
FBI Targeted by Russian Hackers in Latest String of Attacks Against U.S. Government Websites

23 November 2022 at 20:45

ClearanceJobs: 11/18/22

“With the rise in successful cyber attacks against the United States government and its federal agencies, many are right to wonder whether the public sector’s approach to cybersecurity is in need of a serious change.”

The post FBI Targeted by Russian Hackers in Latest String of Attacks Against U.S. Government Websites appeared first on Horizon3.ai.

Cloud security isn’t guaranteed because a provider is well-known, expert says

23 November 2022 at 20:37

SC Media: 11/14/22

Brad Hong, customer success manager at Horizon3ai, said he and his team constantly see huge blast radii in attacks and penetration tests originate from the smallest misconfiguration, or even lack of configuration, allowing attackers to simply log in to public-facing environments.


Russian Software Found in Smartphone App Used by CDC and U.S. Army

14 November 2022 at 20:16

ClearanceJobs: 11/14/22

“After being branded as an American company, the revelation of Pushwoosh being a Russian-originated software firm comes as yet another embarrassment to Apple and Google in the privacy domain,” explained Taylor Ellis, customer threat analyst at Horizon3ai.


Holiday Season Threat Awareness

23 November 2022 at 15:33

As we approach the holiday season, it is important that our customers stay vigilant and continue a regular cadence of autonomous pentests. Although it’s the time of year for holiday cheer, we’ve seen cyber threat actors (CTAs) take advantage of lackadaisical company manning and low staff.

In September 2020 came “the SolarWinds (major software company) hack, one of the biggest cybersecurity breaches of the 21st century.” SolarWinds was considered a highly lucrative target for CTAs based on its privileged access to IT systems. Specifically, the SolarWinds Orion IT monitoring software was targeted, allowing access to hundreds of thousands of organizations around the world, including portions of the US Government. Currently, nearly 30% of Horizon3 customers still use or have used SolarWinds applications in their networks, and two years later 7% are still finding the SolarWinds Orion API Authentication Bypass Vulnerability (CVE-2020-10148) in their pentests.

According to open-source research, below is the SolarWinds hack timeline:

Log4Shell: 2021’s worst holiday gift

Another example of a large-scale holiday season attack is the Log4Shell remote code execution (RCE) vulnerability (CVE-2021-44228), which surfaced right before Christmas in late 2021. On December 9, 2021, this new vulnerability was disclosed in the Apache Log4j open source library, which is used in most Java applications. Due to the proliferation of Log4j in Java, “the number of devices that could potentially be affected by the security vulnerability is approximately 2.5 – 3 billion.” CTAs can exploit a vulnerable application by sending it crafted user input, hoping that the application will log that input; the logged string triggers the flaw and lets them run their own code, gaining persistent access as well as lateral movement. One year later, 64% of Horizon3 customers using NodeZero are still finding the CVE-2021-44228 vulnerability in their environment.

According to open-source research, below is the Apache Log4j timeline:

  • December 9, 2021 – Original vulnerability disclosed and first patch (2.15.0) was made available
  • December 14, 2021 – Second vulnerability disclosed and second patch (2.16.0) was made available
  • December 18, 2021 – Third vulnerability disclosed and third patch (2.17.0) was made available
  • December 28, 2021 – Fourth vulnerability disclosed and fourth patch (2.17.1) was made available

At the end of the day, attackers care greatly that we want to take some time off and enjoy our families, because that is when we are at our weakest. CTAs use these “down times” to take advantage of low staffing and chaos surrounding the holidays to deploy new tactics, techniques, and procedures (TTPs), while also focusing on targets with the biggest bang for the buck.

Remaining vigilant throughout the holiday season will help ensure your systems and networks are secure, which is why adopting an autonomous approach to proactively finding those attack vectors can save your security team its most critical resource: time. Incorporating a regular pentest cadence will get you results quickly, so mitigations and verifications are timely, giving you much needed time to enjoy the holidays!

Albert Martinek is a Customer Threat Analyst with Horizon3.ai.


Higher Education Organization Improves Cybersecurity Posture with NodeZero

16 November 2022 at 20:18

When the director of technology for a higher education organization went looking for a better way to identify and prioritize security weaknesses on the school’s servers and networks, his first interaction with Horizon3.ai and NodeZero started off with an impressive bang.

“I wanted to see proof of concept, and Horizon3.ai solved one of our biggest security holes because of that PoC,” he says. On the first op, NodeZero was able to compromise the domain admin account. Not just one account, in fact, but four, via an LLMNR vulnerability.

“Without a lot of work, we were able to clean that up before we even licensed NodeZero – that was huge,” says their IT director.

Cybersecurity presents a complex challenge for the school, as it is spread out over several campuses and managed remotely. The director of technology is their highest-ranking technology staff member at the organization. The role oversees 400 endpoints within the organization, in addition to securing roughly 600 students on their own VLAN/Subnet during the school year.

NodeZero offers more specificity

Previous pentesting options were helpful, but often left the team chasing down vulnerabilities that turned out to not actually be exploitable.

“Often, it was just informational, and didn’t really affect your security,” he says.

With Horizon3.ai, “One of the things that really struck me was that it isn’t just the tool – and the tool is fantastic – but it’s the people around the tool who are available, in the chat, scheduling meetings. When I was running the PoV (Proof of Value) someone was there.”

He was also sold on NodeZero by its capability to run on demand.

“What sold me on it was seeing it at work and, because we know security is a journey and not a destination, the idea of being able to continuously run scans and pentests is great,” he says.

The team now runs weekly pentests to maintain vigilant cybersecurity on their network, he notes.

Getting the most from your time

Time management and focusing effort is huge in maintaining a strong security posture. Chasing down every lead with equal time and energy isn’t helpful when we know that not every vulnerability is actionable.

“You have critical down to informational severity issues, but I believe a tool a lot more when it says this is a critical misconfiguration we have compromised – oh and by the way, here’s your hashed password,” he says. “When that’s happened, I recognized the first and last character and knew that was the password.”

Context scoring based on critical impacts helps hammer home where to best deploy limited resources to secure the environment.

“It’s the difference between casing a house and saying how I might be able to break in – that window might not be locked, that door doesn’t seem secure. But if you can actually break in, that’s critical. It’s the difference between telling me something might happen versus something did happen.”

Easy fixes but you need to find them first

While the LLMNR vulnerability wasn’t a huge challenge to fix, discovering it was a bit of a shock, the Director of Technology explains – and that’s why regular tests are so helpful. Security is so expansive it’s hard to cover everything.

“We try to work to secure our network, but it’s possible for any organization to miss things or have little holes” in their security, he says. A solution like NodeZero can find those small gaps that leave the organization open to risks so the team can shore them up quickly and easily.

“With stuff like LLMNR, the fix isn’t hard if you have the tools to fix a lot of machines at once,” he says. It’s identifying those risks in the grander picture that is the real struggle. NodeZero helps uncover what you don’t know, he says, and tells you how to fix it so you don’t spend time researching the answer.

“You’re not chasing your tail following a large list of vulnerabilities,” he says. “It cuts down the task of securing your network because you’re starting at the critical, most impactful things. You get a view of things you just aren’t going to have without a pentest.”

Since starting to incorporate NodeZero into their security profile, other features, such as external pentesting, have been released and added to the solution’s usefulness.

“There’s a lot of tools out there that just hand you the tool and you’re on your own,” he says.

“The support, being able to set up a time to answer a question, it’s all been helpful. They work with us as opposed to saying ‘We got ‘em, on to the next account.’”


NodeZero Host Virtual Machine

26 October 2022 at 18:52

The NodeZero Host virtual appliance is a small virtual machine based on a pre-configured Ubuntu 20.04 installation. It’s designed to execute NodeZero pentests and bundles tools that facilitate pentest execution, as well as debugging and maintenance.

Downloads

IMPORTANT: Always verify that the files you download come from Horizon3.
VMWare / VirtualBox importable OVA: download
SHA256: 7e1489f394a3d5d0c3d89916c2b6d5bea8e9df0fbed6cbfd45b8f5c0132cfae1
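The IMPORTANT note above asks you to verify what you download. As an added example (not part of the Horizon3 documentation), the Python routine below streams a file through SHA-256 and compares the result against the digest published above in constant time. The demo writes a constructed stand-in file because the real OVA is not included; only the expected digest comes from the page.

```python
import hashlib
import hmac
import os
import tempfile

# Digest published on the download page for the NodeZero OVA.
EXPECTED_OVA_SHA256 = "7e1489f394a3d5d0c3d89916c2b6d5bea8e9df0fbed6cbfd45b8f5c0132cfae1"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_hex):
    """True only when the file's SHA-256 equals the published digest.

    The comparison is case-insensitive and done with hmac.compare_digest so that
    timing does not leak how many leading characters matched.
    """
    return hmac.compare_digest(sha256_of_file(path).lower(), expected_hex.strip().lower())


def demo():
    """Write a constructed stand-in file and check it against two digests:
    the published OVA digest (must NOT match) and its own digest (must match)."""
    data = b"constructed stand-in for the downloaded OVA; not the real image\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        against_published = verify_download(path, EXPECTED_OVA_SHA256)
        against_own = verify_download(path, hashlib.sha256(data).hexdigest())
    finally:
        os.unlink(path)
    return against_published, against_own


if __name__ == "__main__":
    print(demo())  # (False, True)
```

After downloading, call `verify_download()` with the path of the NodeZero-####.ova file and `EXPECTED_OVA_SHA256`; a `False` result means the image should not be imported. A digest only proves the file matches what the page lists, so fetch both the OVA and the digest from Horizon3 over HTTPS.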

Specs

The NodeZero virtual machine comes pre-configured to use these resources:

  • 2 x CPUs
  • 8GB of RAM
  • 40GB of disk
  • Bridged network adapter

Installation

Installing the virtual machine is a matter of importing the OVA file from the download link above into your virtualization environment. We provide the following set of steps as an example to use with VMWare’s vSphere client or with VirtualBox.

VMWare vSphere

vSphere client is one of VMWare’s virtual environment management solutions. You can find more information on the client itself in VMWare’s documentation.

NOTE: The following steps are for vSphere client version 7.0.3.00500.

After downloading and verifying the most recent NodeZero-####.ova file from the downloads section above, follow these steps to import and launch the NodeZero virtual machine.

  1. Log into your VMWare vSphere client.
  2. Select Deploy OVF Template from the Actions menu.
  3. Select the Local File option.
  4. Click the UPLOAD FILES button to locate the OVA file downloaded in step #1.
  5. Click Next.
  6. Give your VM a name if you want it to be different from the default, and select a location to deploy to.
  7. Click Next.
  8. Select the compute resources you’ll be using.
  9. Click Next.
  10. Verify the import settings are correct and that the signature is from Horizon3.
  11. Click Next.
  12. Select the storage destination.
  13. Click Next.
  14. Select a network to use.
  15. Click Next.
  16. Review your selections.
  17. Click Finish.
  18. To launch the VM, select it from the list on the left and click the Power On button.

VirtualBox

After downloading and verifying the most recent NodeZero-####.ova file from the downloads section above, follow these steps to import and launch the NodeZero virtual machine.

  1. Open VirtualBox.
  2. Click on Tools.
  3. Click on Import.
  4. Enter the location of the OVA file.
  5. Click Continue.
  6. Click Import and wait for it to complete.
  7. Make sure you use a bridged network adapter:
    • Select the newly imported NodeZero virtual machine from the list on the left.
    • Click Settings.
    • Click Network.
    • Check that Attached to: says Bridged Adapter.
    • Check that Name: is the name of the adapter connected to your internal network.
    • Click OK if you had to change anything.
    • NOTE: There are known issues with VirtualBox network bridges over wireless adapters in newer MacOS versions. If you’re experiencing connectivity problems, consider using a wired connection instead.
  8. Select the NodeZero virtual machine from the list on the left.
  9. Launch the VM by clicking Start.

Usage

Connecting

If using vSphere, once you power on the virtual machine, the client interface gives the option of using a web console or a remote console for your first login.

If using VirtualBox, after starting the VM, a new display window appears that shows the operating system load screen.

With either system, once the OS fully loads, you’ll see a login screen showing the VM’s IP address.

Username and First Login

When first launching the NodeZero virtual machine, SSH password access is disabled until you log in and update the default password.

  1. Log in with these credentials:
    • Username: nodezero
    • Password: nodezero
  2. When successful, you’ll see a prompt like the one below:
    You are required to change your password immediately (administrator enforced)
    Changing password for nodezero.
    Current password:
  3. Enter the password from step #1 and hit enter.
  4. Next you’ll see a prompt for New password:, enter a secure password that you’ll use from now on and hit enter.
  5. Next you have to confirm the password Retype new password:, enter the same password from step #4 and hit enter.
  6. You are now logged in with a successful password change. Make sure to keep that password for use in the future.

Once the login process completes, you’ll see an Enabling SSH password authentication message. At this point you can continue working through the vSphere or VirtualBox consoles, but you can also use an SSH client to connect to the IP address shown on the login screen.

Using SSH

To connect over SSH with Linux or MacOS, simply run the command below, replacing IP_ADDRESS with the one shown in the login screen.
$ ssh nodezero@IP_ADDRESS

If you’re using Windows, then you’ll use a client like PuTTY to connect. Simply fill out the Host Name (or IP Address) field with the address shown in the login screen.

Configuration with the n0 command

This virtual machine comes with a simple script that helps adjust basic settings and other maintenance tasks. It’s available under the n0 command, and running it presents you with a menu:

$ n0
1) Check environment
2) System info
3) Configure Static IP
4) Configure network proxy
5) Update
6) Version info

The following sections provide more information on what these options do.

Network configuration

Options #3 and #4 in the n0 command menu allow you to adjust network settings as follows.

Switching between DHCP and Static IP assignment

By default the NodeZero appliance comes with DHCP enabled. But if you need to switch to static addressing, you can use option #3 and follow the prompts to configure a new IP address, subnet, gateway and DNS nameserver.

If you ever need to switch back to DHCP, you can use the same option.

Configure a network proxy

You’re also able to set up a proxy server for HTTP and HTTPS traffic. Simply select option #4 and follow the example in the prompt when entering the URL. Note that you’ll have to log out and back in before this change takes effect.

Checking things are working

Option #1 of the n0 command menu checks that the system is ready to execute a pentest. It verifies we have access to the correct amount of resources and the right commands. It’s the same as running the Host Check Script.

Option #2 provides system information and can serve as a way to check your current settings. You’ll find details on the processors, memory, disk and network configuration.

Running a NodeZero pentest

  1. Log into the Horizon3 web portal.
  2. Schedule a new pentest following your usual process.
  3. Copy and paste the launch / curl command from the portal into the shell of a NodeZero virtual machine.
  4. The pentest starts executing.

Staying up to date

You can use the n0 command menu’s option #5 to perform an OS and tools update.


Penetration tester Horizon3.ai identifies Fortinet exploit source, assists those checking for potential attacks

2 November 2022 at 19:30

SiliconANGLE: 11/02/22

“We want to be able to have a tool that can be used to exploit our customer systems safely to prove that they’re vulnerable, so then they can go and fix it,” said James Horseman (pictured, right), exploit developer at Horizon3.ai.


Russia-Ukraine Conflict Heightens Wariness of Nation-State Attacks as 64% Of Businesses Believe They Have Been Targeted

21 October 2022 at 19:27

CPO Magazine: 10/21/22

Well over half of the respondents not only believe that they have already been targeted by nation-state attacks, but have made changes to their cybersecurity practices due to the Russia-Ukraine conflict.


Verifying Credentialed Access to Your Hybrid Cloud Sprawl Matters More Than Ever

1 November 2022 at 22:03

Over the past few years, the number of assets in our environments has exponentially expanded. This is because of:

  • Cloud adoption and migration
  • Work-from-home options
  • Company growth and expansion

Let’s start with the cloud. Are you there already? Are you moving there? Are you moving back? Why?

Everyone is talking about infrastructure and environments, the cost, the speed – but core to all that incredible capability remains our credentials. The shared security model for our cloud environments is heavily based on credentialed access, which raises the larger question: do you understand the reach (blast radius) in your cloud account if an attacker obtained a credential for a specific user or role?

Why does this matter?

  1. Statistics show companies are accelerating and growing their cloud environments:
    1. REF: https://www.grandviewresearch.com/industry-analysis/cloud-computing-industry
    2. REF: https://www.insiderintelligence.com/content/consistent-growth-cloud-spending-defies-down-economy
  2. Research indicates attacker trends are conducting malware-less attacks and living off the land more and more:
    1. REF: https://www.crowdstrike.com/resources/reports/overwatch-threat-hunting-report/
    2. REF: https://securityintelligence.com/articles/credential-stuffing-attacks-2021/
  3. Autonomous decision-making platforms make this attack vector easier and faster than ever to execute:
    1. REF: https://www.horizon3.ai/

See what we did there?

Background

We’ll start with what is currently the most commonly used cloud service option available, Amazon Web Services (AWS). There are two main types of identities in AWS: users and roles. To authenticate to AWS as a user you must have either:

  • the username and password for that user, or
  • a set of AWS API keys for that user

Roles operate a little differently and are instead assumed by other AWS services, users, or roles. To assume a role, one only needs to know the account ID and the name of the role. As roles are discovered, these roles could be assumed, allowing attackers to pivot and expand their reach within an AWS account.

Even more interesting is that roles in one AWS account can be assumed by users or roles in another AWS account. This may be common if multiple AWS accounts are tied to a single AWS Organization or in some severe cases any other (unrelated) AWS account.

Credentials

NodeZero, our autonomous attacker, has multiple vectors through which it can discover AWS Account IDs and AWS roles needed to use these new capabilities just like a human cyber threat actor.

NodeZero Discovers AWS Account IDs through:

  1. Active or expired AWS keys associated with the account. The user may inject keys when configuring an op, or NodeZero may discover keys during an op.
  2. An AWS account ID specified by the user when configuring an op.
  3. AWS credentials that have permissions to see other accounts linked in the same AWS organization. The user may inject credentials when configuring an op, or NodeZero may discover credentials during an op.

NodeZero discovers AWS roles by:

  1. Using brute force tactics to find valid role names.
  2. With an AWS credential that has permission to list roles in an AWS account.

Now for the fun part: chaining these discoveries together.

Attack Path #1

BLUF: In this environment, the cloud domain had a role in its AWS account which was misconfigured to allow any AWS user or role in any AWS account to assume this role.

Using the AWS account ID, NodeZero first enumerates common roles resulting in the discovery of this particular role. NodeZero then attempts to assume this role using its AWS CloudZero keys. Due to the misconfiguration, the ‘assume role’ request is successful and AWS returns AWS temporary keys. This allows NodeZero to then log in with the now compromised role.

Furthermore, with this credential and role, NodeZero was able to compromise AWS services like Beanstalk and Route 53, which could allow an attacker to spin up additional cloud services and instances (e.g., high-end GPUs for crypto-mining or password cracking) on the company dime.

Attack Path #2

This path is much like the previous one, but instead of a commonly named role, it starts from a credential. NodeZero could have discovered such a credential elsewhere in the environment (even on-prem); here, a credential was injected to verify the blast radius of that particular credential.

Note: This might be the most valuable perspective in securing your cloud, hybrid, and on-prem environments!

NodeZero was injected with a credential we will call ‘assumable-user’ to keep our stories straight. During the pentest operation, NodeZero found a role in the AWS account that could be assumed by assumable-user. NodeZero then attempted to use that credential to list AWS users and roles; however, assumable-user did not have the required permissions. NodeZero then used the injected credential’s AWS keys to discover the AWS account ID. Using the account ID, NodeZero attempted to brute-force common AWS roles.

In this case, NodeZero discovers the Audit role and then attempts to assume this role with the assumable-user credential. The assumable-user successfully assumed the Audit role, and NodeZero surfaced this weakness to the customer.

What’s interesting here is that the role name can be complicated, so users have another opportunity to confound and limit an attacker.

But they often don’t.

Attack Path #3

If a role was given a complicated name, this will drastically limit the ability for an attacker to assume a role, and therefore compromise additional services in an organization’s private cloud. However, this defensive measure can be circumvented when a credential is compromised.

While it is unlikely an attacker, or even NodeZero, would be able to brute force a complex-named role quickly and without drawing attention, if a credential is compromised elsewhere which has access to this AWS account, an attacker can list the roles for that credential in a target account and then easily assume a role now that it knows the name.

The Fix

Horizon3.ai recommends the following steps:

  1. Find your hybrid cloud assets, especially those keys stored in reachable files and misconfigured accounts and credentials, and discover attack paths leading them deeper.
  2. Fix keys, roles, and credentials and the access to critical data each of them has, especially those on your production cloud environments which could impact your business and brand.
  3. Verify your security posture by attacking your hybrid cloud environments, and level up your game by injecting a credential just to see what impact an attacker could levy on your cloud.
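The misconfiguration behind Attack Path #1 (a role whose trust policy lets any principal in any account assume it) and the cross-account trusts that Attack Path #3 relies on are both visible in a role’s trust policy before any attacker needs to probe for them, which is what step 2 of the fix asks you to review. The following Python audit is an added example, not NodeZero’s code or Horizon3’s; the sample trust policies, account IDs and severity labels are constructed for illustration. It flags wildcard principals, flags trusts from accounts outside the home account and an allow-list, and downgrades a cross-account trust that is at least scoped by a Condition.

```python
import json

# Constructed sample role trust policies (not from the post or any customer
# environment). "Audit" mirrors the Attack Path #1 misconfiguration.
SAMPLE_ROLES = {
    "Audit": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
        ],
    },
    "CrossAccountReadOnly": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
             "Action": "sts:AssumeRole"}
        ],
    },
    "PartnerRoleWithExternalId": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
             "Action": "sts:AssumeRole",
             "Condition": {"StringEquals": {"sts:ExternalId": "PLACEHOLDER-EXTERNAL-ID"}}}
        ],
    },
    "AppServerRole": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
             "Action": "sts:AssumeRole"}
        ],
    },
}

HOME_ACCOUNT = "111111111111"  # constructed id of the account being audited


def _as_list(value):
    """IAM accepts a scalar or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def account_of(principal):
    """Account id from an AWS principal ('arn:aws:iam::123456789012:root' or a bare
    account id). '*' is returned unchanged."""
    if principal == "*":
        return "*"
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal


def assess_trust_policy(policy, home_account, trusted_accounts=()):
    """Return (severity, reason) findings for one role's trust policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # Principal "*" and Principal {"AWS": "*"} both mean any principal in any account.
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            acct = account_of(p)
            if acct == "*":
                findings.append(("CRITICAL", "any AWS principal in any account may assume this role"))
            elif acct != home_account and acct not in trusted_accounts:
                if "Condition" in stmt:
                    findings.append(("MEDIUM", f"external account {acct} may assume this role (scoped by a Condition)"))
                else:
                    findings.append(("HIGH", f"external account {acct} may assume this role with no Condition"))
    return findings


def audit_roles(roles, home_account, trusted_accounts=()):
    """Map role name -> findings; an empty list means the trust policy passed."""
    return {name: assess_trust_policy(policy, home_account, trusted_accounts)
            for name, policy in roles.items()}


def roles_from_list_roles_json(text):
    """Parse `aws iam list-roles` output into {RoleName: AssumeRolePolicyDocument}."""
    return {r["RoleName"]: r["AssumeRolePolicyDocument"] for r in json.loads(text)["Roles"]}


if __name__ == "__main__":
    for role, findings in audit_roles(SAMPLE_ROLES, HOME_ACCOUNT).items():
        print(role, findings or "OK")
```

To run it against a real account, feed the output of `aws iam list-roles` to `roles_from_list_roles_json()` and pass the accounts that legitimately belong to your AWS Organization as `trusted_accounts`. A service principal such as `ec2.amazonaws.com` produces no finding, since the post’s concern is users and roles assuming roles; the `Condition` downgrade reflects that an external ID narrows who can assume the role but does not remove the cross-account trust.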


Conclusion

Credentials are the new RCE – even more so now in our sprawling cloud and hybrid environments. By continuously attacking your cloud environment, you can start fighting through the sprawl and attacking back to find, fix, and verify what matters most.


2022 HMG Charlotte IT Executive Summit

27 October 2022 at 21:57

Date: November 10, 2022
Time: 8:00 am – 4:00 pm EST
Location: Charlotte, NC
Partner(s): HMG Strategy; SIM Charlotte

Description: HMG Charlotte is focused on strategic planning at an executive level. At this event, you will learn about insightful approaches to DEI and how to identify impactful technologies.


Black Hat Europe 2022

27 October 2022 at 20:21

Date(s): 12/5/22 – 12/8/22
Time: 10:00 am – 6:00 pm GMT
Location: London, UK
Booth #: 424

Description: Join CEO Snehal Antani for his session ‘Credentials are the new RCE’. Learn how attackers are using OSINT and password spraying to breach organization perimeters without ever needing a CVE – and hear real-world stories of how NodeZero does this at scale.


OpenSSL Critical Vulnerability: Should You Be Spooked?

26 October 2022 at 18:52

On Tuesday, October 25 a new OpenSSL hot-fix release was announced which will patch a critical vulnerability that exists within the v3.0.X branch. OpenSSL 3.0.7 will be released on Tuesday, November 1 and in tandem the details of the vulnerability and its associated CVE will be made public.

OpenSSL is an open source project that provides easy to use cryptographic functions and is used to secure communications around the world. Put plainly, the internet runs on OpenSSL.

This blog will speculate as to the nature of the coming vulnerability and the likelihood of it being weaponizable from an exploit developer’s perspective.

What’s Affected?

Nearly every *nix distribution uses OpenSSL. Thankfully, the lion’s share of OpenSSL usage still resides on the maintained v1 branch of the project, and this vulnerability only affects the v3 branch. We have identified several major Linux distributions on the v3 branch:

  • Ubuntu 22.04
  • CentOS 9
  • Fedora 9

Several distributions and appliances we’ve checked are on the v1 branch and not affected:

  • Amazon Linux AMI
  • vCenter
  • Fortinet FortiGate

To assess what version of OpenSSL is being utilized by your system you can run the following:

openssl version

Other installed applications may bring in their own dependencies outside of the system install locations so a more thorough search should be done for any non-standard services.
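When `openssl version` has to be run across many hosts, the outputs need to be classified consistently: v1 builds carry a letter suffix (1.1.1q), v3 builds do not, and only 3.0.x builds below the announced 3.0.7 fix are in scope. The following Python triage helper is an added example, not Horizon3’s tooling; the sample version strings are constructed and are not captured from the distributions or appliances listed above.

```python
import re

# Constructed sample outputs of `openssl version` (illustrative only).
SAMPLE_OUTPUTS = {
    "host-a": "OpenSSL 3.0.2 15 Mar 2022",
    "host-b": "OpenSSL 1.1.1q  5 Jul 2022",
    "host-c": "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "host-d": "OpenSSL 3.0.7 1 Nov 2022",
}

# Matches "OpenSSL <major>.<minor>.<patch><optional v1 letter suffix>".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
FIXED_IN = (3, 0, 7)  # release announced to close the vulnerability


def parse_openssl_version(output):
    """Return (major, minor, patch, letter) from `openssl version` output.

    The letter is the v1-style suffix such as 'q' in 1.1.1q; it is empty for 3.x.
    """
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised openssl version output: {output!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def in_affected_range(output):
    """True when the build is on the 3.0.x branch and older than the 3.0.7 fix."""
    major, minor, patch, _ = parse_openssl_version(output)
    return (major, minor) == (3, 0) and patch < FIXED_IN[2]


def triage(outputs):
    """Map host -> 'affected' / 'not affected' for a batch of version strings."""
    return {host: ("affected" if in_affected_range(out) else "not affected")
            for host, out in outputs.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_OUTPUTS).items():
        print(f"{host}: {verdict}")
```

Collect each host’s `openssl version` line however you already gather inventory and pass the mapping to `triage()`. As the paragraph above notes, this only covers the system binary; applications that ship their own libssl need to be located and checked separately.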

Open4Sslell… do we have another Log4Shell situation on our hands?

OpenSSL is even more ubiquitous than Log4j, the Java logging library that was affected by the Log4Shell vulnerability (CVE-2021-44228) nearly a year ago. But, as we’ve seen with the recent rash of “named” vulnerabilities like “Spring4Shell” and “Text4Shell”, a critical vulnerability is not always critical.

Log4Shell was easily exploitable in the common configuration and the nature of the vulnerability allowed for attackers to easily execute arbitrary code if run on older Java runtimes.

OpenSSL rates its security issues, and for a critical rating to be issued the vulnerability must affect the common configuration and either lead to private key disclosure or be easily exploited remotely. For an exploit developer, this combination of criteria definitely points to it being a target of interest.

If this upcoming vulnerability is like the last critical OpenSSL vulnerability in 2016, it will be significantly more difficult to weaponize than Log4Shell. The prior CVE-2016-6309 was a Use-After-Free (UAF) vulnerability that was triggered when processing large messages and only affected a single release version. Memory corruption issues like this are not so straightforward and are becoming increasingly difficult to weaponize on modern operating systems. Libraries reside in applications which run on operating systems, and there is a marathon’s worth of hurdles to overcome to truly weaponize a Use-After-Free or similar bug.

Conclusion

While this vulnerability may be easy to trigger, it will probably take serious investment by an organization to weaponize. This investment will take time, and time kills access when it comes to N-days and their patch cycles.

As we all eagerly wake up from our night of trick-or-treating come Tuesday morning, I think we’ll find our industry is abuzz about this new hot vulnerability – and a week later we’ll all move on.

We’ll see.


IANS Information Security Forum

21 October 2022 at 10:00

Date: November 15, 2022
Time: 7:00 am – 6:30 pm ET
Location: Marriott Marquis, New York, NY

Description: The New York Forum is designed for information security practitioners across all industries to dive deep on specific topics, share insights, and network with peers. During this one-day event you will present and interact with Forum attendees.


What’s in store for the technology security landscape, and where does pentesting fit in?

18 October 2022 at 15:26

SiliconANGLE: 10/18/22

As much as companies are adjusting to new economic realities, one area in which they’re refusing to compromise is security. A major reason behind this is the constantly widening threat area, including multiple simultaneous clouds, managed solutions, and distributed workforces and infrastructures, according to Antani.


Horizon3 AI founder discusses MSP and reseller market dynamics in wake of partner program expansion

18 October 2022 at 15:23

SiliconANGLE: 10/18/22

“How do we build a product and a business model that enables those last-mile channel partners to make even more revenue using us to underpin their offerings and services and get them to take advantage of the trust that they’ve built over many hard years and use that trust to not only improve the posture of their customers, but have Horizon3 become a force enabler along the way?” asked Snehal Antani, co-founder and chief executive officer of Horizon3 AI.


Secure Your Fortinet Appliances Across On-Prem, Cloud, and Hybrid Networks at Scale

18 October 2022 at 14:28

Security Boulevard: 10/18/22

While unannounced zero-day vulnerabilities garner a fair bit of fear and attention, one of the greatest risks introduced to business operations are newly announced vulnerabilities, or N-days.


Fortinet Admits Many Devices Still Unprotected Against Exploited Vulnerability

17 October 2022 at 14:26

Security Week: 10/17/22

Fortinet is concerned that many of its customers’ devices are still unprotected against attacks exploiting the recently disclosed zero-day vulnerability and the company has urged them to take action.

Read the entire article here

The post Fortinet Admits Many Devices Still Unprotected Against Exploited Vulnerability appeared first on Horizon3.ai.

Fortinet triple-whammy CVE gets PoC, deep dive explanation

17 October 2022 at 14:23

The Register: 10/17/22

A critical flaw in Fortinet’s FortiOS, FortiProxy and FortiSwitchManager has been patched, but for those of a curious nature security firm Horizon3.ai has released a proof of concept for the exploit, as well as explaining how it works.

Read the entire article here

The post Fortinet triple-whammy CVE gets PoC, deep dive explanation appeared first on Horizon3.ai.

Horizon3.ai’s NodeZero Takes Top Honors in the TMC 2022 Cloud Security Excellence Awards

20 October 2022 at 14:00

Businesswire: 10/20/22

NodeZero was named a winner for its ability to continuously assess an enterprise’s internal and external attack surface, and how it reveals the many ways in which an attacker could leverage harvested credentials, misconfigurations, dangerous product defaults and exploitable vulnerabilities to compromise systems and data.

Read the entire article here

The post Horizon3.ai’s NodeZero Takes Top Honors in the TMC 2022 Cloud Security Excellence Awards appeared first on Horizon3.ai.

The Undeniable Effectiveness of Password Spray

20 October 2022 at 13:59
One of the most effective techniques NodeZero employs for initial access is password spray. It’s a primitive technique, basically guessing passwords, and when it works it feels like magic. Yet we see it work time and time again in various pentests conducted by NodeZero. In this post we’ll talk about what password spray is and walk through how NodeZero weaponizes this technique in internal and external pentests. We’ll then provide practical tips for defenders to guard against this common attack.

Background

In a traditional brute force attack, an attacker targets a single account and tries to repeatedly guess the password for the account until he/she succeeds, or gives up. This type of attack rarely works unless the account happens to have a really weak password.

In a password spray attack, an attacker starts with a list of users and a shortlist of probable weak passwords. The attacker tries (i.e. “sprays”) each password, one at a time, against all users in an attempt to compromise at least one account. Attackers usually limit the rate of their attempts to avoid causing account lockouts. Attackers know that, once they’ve compromised at least one account, they can abuse that account’s access to enumerate deeper and potentially compromise more accounts, assets, and data.

A password spray attack has a much higher chance of success than a traditional brute force attack because it only requires compromising one account out of many possible accounts. In large organizations especially, the odds are high that there are going to be some users with weak passwords who would be susceptible to password spray.

Password spray is tracked as MITRE ATT&CK technique T1110.003. APT-28 (Fancy Bear), APT-29 (Nobelium), and APT-33 (Elfin) are examples of well-known threat actors who have used this technique. But this is not a technique just reserved for nation-state threat actors. Microsoft has estimated in the past that password spray attacks account for nearly one third of account compromises. Many spraying toolkits, such as crackmapexec, are readily available, making password spray a point-and-click operation for any level of attacker.

How NodeZero Weaponizes Password Spray

Username Enumeration

The first step for an attacker executing a password spray attack is compiling a large list of users. The larger the list, the more likely the attack will succeed.

NodeZero uses about a dozen different methods to gather usernames, both internally and externally. These methods include scraping user information from social media and exploiting misconfigurations in commonly used applications such as Jira, Jenkins, ManageEngine ADManager Plus, and WordPress. In internal pentests with older domain controllers, anonymous access over SMB is an especially powerful misconfiguration for attackers because it can lead to directly enumerating all domain users. If NodeZero already has a regular domain user credential in hand, it uses that credential to enumerate other domain users.

These username enumeration misconfigurations are often thought to be medium or low severity issues to fix, but they can be really valuable for attackers when used in conjunction with password spray.

Here’s an example of a weakness raised by NodeZero after exploiting a Jira misconfiguration to enumerate all users:

And the associated proof for the weakness showing the list of users that were scraped:

Password List Generation

With a list of usernames in hand, the next step for an attacker is to come up with passwords to spray. NodeZero generates probable passwords to spray based on commonly known breached passwords, context-specific terms such as the company name or domain name, or a custom dictionary supplied by the user.

Attackers know that most companies have set up a password policy to enforce a minimum password length of 8 characters, password complexity rules (including lowercase, uppercase, digits, and special characters), and periodic rotation of passwords. Password complexity and rotation policies have ironically led users to create more predictable passwords, such as passwords starting with an uppercase letter, ending in 1!, or containing seasons and years. NodeZero optimizes for these cases to maximize the likelihood of success.

In addition to spraying probable weak passwords, NodeZero also attempts to spray any passwords it finds organically during the course of a pentest, just like a real-world attacker would do. These are passwords that may be found through unintended data exposure or exploitation, and they may not necessarily be weak. This form of password spray is used to exploit password reuse across multiple accounts.

Password Spray Execution

In internal pentests, NodeZero conducts password spray against domain controllers in the hope of landing a domain user for initial access. If it already has a domain user in hand, NodeZero will further conduct targeted password spray against privileged domain users in an attempt to compromise the entire domain. In real-world pentests, NodeZero has fully compromised organizations through password spray alone.

Here’s an example of the attack graph generated from a successful password spray of a domain user in an internal pentest. In this case NodeZero scraped users off a ManageEngine ADManager Plus instance and guessed the password for the “santani” user using a password derived from a company name.

NodeZero raised the following weakness with proof of access:

In external pentests, NodeZero conducts password spray against Azure AD in the hope of landing an Azure AD user to access Microsoft365 services or backend Azure services such as the Azure Graph API. NodeZero uses a new public IP address each time it sprays in an effort to evade detection.

Here’s an example of an attack graph NodeZero generates from a successful password spray of an Azure AD user in an external pentest. In this case NodeZero scraped users off an externally accessible Jenkins instance and guessed the password for the “santani” user. NodeZero went on to access the user’s Microsoft365 Outlook mailbox.

NodeZero is designed to be safe to run in production environments. To minimize the possibility of locking out users, NodeZero throttles the rate of password spray to two attempts an hour. In real-world pentests, the time it takes for NodeZero to be successful at password spray can range from less than an hour (a single spray attempt) to several days.

Tips for Defenders

There are two approaches for defense against password spray: one is increasing the level of effort for an attacker to succeed, and the second is putting controls in place in case an attacker does succeed. Both approaches are important. There is a tendency to scrutinize specific users and their passwords, but the reality, especially for large organizations, is that there are always going to be some users who choose predictable passwords that a motivated attacker will be able to compromise.

Increasing Attacker Difficulty

To increase the level of effort for attackers to succeed at password spray, we recommend implementing a password policy that is configured to:
  • Ban certain terms and their variants from appearing in passwords. These terms include dictionary words, known breached passwords and company-specific terms such as the company name. This is important because it makes attackers have to think outside the box to come up with passwords to spray. Consider using Azure AD Password Protection.
  • Do away with password complexity and password rotation policies. For a long time people were advised that password complexity is important and passwords need to be rotated, but this advice has only led to people creating more predictable, easier-to-guess passwords. Our guidance on this is in line with the latest guidance from NIST Special Publication 800-63B.
  • Enforce a minimum password length – we recommend at least 12 characters. This is higher than the NIST-recommended minimum of 8 characters.
  • Set a relatively low account lockout threshold, but not too low. A lower account lockout threshold makes it so attackers have to spend more time conducting the spray. At the same time, if it’s too low, regular users may end up calling the IT helpdesk often after mistyping their passwords, and it’ll also enable attackers to easily perform a denial of service (DoS) attack against the organization. We recommend a threshold between 5 and 10 attempts before lockout.
Additionally:
  • Monitor application and domain controller logs, and set up alerts for login failure events happening across many users within a short window of time.
  • Fix any misconfigurations related to username enumeration, especially ones that yield a full snapshot of all users in the domain. Note that motivated attackers will still be able to compile a list of users, but it’s better to make it harder.
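The monitoring tip above, worked through as an added example (not Horizon3.ai’s code): a sliding-window detector over constructed failed-logon records in a simplified “timestamp, event ID, account, source IP” format, which flags a source that fails against many distinct accounts while ignoring repeated failures against a single account. The log format, IP addresses and account names are constructed for the example; the 6-hour window illustrates that a spray throttled to a couple of attempts an hour, as described earlier in the post, is invisible to a 10-minute window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample failed-logon records (Windows event ID 4625 style):
# "<timestamp> <event_id> <account> <source_ip>". Not real log data.
SAMPLE_LOG = """\
2022-10-20T09:00:01 4625 alice 203.0.113.7
2022-10-20T09:00:03 4625 bob 203.0.113.7
2022-10-20T09:00:05 4625 carol 203.0.113.7
2022-10-20T09:00:07 4625 dave 203.0.113.7
2022-10-20T09:00:09 4625 erin 203.0.113.7
2022-10-20T09:00:11 4625 frank 203.0.113.7
2022-10-20T09:30:00 4625 alice 198.51.100.4
2022-10-20T09:31:00 4625 alice 198.51.100.4
2022-10-20T09:32:00 4625 alice 198.51.100.4
2022-10-20T10:00:00 4625 alice 192.0.2.9
2022-10-20T10:30:00 4625 bob 192.0.2.9
2022-10-20T11:00:00 4625 carol 192.0.2.9
2022-10-20T11:30:00 4625 dave 192.0.2.9
2022-10-20T12:00:00 4625 erin 192.0.2.9
"""

def parse_events(text):
    """Parse the constructed format into sorted (timestamp, account, source) tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, account, source = line.split()
        if event_id == "4625":  # failed logon only
            events.append((datetime.fromisoformat(ts), account, source))
    return sorted(events)

def detect_spray(events, window_minutes=10, min_users=5, by_source=True):
    """Flag sources whose failures cover >= min_users distinct accounts within a
    sliding window. Returns {key: (distinct_accounts, window_start)}. Set
    by_source=False to pool all sources (an attacker rotating IPs evades per-source
    grouping). Many failures against one account (brute force) never trigger."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # key -> deque of (timestamp, account)
    alerts = {}
    for ts, account, source in events:
        key = source if by_source else "all"
        q = recent[key]
        q.append((ts, account))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = {a for _, a in q}
        if len(distinct) >= min_users:
            alerts[key] = (len(distinct), q[0][0])
    return alerts
```

`detect_spray(parse_events(SAMPLE_LOG))` flags only 203.0.113.7; widening to `window_minutes=360` also flags the slow 192.0.2.9 spray, and `by_source=False` catches the same pattern even when the failures come from several addresses.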

Other Controls

Multi-factor authentication (MFA) is a must-have for any externally exposed endpoints. And if there’s an endpoint that doesn’t support MFA, it should not be exposed externally under any circumstances. The advantage of MFA is that, even if an attacker succeeds at password spray, he/she will have another hurdle to get through before fully compromising an account.

For internal networks, MFA won’t help much because there are many lower level endpoints using non-MFA protocols such as SMB, RPC, LDAP, and Kerberos that an attacker can spray against.

We also strongly recommend adhering to the standard principle of least privilege, ensuring all users are provisioned with only the access they need. Security is about defense in depth, and it’s important to minimize the blast radius – a single user being compromised should not instantly cascade into the rest of the organization also being compromised.

Try NodeZero

Finally, to truly get an idea of how well your organization can stand up to a password spray attack, you can run an internal or external pentest with NodeZero. Not only will NodeZero identify whether it was able to successfully execute a password spray attack, you’ll also be able to test your defenses and see what NodeZero is able to do with the credentials it acquires from the attack. Check out the free trial here!

The post The Undeniable Effectiveness of Password Spray appeared first on Horizon3.ai.

Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows

14 October 2022 at 18:27

Dark Reading: 10/14/22

James Horseman, exploit developer at Horizon3.ai says public data from GreyNoise—which tracks Internet scanning activity hitting security tools—shows the number of unique IPs using the exploit has grown from the single digits a few days ago, to over forty as of Oct. 14.

Read the entire article here

The post Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows appeared first on Horizon3.ai.

Attackers Exploiting Critical Fortinet Authentication Bypass

14 October 2022 at 18:26

Decipher: 10/14/22

“An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures. Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work,” James Horseman of Horizon3.ai, an offensive security firm, said in an analysis of the flaw.

Read the entire article here

The post Attackers Exploiting Critical Fortinet Authentication Bypass appeared first on Horizon3.ai.
