Practical steps to help mitigate the risk of Zero-Day vulnerabilities. A presentation delivered to the College IT Conference 2024.
As a presentation on YouTube: https://youtu.be/0VlDxDBj6GE
By James Preston of ANSecurity.
Personal blog at myworldofit.net.
- Understand the common elements in some recent Zero-Day vulnerabilities.
- Be familiar with 5 methods to help prevent attacks that start with a Zero-Day exploit.
- Be able to take some immediate steps to help reduce the risk of impact from Zero-Day vulnerabilities.
- A vulnerability (perhaps under exploitation) in a system that is unknown to its owners, developers, or anyone capable of at least mitigating it, if not fully remediating it.
- Once made public, the extra scrutiny of such a system normally leads to more vulnerability discoveries.
- Multiple known and Zero-Day vulnerabilities are often chained together to perform an attack.
- Rarely the biggest actual issue to worry about (looking at those who haven't set up MFA for everything yet!) but they do make great headlines.
https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228
- 'JNDI lookup can be exploited to execute arbitrary code loaded from an LDAP server'
- Existed unnoticed since 2013.
- Privately disclosed.
- Widely used, not always easy to determine if in use on 'appliances'.
- Simple to exploit, led to trivial remote code execution.
https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
- 'Our immediate advice is to upgrade your PaperCut Application Servers to one of the fixed versions listed below if you haven't already.'
- Reported to PaperCut by Trend Micro as already under exploitation.
- Commonly Internet accessible.
- Unauthenticated attacker could perform remote code execution on a PaperCut application server.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
- 'If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.'
- Under active exploitation at time of discovery.
- Some researchers are now attributing to Chinese state actors.
- Following discovery, the threat actors started using alternative exploits.
- Threat actors bypassed authentication and delivered web shells to the appliance.
- Evidence of credential capture.
- https://www.shodan.io
- https://www.shodan.io/search?query=ip%3A129.67.0.0%2F16%2C163.1.0.0%2F16
- https://account.shodan.io/billing - go grab a one-time 'member' tier
2023 Data Breach Investigations Report
- Using breached credentials is by far the most common method of access into an organisation.
- But exploiting a vulnerability (zero-day or otherwise) still makes the top 3.
- Hide
- Not the best option but it will buy you time.
- Does your service appear on Shodan.io listed as that service?
- Block access from and to known malicious
- It's already known to be malicious - why wouldn't you block it?
- Restrict opportunities for execution
- Block file transfer, sandbox, block unrecognised file execution.
- Strictly control network traffic
- Why is that server reaching out to threatactor420.com?
- Limit the overall impact/scope
- Ok, you've been compromised, let's prevent lateral movement.
- Casual.
- Does not take much to stop.
- Determined - low skill.
- Hiding probably won't work.
- Determined - high skill.
- Realistic probability that they will have access to an exploit before you've patched.
- Nation State/Advanced persistent threat.
- Highly likely that they will have access to an exploit before you've patched.
- Limit the scope of inbound connections.
- By country (either deny known bad or permit only countries with a legitimate reason to access).
- By IP address block.
- Just JANET - https://bgpview.io/asn/786#prefixes-v4.
- Just Oxford/Cambridge - https://help.it.ox.ac.uk/ip-addresses or https://help.uis.cam.ac.uk/service/network-services/ip/cam-ip-ranges.
- Specific IPs or specific ranges.
- Port knocking.
- Palo Alto Networks NGFW - https://live.paloaltonetworks.com/t5/community-blogs/knock-knock-who-s-there/ba-p/417975.
- Where possible publish a VPN or VPN web portal to present services.
- Block inbound connections from 'unfriendly' countries.
Do you really need to allow inbound connections to your student meals booking system from Afghanistan?
- Use the blocklists from your firewall vendor.
- https://iplists.firehol.org/?ipset=firehol_level1 - really powerful and highly trustworthy.
- Watch out for the RFC1918 addresses that are included!
- Start and maintain information sharing partnerships.
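An added example (not from the talk) of the RFC1918 caveat above: a Python routine that parses a FireHOL-style netset and sets aside the RFC1918, loopback and link-local entries before the rest is pushed to a firewall. The feed text is constructed, and the function and constant names are mine.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in the FireHOL netset text format ('#' comment lines,
# then one IPv4 address or CIDR per line). Not the real firehol_level1 feed,
# but like the real feed it mixes RFC1918/bogon ranges with attacker networks
# (documentation ranges stand in for the attacker networks here).
SAMPLE_NETSET = """\
# firehol_level1 (constructed sample)
0.0.0.0/8
10.0.0.0/8
192.0.2.0/24
127.0.0.0/8
172.16.0.0/12
198.51.100.7
192.168.0.0/16
203.0.113.128/25
"""

# Ranges that must never be installed as "known malicious" on a firewall that
# also sees internal traffic: the three RFC1918 blocks, plus loopback and
# link-local, which the feed lists as bogons.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

def parse_netset(text: str) -> List[ipaddress.IPv4Network]:
    """Parse netset text into networks, ignoring comments and blank lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def blocklist_for_firewall(text: str) -> Tuple[List[str], List[str]]:
    """Split a feed into (safe_to_block, skipped_internal) CIDR strings.
    Entries overlapping an internal range are skipped so that importing the
    feed cannot black-hole the institution's own subnets."""
    safe, skipped = [], []
    for net in parse_netset(text):
        if any(net.overlaps(r) for r in INTERNAL_RANGES):
            skipped.append(str(net))
        else:
            safe.append(str(net))
    return safe, skipped

if __name__ == "__main__":
    print(blocklist_for_firewall(SAMPLE_NETSET))
```

Review the skipped list once before the first import; anything left in the safe list is what the edge firewall actually receives.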
- Outbound URL filtering with deny access to known malicious categories.
- Command and Control, Hacking, Malware, Newly Registered Domains, Parked, Phishing, Unclassified/Unknown.
- Alert on attempts to access something malicious (even if just once a day).
- Install anti-malware everywhere!
- Yes, on Linux as well.
- Establish a baseline of what is permitted.
- File hashes, file publishers, signed scripts, avoid filenames.
- Prevent the execution of everything else.
- Alert on attempts to execute something new (even if just once a day).
Resources:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview
- https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/ServerProtection/ServerConfigureLockdown/index.html
- https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/ServerProtection/ServerConfigureLinuxRTD/index.html
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/Sysinternals/SysmonForLinux
For when you can't:
- Look for integrity checkers.
- Often run on boot-up on modern operating systems.
- Consider which systems might not have a regular reboot.
- Run at times of high risk, before performing system upgrades, and consider running at regular intervals.
- Based on
- IP Address
- Domain
- URL
- Application
- Protocol/Port
- Where possible also
- User
- Device health
- Without performing decryption (where possible) you simply don't have visibility into what's coming into and leaving your services.
- Decryption works with TLS 1.3.
- Inbound decryption works with practically everything you are likely to deploy.
- Outbound decryption works on Linux and even some 'appliances'.
- Grants anti-malware protections to machines that don't or can't have an agent installed.
https://ubuntu.com/server/docs/security-trust-store
So let's download some web shells!
"Deny by default" egress traffic restrictions are a best practice to follow for any servers, not just those running impacted versions of Log4j instances.
https://www.mandiant.com/resources/blog/log4shell-recommendations
- DMZs! Why did they ever go away?
- Make use of client firewalls.
- Deny access to management interfaces on the local subnet.
- Permit management access from jump stations in a dedicated bastion network.
- Bonus points - wrap network level access into that bastion network up in MFA!
- User based policy.
- Internal IDS/IPS - same level of strictness as inbound.
- Normally internal is more lax.
- https://www.youtube.com/watch?v=InPiE0EOArs - Amazing video on configuring the Windows firewall
- Can't install AV/EDR/UEBA agents.
- No access to underlying Operating System detailed logging.
- Although you can import CAs (for decryption) they are not supported for outbound connections.
- A threat actor's dream with lots of CPU and RAM to play with.
Download the URL logs, use a PivotTable within Excel (or even better some PowerShell) to process them and produce a list of previously seen URLs.
Build out an allowed URL list, create policy to permit access to those addresses and block all others.
Perfect for blocking an outbound connection to a threat actor's C2 service.
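An added example, not from the talk, of the review step in Python rather than Excel or PowerShell: it reads a constructed URL log export (the column names are assumed, not any vendor's schema), drops rows in the deny-list categories named earlier, and builds an exact-match egress allow list that denies anything not previously seen.

```python
import csv
import io
from collections import Counter
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed URL-filtering log export. Column names are assumed for the
# example and are not a real vendor export schema; destination IPs are
# documentation addresses. The last row is the kind of beacon we never want.
SAMPLE_URL_LOG = """\
time,source,destination,url,category
2024-03-01 09:00:01,10.20.0.15,203.0.113.10,http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease,computer-and-internet-info
2024-03-01 09:00:07,10.20.0.15,203.0.113.11,http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease,computer-and-internet-info
2024-03-01 09:05:12,10.20.0.15,203.0.113.12,https://api.snapcraft.io/v2/snaps/refresh,computer-and-internet-info
2024-03-02 09:00:03,10.20.0.15,203.0.113.10,http://ARCHIVE.ubuntu.com/ubuntu/dists/jammy-updates/InRelease,computer-and-internet-info
2024-03-02 03:14:59,10.20.0.15,203.0.113.66,http://threatactor420.com/c2/beacon.php,unknown
"""

# Categories from the talk that must never be baked into an allow list
# just because a host was "previously seen".
DENY_CATEGORIES = {
    "command-and-control", "hacking", "malware", "newly-registered-domain",
    "parked", "phishing", "unclassified", "unknown",
}

def hosts_seen(log_text: str) -> Dict[str, int]:
    """Count hits per hostname, skipping rows in a deny category."""
    counts: Counter = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["category"].strip().lower() in DENY_CATEGORIES:
            continue
        host = urlsplit(row["url"]).hostname  # urlsplit lower-cases the host
        if host:
            counts[host] += 1
    return dict(counts)

def build_allow_list(log_text: str, min_hits: int = 1) -> List[str]:
    """Hosts worth permitting: seen at least min_hits times in clean traffic."""
    return sorted(h for h, n in hosts_seen(log_text).items() if n >= min_hits)

def egress_permitted(url: str, allow_list: List[str]) -> bool:
    """Deny-by-default check: exact hostname match only, no wildcards."""
    host = urlsplit(url).hostname
    return host is not None and host in set(allow_list)

if __name__ == "__main__":
    allowed = build_allow_list(SAMPLE_URL_LOG)
    print(allowed)
    print(egress_permitted("http://threatactor420.com/c2/beacon.php", allowed))
```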
Inbound decryption to the appliance from all networks (external and internal) allows the firewall full visibility into what's being uploaded.
So let's upload a web shell!
As the firewall sees the file pass through, it identifies it as spyware and is positioned to block the connection while also alerting the administrator.
- You can install agents, certificate authorities, pretty much anything on them!
- Full access to the underlying operating system.
- May give the threat actor more room to move.
- Block known malicious IP addresses.
- Permit broad (not country restricted) inbound access to the main institution website.
- A series of geo-blocks.
- Permit all other inbound access to additional websites.
- Geo-allow rule for VPN service.
- Consider having a form or similar which staff can submit travel plans to for allowing broader inbound access when needed.
- A rule to drop all other inbound traffic.
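As an added example, not from the talk, the inbound rule order above (and the earlier country and IP-block restrictions) as a first-match evaluator in Python; GEOIP, KNOWN_BAD, the geo-block country list and the service names are constructed stand-ins for the firewall's GeoIP database, blocklist feed and published services.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed stand-ins for the firewall's GeoIP lookup and for a vendor or
# FireHOL blocklist. All addresses are documentation ranges.
GEOIP = {"198.51.100.10": "GB", "203.0.113.5": "AF",
         "192.0.2.77": "BR", "203.0.113.200": "US"}
KNOWN_BAD = {"203.0.113.200"}

@dataclass
class Rule:
    name: str
    action: str                           # "allow" or "drop"
    service: Optional[str] = None         # None matches any published service
    countries: Optional[Set[str]] = None  # None matches any source country
    from_blocklist: bool = False          # True matches only KNOWN_BAD sources

# The inbound rule order from the talk, top to bottom, first match wins.
POLICY = [
    Rule("block known malicious", "drop", from_blocklist=True),
    Rule("main website (any country)", "allow", service="www-main"),
    Rule("geo-block", "drop", countries={"AF"}),  # assumed list; extend per local risk assessment
    Rule("other websites", "allow", service="www-other"),
    Rule("vpn geo-allow", "allow", service="vpn", countries={"GB", "IE"}),
    Rule("default drop", "drop"),
]

def matches(rule: Rule, src: str, service: str) -> bool:
    """True when every constraint the rule sets agrees with the connection."""
    if rule.from_blocklist and src not in KNOWN_BAD:
        return False
    if rule.service is not None and rule.service != service:
        return False
    if rule.countries is not None and GEOIP.get(src) not in rule.countries:
        return False
    return True

def evaluate(src: str, service: str) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule."""
    for rule in POLICY:
        if matches(rule, src, service):
            return rule.action, rule.name
    return "drop", "implicit deny"  # unreachable while the default drop exists

if __name__ == "__main__":
    for src, svc in [("198.51.100.10", "vpn"), ("192.0.2.77", "vpn"),
                     ("203.0.113.5", "www-main"), ("203.0.113.5", "www-other")]:
        print(src, svc, "->", evaluate(src, svc))
```

Note the consequences of the ordering: a VPN attempt from a country that is neither geo-blocked nor geo-allowed falls through to the default drop, while the main website stays reachable from a geo-blocked country because its permit sits above the geo-block.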
- Don't let that small foothold spread.
- Detect brute force attacks.
- Detect further exploit attempts.
- All of these would be very noisy indicators that something is going wrong.
Our firewall policy permits access on all applications and ports to our web server.
So why is my SSH connection not going through?
Ah! A network level authentication profile.
Let's try something that can pop an authentication prompt. That's better!
MFA prompt time!
Prompt finished, and now into the services as expected.
- Consider how widely accessible your services need to be, consider geo-blocking and geo-allowing.
- Leverage trustworthy block lists, see how many hits you are getting.
- Install your anti-malware agents on all your servers - including Linux.
- Restrict outbound and internal traffic from services that permit inbound connections from the Internet to the minimum required for their function.
- Consider inbound/internal decryption to get the best value out of existing investments.