
CVE-2023-27997: Fortinet Patches Critical RCE Flaw in Fortigate SSL-VPN Devices

Fortinet has patched a critical security flaw, tracked as CVE-2023-27997, in its SSL VPN devices that could be used by a threat actor to achieve remote code execution without authentication. By sending a carefully crafted request to the SSL VPN, an attacker can exploit this vulnerability and execute arbitrary code on the compromised system even when MFA is enabled. The flaw affects every Fortigate SSL VPN appliance, and the issue has been patched in versions 6.2.15, 6.4.13, 7.0.12, and 7.2.5. Further details about the vulnerability have been withheld.

Fortinet devices are commonly targeted by threat actors because they are among the most popular firewall and VPN devices in the market. SSL-VPN flaws have historically been exploited just days after patches were released. According to a Shodan search, over 255,000 Fortigate firewalls can be reached from the Internet. Since the vulnerability affects all previous versions, the majority of those devices are likely exposed.

How to Patch a Vulnerable Fortinet Fortigate Product

Visit the Fortinet Support site frequently and apply newly released patches to keep your Fortigate VPN secure. To update your device:

  • Check the firmware version: Check the “System Information” section of your device’s dashboard to see the current firmware version.
  • Find the latest firmware: Go to the “Download” section after logging into the support site. In the product list, look for Fortigate VPN and select your Fortigate model. To view all available updates, click “Firmware Images.” Look for and download the patch addressing CVE-2023-27997.
  • Apply the patch: On the Fortinet Fortigate VPN dashboard, navigate to System > Firmware > Update > Upload File, then select the downloaded patch file. After the update, make sure to test your VPN. Check that all functions are operational and the device is stable.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

  • As always, if we detect activity related to these exploits, we will alert you if warranted.
  • Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.

Mitigation

Users are strongly urged to apply the security updates released by Fortinet before the Proof of Concept is released publicly.

Resources & Related Articles


CVE-2023-34362: MOVEit Transfer Zero-Day Vulnerability Actively Being Exploited

June 15th, 2023 Update: Progress has released patches for the newly discovered vulnerability tracked as CVE-2023-35708.

June 9th, 2023 Update: Additional vulnerabilities have been discovered that could potentially be used by a bad actor to stage an exploit. All MOVEit Transfer customers must apply the new patch, released on June 9, 2023. Details on steps to take can be found in the following knowledge base article.

All MOVEit Cloud customers, please see the MOVEit Cloud Knowledge Base Article for more information.

Threat actors are actively exploiting a zero-day vulnerability in the Progress MOVEit Transfer file transfer software. MOVEit, developed by Ipswitch (a Progress company), is a managed file transfer product that encrypts files and uses secure file transfer protocols to move data, with automation, analytics, and failover options.

Technical Details 

Tracked as CVE-2023-34362, the vulnerability is a severe SQL injection flaw that enables unauthenticated remote attackers to gain access to the application database and execute arbitrary code. According to the company, depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements. Exploitation of unpatched systems can occur via HTTP or HTTPS.  

The observed exploitation is a webshell disguised with filenames such as “human2.aspx” and “human2.aspx.lnk” in an attempt to masquerade as a legitimate component of the MOVEit Transfer service named human.aspx. On compromised systems, human2.aspx is located in the wwwroot folder of the MOVEit install folder. The webshell allows an attacker to obtain a list of all folders, files, and users within MOVEit. In addition, it can download any file within MOVEit and insert an administrative backdoor user into MOVEit, which gives the attacker an active session and bypasses normal credential checks.

The webshell’s access is protected by a password, so attempts to connect to the webshell without the proper password result in the malicious code returning a 404 Not Found error. Automated exploitation is strongly indicated, since the same webshell name was observed in multiple customer environments. Initial compromise may lead to ransomware deployment, as file transfer solutions have been popular targets for attackers, including ransomware threat actors. Currently, there is no public proof-of-concept (PoC) for CVE-2023-34362.

The vulnerability affects Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). All versions (e.g., 2020.0 and 2019.x) before the five explicitly mentioned versions are affected, including older unsupported versions.

Attribution 

Microsoft has attributed attacks to an affiliate of Clop ransomware under the name of “Lace Tempest” (aka TA505 and FIN11). In recent reports, the Clop Ransomware Gang confirmed that they are behind the MOVEit Transfer data-theft attacks. A Clop representative additionally confirmed that they started exploiting the vulnerability on May 27th, during the long US Memorial Day holiday. This is a common tactic for the Clop ransomware operation, which has performed large-scale exploitation attacks during holidays when staff is at a minimum. Clop did not share how many organizations were breached in the MOVEit Transfer attacks, but stated that victims would be displayed on their data leak site if a ransom was not paid. For organizations affected by the MOVEit Transfer data theft, Clop is now taking a different approach: telling impacted organizations to contact them if they wish to negotiate a ransom.

SecurIT360 SOC Managed Services    

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:   

MDR Services   

  • We utilize several threat feeds that are updated daily.
  • In addition to our automatic threat feeds, we have added known indicators of compromise related to this threat into our MDR solution, FortiSIEM.  

EDR Services   

  • In addition to ongoing vendor IoC updates, we have added known indicators of compromise related to this threat into our EDR solutions to help with detection.   

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything. 

Indicators are provided in the Indicators of Compromise section below for your reference.  

As always, if we detect activity related to these exploits, we will alert you when applicable.   

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.    

Affected Versions 

The vulnerability affects Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). 

Non-susceptible Products in MOVEit Transfer 

The following products are not affected: MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely. Currently, no action is necessary for the above-mentioned products.

Recommendations & Mitigation 

Progress has released immediate mitigation measures to help prevent the exploitation of this vulnerability. 

  • Update MOVEit Transfer to one of these patched versions:
    • MOVEit Transfer 2023.0.1
    • MOVEit Transfer 2022.1.5
    • MOVEit Transfer 2022.0.4
    • MOVEit Transfer 2021.1.4
    • MOVEit Transfer 2021.0.6
  • If updating with the above patch is not feasible for your organization, their suggested mitigation is to disable HTTP(S) traffic to MOVEit Transfer by adding firewall deny rules for ports 80 and 443. Note: this will essentially take your MOVEit Transfer application out of service.
  • If the human2.aspx file or any suspicious .cmdline script is found, it should be deleted. Any newly created or unknown file in the MOVEit folder should be closely analyzed; in addition, .cmdline files in any temporary folder of Windows should be examined.
  • Any unauthorized user account should be removed.
  • View the full recommendations here:

MOVEit Best Practices Guide 
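A read-only triage script for a MOVEit Transfer host that looks for the filesystem artifacts named above (the human2.aspx webshell and shortcut in wwwroot, recently written files in the install folder, and .cmdline scripts in Windows temp folders). This is an added example, not code from the advisory or from Progress; the default install path is an assumption, and the start date is the May 27th exploitation date given above.

```powershell
# Added example (not from the advisory or Progress). $MoveitRoot is an assumed default install
# folder; point it at your deployment. $Since defaults to the first observed exploitation date.
param(
    [string]$MoveitRoot = 'C:\MOVEitTransfer',
    [datetime]$Since = (Get-Date '2023-05-27')
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Path, [datetime]$Time) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; LastWrite = $Time })
}

# 1. The webshell names observed in the wild; the legitimate component is human.aspx.
$wwwroot = Join-Path $MoveitRoot 'wwwroot'
foreach ($name in 'human2.aspx', 'human2.aspx.lnk') {
    $p = Join-Path $wwwroot $name
    if (Test-Path -LiteralPath $p) {
        Add-Finding 'Known webshell name' $p (Get-Item -LiteralPath $p).LastWriteTime
    }
}

# 2. Anything under the install folder created or modified since exploitation began.
#    Review every hit against what your patching and normal operation should have touched.
if (Test-Path -LiteralPath $MoveitRoot) {
    Get-ChildItem -LiteralPath $MoveitRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        ForEach-Object { Add-Finding 'Recently written file in MOVEit folder' $_.FullName $_.LastWriteTime }
}

# 3. .cmdline scripts in the Windows temp locations. $env:TEMP is the current user's temp folder;
#    also check the temp folder of the account the MOVEit service runs as.
$tempDirs = @("$env:SystemRoot\Temp", $env:TEMP) | Select-Object -Unique
foreach ($dir in $tempDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -File -Filter '*.cmdline' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'cmdline script in temp folder' $_.FullName $_.LastWriteTime }
}

# Unauthorized MOVEit user accounts live in the application database, not in Windows, so they
# must be reviewed in the MOVEit admin console alongside these filesystem results.
$findings | Sort-Object Kind, LastWrite | Format-Table -AutoSize
```

An empty table is not a clean bill of health: if the service account's temp folder or a non-default install path was not covered, rerun with those paths.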

MITRE Summary

Initial Access

  • Exploit Public-Facing Application (T1190): CL0P ransomware group exploited the zero-day vulnerability CVE-2023-34362 affecting MOVEit Transfer software; the attack begins with a SQL injection to infiltrate the MOVEit Transfer web application.
  • Phishing (T1566): CL0P actors send a large volume of spear-phishing emails to employees of an organization to gain initial access.

Execution

  • Command and Scripting Interpreter: PowerShell (T1059.001): CL0P actors use SDBot as a backdoor to enable other commands and functions to be executed on the compromised computer.
  • Command and Scripting Interpreter: Windows Command Shell (T1059.003): CL0P actors use TinyMet, a small open-source Meterpreter stager, to establish a reverse shell to their C2 server.
  • Shared Modules (T1129): CL0P actors use Truebot to download additional modules.

Persistence

  • Server Software Component: Web Shell (T1505.003): DEWMODE is a web shell designed to interact with a MySQL database and is used to exfiltrate data from the compromised network.
  • Event Triggered Execution: Application Shimming (T1546.011): CL0P actors use SDBot malware for application shimming for persistence and to avoid detection.

Privilege Escalation

  • Exploitation for Privilege Escalation (T1068): CL0P actors gained access to MOVEit Transfer databases prior to escalating privileges within the compromised network.

Defense Evasion

  • Process Injection (T1055): CL0P actors use Truebot to load shellcode.
  • Indicator Removal (T1070): CL0P actors delete traces of Truebot malware after it is used.
  • Hijack Execution Flow: DLL Side-Loading (T1574.002): CL0P actors use Truebot to side-load DLLs.

Discovery

  • Remote System Discovery (T1018): CL0P actors use Cobalt Strike to expand network access after gaining access to the Active Directory (AD) servers.

Lateral Movement

  • Remote Services: SMB/Windows Admin Shares (T1021.002): CL0P actors have been observed attempting to compromise the AD server using Server Message Block (SMB) vulnerabilities with follow-on Cobalt Strike activity.
  • Remote Service Session Hijacking: RDP Hijacking (T1563.002): CL0P ransomware actors have been observed using Remote Desktop Protocol (RDP) to interact with compromised systems after initial access.

Collection

  • Screen Capture (T1113): CL0P actors use Truebot to take screenshots in an effort to collect sensitive data.

Command and Control

  • Application Layer Protocol (T1071): CL0P actors use the FlawedAmmyy remote access trojan (RAT) to communicate with the command and control (C2) server.
  • Ingress Tool Transfer (T1105): CL0P actors are assessed to use the FlawedAmmyy RAT to download additional malware components. CL0P actors also use SDBot to drop copies of itself on removable drives and network shares.

Exfiltration

  • Exfiltration Over C2 Channel (T1041): CL0P actors exfiltrate data over C2 channels.

Indicators of Compromise

Resources & Related Articles 


Securing Windows: Common Misconfigurations That Give Attackers The Advantage

Introduction

In the ever-evolving landscape of cybersecurity, securing your Windows environment is paramount to safeguarding your organization and data. However, even with its built-in security features, Windows can fall victim to common misconfigurations that leave it susceptible to exploitation by determined attackers. In this article, we delve into some of the most common misconfigurations that threaten the security of your Windows systems. From non-unique passwords to inadequate endpoint protection and unrestricted PowerShell, we’ll shed light on the vulnerabilities that cybercriminals exploit to gain unauthorized access, elevate their privileges, move laterally, and take over entire networks.

Common Misconfigurations

To ensure Windows systems are hardened against attacks, it is crucial to be aware of the common misconfigurations that can inadvertently expose your environment to potential threats. In this section, we will explore the top misconfigurations that can compromise your system’s integrity and provide an open invitation to threat actors. Each misconfiguration represents a potential point of exploitation. By understanding these misconfigurations and taking proactive steps to address them, you can fortify your Windows security posture and thwart the advances of malicious adversaries. Let’s dive in and unravel these vulnerabilities to strengthen our defenses and ensure the safety of our organizations and data.

1. Non-Unique Local Admin Passwords


Using non-unique local admin passwords makes it easier for threat actors to gain unauthorized access and move laterally in your environment.

Using the same password for all the local admin accounts in the environment is a serious risk because of how easy it can be for threat actors to obtain the password and/or the password hash. The risk here is that if a threat actor is able to obtain the password (or even the password hash!), they can then use that to pivot to other machines in the network that are also using the same account and password. This can result in devastating effects, because if a threat actor compromises Sally in Accounting’s PC, obtains the password, and then uses that to pivot to the Accounting database server where all the PCI data is stored, now you have a very serious security incident on your hands.

  • Mitigation: The good news is that you can completely eliminate this risk by making all local administrative accounts have a unique password. What’s even better is you can do this for FREE with Windows LAPS. LAPS is really great, easy to implement, and is a great control if you currently don’t have anything similar in place. You can read more about that here: Windows LAPS overview

2. Lack of Patching 3rd Party Software


Neglecting to promptly apply patches and updates to third-party software exposes your system to vulnerabilities that threat actors can exploit. These vulnerabilities are commonly used to execute arbitrary, malicious code that can allow a threat actor an initial foothold or elevate their privileges in your environment.

Third-party software is ripe for attack because threat actors realize it’s harder to patch than Microsoft Windows systems themselves. There’s more manual effort and additional tools required to ensure these software applications are kept up to date. A common example is when programs such as Adobe Reader are installed. Adobe can be configured to update automatically, but this can often be overlooked. This results in Adobe Reader (which is commonly exploited) going unpatched for months or years at a time.

  • Mitigation: The best way to mitigate this risk is to first develop an inventory of the software in your environment. Keep that inventory up to date, then implement a process to check that software for updates. Sometimes this is a manual effort, however, there are commercial tools that can be used to update these software applications. I don’t want to recommend commercial solutions in this blog post, but if you do a Google search for: “3rd party patch management software” you will find unlimited results. Do some research, demo the products, pick one, and get to patching.

3. Poor Firewall Configuration


Improperly configured firewalls create security gaps that allow unauthorized network connections and can compromise system integrity. This misconfiguration often arises from allowing unnecessary inbound and outbound connections or mismanaging firewall rules. Threat actors can exploit these openings allowing them to move laterally in the environment, download additional malicious payloads, and more.

Another common misconfiguration during security assessments and penetration tests is having the Windows firewall disabled. Doing so allows for unrestricted network communication both to/from the internet and to/from other devices on the network. Without a firewall in place, there’s not much that’s going to stop a threat actor from moving laterally in the environment if they can communicate with the device and have valid credentials.

  • Mitigation: Implement a hardened firewall configuration and manage it centrally. You can do this for free with Group Policy, or you can use commercial tools to assist in this. There really should be no reason that workstations, laptops, and servers need open multi-direction communication. The hard part here is mapping your network and determining which connections are required for things like remote management and support. However, doing so and implementing strong firewall configurations will pay huge dividends. Imagine if a threat actor does gain access to a workstation on the domain, but because of your hardened firewall configuration, they literally cannot go anywhere else in the environment, EVEN if they get another set of credentials. This talk by Jessica Payne is a wonderful example of how to configure the Windows Firewall to thwart attackers.

4. Insecurely Installed Software


Installing software from untrusted sources or failing to validate software integrity can introduce malware or compromise system integrity. However, that’s not the only risk here. Many times, software will install itself and configure unnecessary and overly permissive rights on the system.

A common example of this is when software installs to C:\Program Files\SuperCoolSoftware and at the end of the installation it configures the permissions on the SuperCoolSoftware folder such that “Everyone” is able to modify any file, folder, or subfolder within the SuperCoolSoftware directory. This hinders the integrity of not only the software but also the operating system itself. Many times, this is abused to elevate privileges or execute malicious code.

  • Mitigation: Regularly review your Windows endpoints for this misconfiguration by checking the permissions that are configured after software has been installed or updated. This commonly affects the C:\Program Files and C:\Program Files (x86) folders, but it can pop up in many other places. You can use PowerShell’s Get-Acl cmdlet, icacls.exe in a cmd prompt, or even the Sysinternals tool AccessChk.

5. Weak Endpoint Protection

Weak endpoint protection, such as outdated antivirus software or disabled security features, exposes systems to various malware attacks and compromises. This misconfiguration often arises from neglecting to update antivirus definitions, disabling real-time scanning, or using outdated security software versions. It is also a result of not using an enterprise-grade endpoint protection product.

The fact of the matter is that traditional antivirus is no longer acceptable or suitable for enterprise use. It’s trivial to bypass antivirus signatures and even heuristic detections. Due to the increased ease of obfuscation and the ability to eliminate known signatures in malicious payloads, antivirus alone is not enough.

  • Mitigation: Consider investing in a true endpoint protection product that goes beyond traditional signature-based detection. The advanced endpoint protection products on the market today can scan memory regions for malicious content and can scrutinize API calls that are commonly used by malware. Furthermore, these products have enhanced telemetry gathering capabilities, such that even if an alert does not immediately fire, an analyst can dig into the suspicious events and look deeper into what was potentially happening on a given system. Lastly, these endpoint protection products can orchestrate various security tasks, such as disconnecting the machine from the network so it cannot be used to infect other machines, isolating an attack.

6. Insecure Services & Tasks

Misconfigured or unnecessary services and tasks on Windows systems can provide threat actors with the ability to elevate their privileges or execute code as SYSTEM, one of the most highly privileged accounts on a Windows system. There are a variety of ways tasks and services can become misconfigured, and we talk a lot about those here: Hidden Danger: How To Identify and Mitigate Insecure…

This misconfiguration typically occurs as a result of insecurely installed software, which we discussed earlier in this article, and we often see it happen as a result of an error in configuration by IT admins. Many times services and tasks are configured to run with a domain account because the software that’s running the service needs domain permissions. More often than not, the domain accounts configured to run these services and tasks have elevated permissions in the domain, such as Domain Admin rights. If a threat actor is able to hijack the service/task then they could execute code or use it to elevate their privileges in the domain.

  • Mitigation: Review all tasks and services for insecure configurations such as unquoted paths and insecure service binaries, and check the permissions of the domain accounts that are used. Implement least privilege for domain accounts used in services and tasks to reduce the risk they present if abused. It’s also a good idea to monitor when services and tasks are modified, especially those that execute with elevated privileges.
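The following audit script covers both misconfiguration 4 (install folders that broad groups can write to) and misconfiguration 6 (services with unquoted paths, writable binaries, or domain accounts). It is an added example, not the article's code; the list of broad principals and the write-rights mask are this example's assumptions, and scheduled tasks are left for a companion review.

```powershell
# Added example (not the article's code). Read-only; run in an elevated session.
# (a) Program Files folders writable by broad principals.   (b) Service path, binary ACL and account checks.

# Assumption: principals that should never hold write-class rights on installed software.
$broadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

function Test-WeakAcl([string]$Path) {
    # Emits one object per Allow ACE that grants write-class rights to a broad principal.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int64]$ace.FileSystemRights
        # Named write rights, plus GENERIC_WRITE (0x40000000) / GENERIC_ALL (0x10000000), which Get-Acl leaves unmapped.
        if (($rights -band [int64]$writeMask) -ne 0 -or ($rights -band 0x50000000) -ne 0) {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

# (a) Product folders in both Program Files trees, one level deep; raise -Depth for a full sweep.
$roots = "$env:ProgramFiles", "${env:ProgramFiles(x86)}" | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$weakFolders = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth 1 -ErrorAction SilentlyContinue |
        ForEach-Object { Test-WeakAcl $_.FullName }
}

# (b) Every installed service: unquoted path with spaces, writable binary, or a domain account.
$weakServices = foreach ($svc in Get-CimInstance Win32_Service) {
    $path = $svc.PathName
    if (-not $path) { continue }
    # Extract the executable: quoted prefix if present, otherwise up to the first ".exe".
    if ($path -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($path -match '^(.+?\.exe)') { $exe = $Matches[1] }
    else { $exe = $path.Split(' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # Unquoted path containing spaces: the service controller tries each space-delimited prefix first.
    $unquoted = ($path -notmatch '^"') -and ($exe -match '\s')
    $weakBin  = Test-WeakAcl $exe
    $acct     = $svc.StartName
    # Heuristic for a domain account: DOMAIN\user or user@domain that is not a built-in virtual account.
    $isDomain = [bool]($acct -and ($acct -match '^[^.\\]+\\|@') -and ($acct -notmatch '^(NT AUTHORITY|NT SERVICE|BUILTIN)\\'))

    if ($unquoted -or $weakBin -or $isDomain) {
        [pscustomobject]@{
            Service      = $svc.Name
            RunsAs       = $acct
            UnquotedPath = $unquoted
            WritableBin  = [bool]$weakBin
            DomainAcct   = $isDomain
            Path         = $path
        }
    }
}

$weakFolders  | Format-Table -AutoSize
$weakServices | Format-Table -AutoSize
```

A service flagged only for DomainAcct is not necessarily wrong; the follow-up is to confirm that account holds no more domain rights than the software needs.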

7. Unrestricted PowerShell


Allowing unrestricted usage of PowerShell, a powerful scripting language and automation framework in Windows, can introduce significant security risks. This misconfiguration typically occurs when system administrators or users have unrestricted access to execute any PowerShell command or script. Threat actors can leverage this unrestricted access to execute malicious scripts, download and execute payloads, or perform unauthorized actions on the system.

There are numerous ways threat actors can abuse PowerShell for their nefarious deeds, such as using PowerShell version 2 to avoid logging and security measures such as Windows Antimalware Scanning Interface (AMSI). PowerShell is also commonly used by threat actors to download additional malware. This is commonly done using what’s called encoded commands, which are base64 encoded blobs that contain code to download and execute a secondary malicious payload. Despite strong security controls to prevent and detect PowerShell abuse, it’s still heavily utilized by threat actors, including ransomware groups.

  • Mitigation: The best defense against PowerShell abuse, like everything else, is layered controls. Eliminate PowerShell version 2 in your environment, then implement logging and monitoring. Start with ScriptBlock and Module logging, and make sure those logs make it to your SIEM or your MSP for monitoring and alerting. Many times, malicious PowerShell stands out like a sore thumb and can be a great way to detect an attack early on in the chain. Implementing Constrained Language Mode and Application Control can also be strong defenses against PowerShell abuse. Constrained Language Mode (CLM) can be used to restrict what cmdlets and elements of PowerShell can be used. Application Control can be used to limit which users have access to PowerShell.
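To check where a host stands against the controls just listed, the script below reports whether the PowerShell 2.0 engine is present, whether ScriptBlock and Module logging are enforced by policy, the state of the event log those settings write to, and the language mode of the current session. It is an added example, not the article's code; the registry policy paths and feature names are ones this example assumes for Windows 10/11 and Windows Server.

```powershell
# Added example (not the article's code). Read-only; run elevated so the feature queries succeed.

function Get-PolicyValue([string]$SubKey, [string]$Name) {
    # Group Policy writes the PowerShell logging settings under this key.
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\$SubKey"
    try { (Get-ItemProperty -Path $key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$report = [ordered]@{}

# 1. PowerShell 2.0 engine: an optional feature on clients, a role feature on servers.
$v2 = $null
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $f = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    if ($f) { $v2 = $f.State }
}
if (-not $v2 -and (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) {
    $f = Get-WindowsFeature -Name PowerShell-V2 -ErrorAction SilentlyContinue
    if ($f) { $v2 = if ($f.Installed) { 'Enabled' } else { 'Disabled' } }
}
$report['PowerShellV2Engine'] = if ($v2) { "$v2 (should be Disabled)" } else { 'Unknown' }

# 2. ScriptBlock logging and Module logging as enforced by policy.
$sbl = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
$report['ScriptBlockLogging'] = if ($sbl -eq 1) { 'Enabled' } else { 'NOT enabled' }

$ml = Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging'
$moduleNames = @()
$mnKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
if (Test-Path $mnKey) { $moduleNames = (Get-Item $mnKey).GetValueNames() }
if ($ml -eq 1 -and $moduleNames -contains '*') { $report['ModuleLogging'] = 'Enabled for all modules' }
elseif ($ml -eq 1) { $report['ModuleLogging'] = "Enabled for: $($moduleNames -join ', ')" }
else { $report['ModuleLogging'] = 'NOT enabled' }

# 3. The event log both settings feed; the SIEM can only collect what is enabled and retained here.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational' -ErrorAction SilentlyContinue
if ($log) {
    $report['OperationalLog'] = "Enabled=$($log.IsEnabled), MaxSizeMB=$([math]::Round($log.MaximumSizeInBytes / 1MB))"
} else {
    $report['OperationalLog'] = 'Not found'
}

# 4. Language mode of this session; ConstrainedLanguage is the restricted state the article describes.
$report['LanguageMode'] = "$($ExecutionContext.SessionState.LanguageMode)"

[pscustomobject]$report | Format-List
```

A small default log size with no forwarding means ScriptBlock events will be overwritten before anyone reads them, so treat the log size and the SIEM forwarding as part of the same control.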

Conclusion

While common misconfigurations can pose severe risks to Windows systems, the power to defend and protect your systems, networks, and data lies in your hands. By addressing these common misconfigurations you can proactively fortify your defenses. With a commitment to ongoing vigilance, education, and adopting a security-first mindset, you can confidently navigate the ever-changing cybersecurity landscape and empower yourself as a formidable defender of your Windows environment.

Resources