This CISA Alert reviews many weak security controls and the techniques and procedures routinely used for initial access. This Alert was co-authored by cybersecurity authorities of the United Kingdom (NCSC-UK), Canada (CCCS), New Zealand (NCSC-NZ), the Netherlands National Cyber Security Center, and the United States (CISA, NSA, and the FBI).
The following techniques (in MITRE ATT&CK format) were commonly used to implement the tactic (MITRE ATT&CK Tactic TA0001) to gain initial access to victim networks:
- Exploit Public-Facing Application [MITRE ATT&CK Technique T1190]
- External Remote Services [MITRE ATT&CK Technique T1133]
- Phishing [MITRE ATT&CK Technique T1566]
- Trusted Relationship [MITRE ATT&CK Technique T1199]
- Valid Accounts [MITRE ATT&CK Technique T1078]
Threat actors are able to exploit many of the following poor configurations, poor security practices, and weak security controls in order to utilize these initial access techniques as described in the Alert:
- Multi-Factor authentication (MFA) is not enforced. MFA, particularly for remote desktop access, can help prevent account takeovers. With Remote Desktop Protocol (RDP) as one of the most common infection vectors for ransomware, MFA is a critical tool in mitigating malicious cyber activity. Do not exclude any user, particularly administrators, from an MFA requirement.
- Incorrectly applied privileges or permissions, and errors within access control lists. These mistakes can prevent the enforcement of access control rules and could allow unauthorized users or system processes to be granted access to objects.
- Software is not up-to-date. Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system. This is one of the most commonly found poor security practices.
- Use of vendor-supplied default configurations or default login usernames and passwords. Many software and hardware products come “out of the box” with overly permissive factory-default configurations intended to make the products user-friendly and reduce the troubleshooting time for customer service. However, leaving these factory default configurations enabled after installation may provide avenues for an attacker to exploit. Network devices are also often pre-configured with default administrator usernames and passwords to simplify setup. These default credentials are not secure—they may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software. Network defenders should also be aware that the same considerations apply for extra software options, which may come with pre-configured default settings.
- Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access. During recent years, malicious threat actors have been observed targeting remote services. Network defenders can reduce the risk of remote service compromise by adding access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity.
- Strong password policies are not implemented. Malicious cyber actors can use a myriad of methods to exploit weak, leaked, or compromised passwords and gain unauthorized access to a victim system. Malicious cyber actors have used this technique in various nefarious acts and prominently in attacks targeting RDP.
- Cloud services are unprotected. Misconfigured cloud services are common targets for cyber actors. Poor configurations can allow for sensitive data theft and even crypto jacking.
- Open ports and misconfigured services are exposed to the internet. This is one of the most common vulnerability findings. Cyber actors use scanning tools to detect open ports and often use them as an initial attack vector. Successful compromise of a service on a host could enable malicious cyber actors to gain initial access and use other tactics and procedures to compromise exposed and vulnerable entities. RDP, Server Message Block (SMB), Telnet, and NetBIOS are high-risk services.
- Failure to detect or block phishing attempts. Cyber actors send emails with malicious macros—primarily in Microsoft Word documents or Excel files—to infect computer systems. Initial infection can occur in a variety of ways, such as when a user opens or clicks a malicious download link, PDF, or macro-enabled Microsoft Word document included in phishing emails.
- Poor endpoint detection and response. Cyber actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices. These techniques can be difficult to detect and protect against.
The Alert reviews many recommended mitigations to include those associated with control access (including the use of a Zero Trust security model), credential hardening, more robust and comprehensive centralized log management, the use of antivirus programs, detection tools (endpoint and intrusion), regular search and assessment of vulnerabilities (penetration testing), and rigorous configuration management programs.
Threat Actors Leverage DNS in the Attack Chain
The song remains the same. Threat actors frequently use DNS to support malware infiltration, command and control, and attack execution. DNS is continually used to set up and execute attack chains. The attack may involve DNS queries when the victim’s system is compromised and infected. DNS is almost always used when an infected system communicates with the command and control (C&C) servers.
The role of core networking services such as DNS in network security are central to network security defense and protection. Advanced, real threat analytics such as those found in BloxOne Threat Defense, focused on DNS services, are critical to identifying and preventing many of these DNS-based attacks.
Threat intelligence is an important part of the defensive mix. Threat intelligence can bring you a very current set of malicious hostnames, domains, IP addresses that you can use such that your DNS servers can then detect and block command and control (C&C) communications to malicious destinations. Advanced techniques such as behavioral analytics and machine learning on real-time DNS queries can rapidly detect and stop zero-day DNS tunneling, DGA, data exfiltration, Fast Flux, lookalike domains, and more. Infoblox DDI (DNS, DHCP, IPAM database) data has valuable information about device activity and actionable network context (like what type of device it is, where it is in the network, who it is assigned to, lease history). This information can be used for essential visibility into ongoing attacks and for remediation strategy.
Visibility is also key. BloxOne Threat Defense leverages DDI (DNS, DHCP, IPAM database) to provide pervasive asset visibility and awareness. BloxOne Threat Defense does this by using additional contextual info on a compromised system such as location in the network, type of device and an audit trail of all activity from that system. This helps administrators quickly identify systems that are attempting to reach suspicious and potentially malicious destinations and take quick action to mitigate those threats.
The integration of data with SIEM and SOAR infrastructure can provide significant reductions in time for the detection of threats and the automation of incident response. When Infoblox detects something malicious, a new device, or virtual workload on the network, it automatically shares that event information and context with existing security infrastructures like endpoint EDR, SIEM, SOAR, and other solutions. This data can trigger the security tools to prevent access to the network or scan for vulnerabilities until it is deemed compliant with policy.
For more information on BloxOne Threat Defense: https://www.infoblox.com/products/bloxone-threat-defense/.
The full text of CISA Alert AA22-137A can be found here.
To know more, please reach out to us directly via email@example.com.
Russia’s invasion of Ukraine could impact organizations both within and beyond the region, to include malicious cyber activity against the U.S. homeland, including as a response to the unprecedented economic costs imposed on Russia by the U.S. and our allies and partners. Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks. Every organization—large and small—must be prepared to respond to disruptive cyber incidents. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks. When cyber incidents are reported quickly, we can use this information to render assistance and as a warning to prevent other organizations and entities from falling victim to a similar attack.
Organizations should report anomalous cyber activity and/or cyber incidents 24/7 to firstname.lastname@example.org or (888) 282-0870.