnerable to cyber-attacks.

External attack surface management plays a critical role in minimizing or preventing such attacks.

What is External Attack Surface Management?


ASM is the process of discovering, listing, classifying, analyzing, prioritizing, and monitoring all information about your organization that can be collected on the internet, and informing your organization about sensitive data found by searching its external digital assets.

A useful ASM solution follows your entire digital footprint over the Internet, discovering and collecting the information that relates to your company. Raw discovery output is either too much information or not useful information, so instead of being shared with your company directly, it is analyzed and classified first. After this step, the information is prioritized based on its sensitivity. Finally, the discovered assets and findings are monitored on an ongoing basis.

 

What are the key capabilities of ASM solutions?

 

An effective ASM solution can:

  • Black-Box Reconnaissance: Automatically discover the external assets.
  • Continuous Monitoring: Track changes and quickly alert users when a critical issue is found.
  • Shadow IT Discovery: Identify any assets you were not previously aware of.
  • Risk-Based Prioritization: Automatically provide an external threat assessment, identifying the issues most attractive to attackers.
  • Bi-Directional API & Enterprise Integrations: The ability to integrate with SIEM, SOAR, asset management, and ticketing systems is critically important.

What are the use cases for ASM?

 

  • Zero-day Attacks

According to a Ponemon Institute report, 76 percent of successful endpoint compromises at enterprises were the result of zero-day exploits. Zero-day attacks are predicted to increase from one per week to one per day in 2021.

A zero-day attack exploits an undiscovered security vulnerability in computer software or an application. A zero-day exploit creates a window of vulnerability within which malicious actors can exploit the software before anybody knows the flaw exists or before an update is provided. The result is a security incident, during which attackers may expose critical company data on public file-sharing websites.

Microsoft Exchange Server Zero-day Attacks in 2021: Microsoft detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

 

The vulnerabilities being exploited were:

 

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allows the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

 

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

 

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server, then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

 

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server, then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

 

  • Detecting Cloud-based SaaS Data

Software-as-a-Service (SaaS) is a cloud-based model for delivering software to subscribers. Instead of acquiring and installing a program, SaaS users subscribe to it. A SaaS application may be accessed and used from any suitable device through the Internet. The program itself is hosted on cloud servers that may be located far from the user’s location.

MongoDB Database Leak: A hacker published ransom notes on 22,900 MongoDB databases that had been left open online without a password, accounting for around 47 percent of all MongoDB databases accessible online.

The hacker used an automated script to search for misconfigured MongoDB databases, wipe their contents, and leave a ransom note demanding a 0.015 bitcoin ($140) payment.

This was not the first time for MongoDB: more than 28,000 servers were ransomed in a series of attacks in January 2017, another 26,000 in September 2017, and then another 3,000 in February 2019.

 

  • Expired SSL Certificates

SSL certificates authenticate your websites or domains and are crucial for guaranteeing appropriate Internet traffic encryption and server identity verification. Without these certificates, end users have no means of knowing whether the website they are currently browsing is who it purports to be.

Microsoft Exchange Admin Portal Blocked by Expired SSL Certificate: The Microsoft Exchange admin interface was unavailable from some browsers due to Microsoft’s failure to renew the website’s SSL certificate in 2021. Microsoft Exchange admins who attempted to access the admin portal at admin.exchange.microsoft.com suddenly found that their browsers were issuing warnings that the connection was not private due to an expired SSL certificate.

Depending on the browser, users are blocked from accessing the site as a security precaution or shown an alert that the data may not be secure. For example, Google Chrome will stop you from accessing the site altogether, while Firefox will warn you about the insecure connection.
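Catching an expiry like the one above is a matter of checking the certificate each external host presents before it lapses. The Python script below is an added example (not part of the original post or of SOCRadar’s product): it classifies a certificate as OK, expiring or expired against an assumed 30-day threshold and checks that its DNS names cover the monitored hostname; the `example.com` names and the sample certificate dictionary are constructed.

```python
"""Certificate expiry monitoring for external assets (added example, not SOCRadar code)."""
import socket
import ssl
import time

WARN_DAYS = 30  # assumed alerting threshold in days; not a value from the post

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns (not a real cert).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "admin.example.com"), ("DNS", "*.portal.example.com")),
    "notAfter": "Jun 30 23:59:59 2021 GMT",
}

def epoch(cert_time: str) -> float:
    """Convert a certificate timestamp ('Jun 30 23:59:59 2021 GMT') to epoch seconds (UTC)."""
    return float(ssl.cert_time_to_seconds(cert_time))

def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live fetch: return the chain-validated certificate the host presents for `host` (SNI)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def evaluate_cert(cert: dict, now: float, warn_days: int = WARN_DAYS) -> dict:
    """Classify a getpeercert() dict as OK / EXPIRING / EXPIRED relative to `now` (epoch seconds)."""
    days_left = (epoch(cert["notAfter"]) - now) / 86400
    status = "EXPIRED" if days_left < 0 else "EXPIRING" if days_left <= warn_days else "OK"
    return {"status": status, "days_left": round(days_left, 1)}

def covers_host(cert: dict, host: str) -> bool:
    """True if a DNS SAN matches the host exactly or through a single-label wildcard."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    parent = host.split(".", 1)[1] if "." in host else ""
    return any(n == host or (n.startswith("*.") and n[2:] == parent) for n in names)

if __name__ == "__main__":
    host = "admin.exchange.microsoft.com"  # the portal named in the post
    try:
        cert = fetch_cert(host)
        print(host, evaluate_cert(cert, time.time()), "name match:", covers_host(cert, host))
    except ssl.SSLCertVerificationError as exc:
        # An already-expired or otherwise invalid chain fails validation before getpeercert() runs.
        print(host, "CRITICAL: certificate failed validation:", exc.verify_message)
```

Because the default context validates the chain, a certificate that has already expired surfaces as an `SSLCertVerificationError` rather than as an `EXPIRED` result, so the exception path must be alerted on as well.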

 

  • Firewall Rule Change – Ransomware to RDP

 

Ransomware campaigns are becoming increasingly focused in order to be more effective. The Remote Desktop Protocol (RDP) is one of the key attack vectors. Remote desktop is precisely what the name implies: the ability to control a computer from a remote location.

The number of attacks against RDP rose from 969 million in 2019 to more than 3.3 billion in 2020, a 241 percent rise.

Through social engineering or brute-force attacks, threat actors obtain login credentials for a remote desktop. Using this access, they can deploy specialized tools to:

 

  • Elevate their privileges
  • Leave backdoors for future use
  • Gain control over wider parts of the infiltrated network
  • Deploy the ransomware and leave payment instructions

 

TrickBot module (rdpScanDll): Bitdefender researchers have discovered a new TrickBot module (rdpScanDll) built for RDP brute-forcing operations on select targets. The new module was discovered on January 30, 2021 and, based on the IP addresses it targets, victims seem to be US and Hong Kong-based, predominantly in the telecom industry.

TrickBot is a Trojan that has been around since 2016. It started out as a credential-harvesting threat mostly focused on e-banking, but its plugin-based design has made it much more than a threat focused on financial data theft. Security companies and researchers have previously analyzed a wide range of modules, showing that the Trojan is still under active development and undergoing constant feature upgrades.
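The continuous-monitoring and risk-based-prioritization capabilities listed earlier are what turn a firewall rule change that exposes RDP into an alert before a brute-forcing module finds it. As an added example (not SOCRadar’s code), the Python below diffs two scan snapshots of an organization’s external assets and ranks what changed; the hostnames, ports and severity table are constructed assumptions.

```python
"""Change detection over external asset snapshots (added example, not SOCRadar code)."""
from typing import Dict, List, Set

Snapshot = Dict[str, Set[int]]  # host -> open TCP ports as a scanner reported them

# Assumed severity notes for services that should not appear on the perimeter unannounced.
CRITICAL_PORTS = {
    23: "Telnet exposed",
    111: "portmapper exposed",
    445: "SMB exposed at the network boundary",
    3389: "RDP exposed (ransomware entry point)",
    27017: "MongoDB exposed",
}
RANK = {"critical": 0, "medium": 1, "low": 2, "info": 3}

# Constructed snapshots of one organisation's discovered assets, before and after a change.
PREVIOUS: Snapshot = {
    "www.example.com": {80, 443},
    "vpn.example.com": {443},
    "mail.example.com": {25, 587},
}
LATEST: Snapshot = {
    "www.example.com": {80, 443},
    "vpn.example.com": {443, 3389},       # a firewall rule change opened RDP
    "mail.example.com": {25, 587},
    "staging.example.com": {80, 27017},   # shadow IT: host not in the previous inventory
}

def diff_snapshots(prev: Snapshot, curr: Snapshot) -> List[dict]:
    """Return alerts for new/removed hosts and opened/closed ports, most severe first."""
    alerts = []
    for host in sorted(set(prev) | set(curr)):
        before, after = prev.get(host), curr.get(host)
        if after is None:  # host dropped out of the inventory: worth confirming, not urgent
            alerts.append({"host": host, "event": "host_gone", "severity": "info"})
            continue
        if before is None:  # previously unknown asset: the shadow IT case
            alerts.append({"host": host, "event": "new_host", "severity": "medium"})
            before = set()
        for port in sorted(after - before):
            sev = "critical" if port in CRITICAL_PORTS else "low"
            alerts.append({"host": host, "event": "port_opened", "port": port,
                           "severity": sev, "note": CRITICAL_PORTS.get(port, "")})
        for port in sorted(before - after):
            alerts.append({"host": host, "event": "port_closed", "port": port, "severity": "info"})
    return sorted(alerts, key=lambda a: RANK[a["severity"]])  # stable sort keeps host order on ties

if __name__ == "__main__":
    for alert in diff_snapshots(PREVIOUS, LATEST):
        print(alert)
```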

 

  • JavaScript Injection

JavaScript is a prominent technology that is frequently used for web pages and online apps.

It may be used to implement many website functions. However, it may also introduce security risks, which developers and testers should be aware of.

JavaScript may be used not just for good, but also for harmful activities. JavaScript Injection is one of them. The purpose of JS Injection is to inject JavaScript code that will be executed on the client side.

Magecart Attacks: Magecart is a hacker group that ramped up its attacks over the course of 2018. It uses a tactic similar to Cross-Site Scripting (XSS), injecting malicious JavaScript that sends stolen data to an external server via an HTTPS connection; the big difference is the method of injection, while conceptually the same thing is accomplished. In the same year, the group was able to compromise Inbenta, a Ticketmaster partner, and steal information from Ticketmaster International (specifically in Ireland, Turkey, New Zealand and Australia), Ticketmaster UK, Getmein and TicketWeb.

Later another breach was discovered, this time at British Airways, where around 380K customers were affected. Newegg was also on Magecart’s victim list.

 

  • Attacks via 3rd Party Components

 

It is quite convenient to use third-party libraries or frameworks. These external components make development easier, save the development team time, and frequently benefit from an active community.

 

Third-party components, like any other piece of software or code, are vulnerable to exploitation. Worse, the more popular a component grows, the more attractive a target it becomes. Attackers tend to concentrate on frequently used components, from which they can launch widespread attacks.

When a security weakness in one of these components is identified, the vulnerability is normally made public, a patch is made available, and web application developers are expected to update to the patched version.

Equifax Attack: After the vulnerability had been known for two months, Equifax (one of the largest US credit reporting companies) suffered a breach which leaked, amongst other things, 200 000 credit card numbers.

The attackers used the CVE-2017-5638 vulnerability, which meant that unvalidated input/unchecked data could be sent into the system. The vulnerability was in Apache Struts, a third-party component. It occurs because the Content-Type header is not escaped after an error and is then used by the LocalizedTextUtil.findText function to build the error message. This function interprets the supplied message, and anything within ${…} is treated as an Object Graph Navigation Library (OGNL) expression and evaluated as such. The attacker can leverage these conditions to execute OGNL expressions that in turn execute system commands.

 

  • Domain Hijacking/Spoofing

 

Domain Hijacking or Domain Spoofing is an attack in which an organization’s web address is taken over by another party. The other party changes the registration of someone else’s domain name without the consent of its legitimate owner. This denies the true owner administrative access. Scammers can then use the legitimate web address for any purpose they choose.

Perl.com Attack: The Perl Foundation announced that the Perl.com domain had been hijacked, warning users to steer clear of Perl.com due to possible connections to sites associated with malware distribution. While work was being done to recover the domain, Perl enthusiasts looking for articles on the programming language were redirected to perldotcom.perl.org, which hosts the content previously present on the hijacked website.

 

  • DNS Amplification Attack

 

A DNS amplification attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker uses the functionality of open DNS resolvers to overload a target server or network with amplified traffic, leaving the host and its surrounding infrastructure unreachable.

AWS DDoS Attack: Distributed denial-of-service (DDoS) attacks are designed to knock a website offline by flooding it with huge amounts of requests until it crashes. Amazon Web Services (AWS) said the attack peaked at 2.3 Tbps. The previous record, set in 2018, was 1.7 Tbps.


  • Third-Party Risk Management

 

Third-Party Risk Management (TPRM) is the process of identifying, analyzing, and controlling all of the many risks that might arise during the lifespan of your partnerships with third parties. TPRM is frequently initiated during the procurement phase and should continue until the offboarding process is completed.

 

Supply chain attacks (SolarWinds): Austin, Texas-based SolarWinds sells software that lets an organization see what’s happening on its computer networks. Hackers inserted malicious code into an update of that software, which is called Orion. Around 18,000 SolarWinds customers installed the tainted update onto their systems.

 

  • VIP Account Attacks

 

VIP attacks are directed at high-profile persons such as business leaders, politicians, and celebrities. Executives are a significant target for hackers in enterprise firms, mainly because they have access to a multitude of information. Politicians are frequently attacked for sociopolitical motives by hacktivists and state operatives. Celebrities, on the other hand, are regularly subjected to egregious intrusions into their private lives for a variety of reasons.

 

Twitter Accounts Hack: The Twitter accounts of business leaders, artists, politicians and popular brands posted messages that instructed users to send bitcoins to an address as part of a cryptocurrency scam. Impacted accounts included those of Elon Musk, Bill Gates, Jeff Bezos, Barack Obama, Joe Biden, Kanye West, Kim Kardashian, Mike Bloomberg, Uber, Apple and even Twitter’s own official support account.

 

  • SMTP Blocklists

An email blocklist is a public list of email senders (usually identified by their IP) which are considered sources of unsolicited bulk messages. Blocklists are used by mail servers to automatically filter out all these sources, actively fighting the volume of unwanted communication.
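Whether your own mail-sending IPs have landed on such a list is a check worth automating, since a listing silently breaks outbound mail. The Python below is an added example (not SOCRadar’s code): it builds the reversed-octet query name that IP-based blocklists use and interprets the 127.0.0.x answer they return for a listed address; the zone names are placeholders and 192.0.2.10 is documentation address space, both constructed for the example.

```python
"""DNS blocklist (DNSBL) check for an organisation's mail-sending IPs (added example, not SOCRadar code)."""
import ipaddress
import socket
from typing import Dict, Iterable

# Placeholder zone names; substitute the blocklists your mail team actually relies on.
BLOCKLIST_ZONES = ["bl.example-dnsbl.net", "dnsbl.example-dnsbl.org"]

def dnsbl_name(ip: str, zone: str) -> str:
    """192.0.2.10 on zone bl.example-dnsbl.net -> 10.2.0.192.bl.example-dnsbl.net (IPv4 only)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 listings only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def listing_code(ip: str, zone: str) -> str:
    """Return the 127.0.0.x answer a blocklist gives for a listed IP, or '' if not listed."""
    try:
        answer = socket.gethostbyname(dnsbl_name(ip, zone))
    except socket.gaierror:  # NXDOMAIN: not listed (or the zone was unreachable)
        return ""
    return answer if answer.startswith("127.0.0.") else ""

def check_senders(ips: Iterable[str], zones: Iterable[str] = BLOCKLIST_ZONES) -> Dict[str, Dict[str, str]]:
    """Map each sending IP to the zones that list it and the answer code each returned."""
    report: Dict[str, Dict[str, str]] = {}
    for ip in ips:
        hits = {zone: code for zone in zones if (code := listing_code(ip, zone))}
        if hits:
            report[ip] = hits
    return report

if __name__ == "__main__":
    # Constructed input: 192.0.2.10 is RFC 5737 documentation space, not a real sender.
    print(check_senders(["192.0.2.10"]))
```

Blocklists encode the reason for a listing in the last octet of the answer, so keeping the raw code in the report lets the mail team look it up against that list’s published meaning.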

 

What are the Best Practices?

 

  1. Use a Cyber Threat Intelligence platform
  2. Harden HTTP Headers
  3. Monitor your cloud accounts
  4. Avoid Hostile Subdomain Takeovers
  5. Patch your VPNs
  6. Monitor your GitHub Accounts
  7. Remove Old Web Pages
  8. Hide your Google Maps API Key
  9. Place Test Environments Behind a VPN
  10. Hide Origin IP Address on DNS Records
  11. Enable NLA (Network Level Authentication) for RDP
  12. Disable Anonymous Logins
  13. Check Access Permissions
  14. Patch Vulnerabilities on Time
  15. Prevent Unauthorized Access to Kubernetes Services
  16. Restrict Access to Servers with Directory Listing Enabled
  17. Avoid Using Telnet & Disable Port 23
  18. Remove PHP Info Pages
  19. Deny Default Access to the Kubernetes API
  20. Limit Port Discoverability
  21. Avoid SAP Login Page Exposure
  22. Block SMB at the Network Boundary
  23. Protect Sensitive Login Panels
  24. Follow the Principle of Least Privilege
  25. Consider Network Segmentation
  26. Avoid Port Mapper Exposure
  27. Secure Access to MongoDB Express
  28. Create and Maintain an IP List
  29. Continuously Monitor your External Attack Surface

 

SOCRadar AttackMapper

 

AttackMapper helps customers gain additional visibility and context regarding the severity of unknown external-facing digital assets in an automated manner. Through SOCRadar’s advanced internet-wide monitoring algorithms, AttackMapper provides security teams with direct visibility into all internet-facing technological assets in use as well as assets attributed to IP, DNS, Domain and cryptographic infrastructure.

 

  • Discover your external-facing digital assets: Maintain an accurate, continuously updated, and complete view of your global attack surface.

 

  • Identify hacker-exposed vulnerability risks: Get alerted when a critical vulnerability is cross-referenced to your exposed software assets.

 

  • Level up your infrastructure monitoring capabilities: Spot threats early by keeping track of your public-facing DNS, Web and SSL infrastructures.



Discover SOCRadar® Community Edition for free

With SOCRadar® Community Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses are tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.


References

[1] Gartner, Gartner Identifies Top Security and Risk Management Trends for 2021.
[2] Verizon, 2021 Data Breach Investigations Report.