Rantings of a Cyber Security Analyst - (February 2023 Edition)

It is 2023, a brand-new year. Firstly, I would like to wish everyone a successful year ahead and, hopefully, a year where everyone upgrades their security and is better protected.

Based on what I am seeing, the threat landscape for this year will be the same, with ransomware groups being the very active. This is unfortunate, as it is still a very effective attack with profitable gains and high success rates.

The general tactics are still the same, where threat actors search for exposed and vulnerable systems as their entry points. However, it is to be noted that the techniques have been refined, as threat actors use various hands-on keyboard methods, legitimate tools and even drivers signed with stolen, legitimate digital certificates. And they are really good at these, with comprehensive understanding of different command lines and actions that can be performed with this limited initial access.

Prior to the holiday season, I have been warning customers about signs of attempts to breach into public facing servers running vulnerable builds of MSSQL. Yes, the same threat that I have been talking about since 2022 July. There are even situations where I identified compromised administrator accounts using just the high-level telemetry data I have, without any access into complex XDR tools. It is unfortunate as the consoles of these customers actually provided this information and more. It is just because no one logged into these consoles to check.
Unfortunately, some of these warnings fell on deaf ears and eventually escalated into a ransomware attack.

There seems to be a failure to understand that even if the security solution blocks an exploitation attempt on a public facing server, there is still risk involved. Threat actors, as I have seen, are not that easily dissuaded by this. Even if the exploit failed, this informs the threat actor that there is a public facing server with MSSQL on it. The common next behaviors I see are attempts to directly log into the MSSQL service, through brute force of the “sa” account or attempting to identify other services that are open on the server, such as RDP. In this case here, I would say the vulnerability acted as a beacon for the threat actors, flagging out potential targets for them to poke around for weaknesses that they could exploit. A single password that “defends” against unauthorized entry is the weakest form of protection.

In a previous article, I mentioned about the concept of 5 Ws 1 H. This should be applied at this time. Questions on why is this server public facing, what services are accessible from public and so on. Identification of all these helps to identify the risks. Again, in most cases, the initial detections, even if mitigated by the security solution, that trigger should have already started an investigation.

My wish for 2023 would be for organisations to admit there is lacking in security knowledge and capabilities in majority of environments. Executive levels need to acknowledge there is a real need, regardless of company size, to incorporate some form of security expertise, not products, into their strategic planning.
IT staff need to acknowledge that they do not have the skillsets to protect the environment. Knowing how to install security products does not make anyone a security personnel.
Tough questions needs to be asked, such as what risks the company faces with these assets (There is no such thing as zero risk) and what are the strategies to reduce these risks.
Question if the team has any remediation plans for the various scenarios. It is fine to admit the lack of such capabilities, but it is important to acknowledge these gaps and for the executive leadership to allocate budgets to either hire such skillsets or have them outsourced.

The idea of “set and forget” security no longer applies. Adoption of AI helps to reduce the “heavy lifting” but is not a silver bullet against all forms of attacks. Security teams need to be updated on the latest trends of attacks and methods threat actors use to overcome security controls.

Have you heard of aswarpot.sys or mhyprot2.sys? How about Huorong Sword?
These are legitimate drivers and software used by threat actors to disable existing security controls. We still see them in use, but they may get phased out by the adversaries as more methods of detecting these abused drivers and applications become available.

So, for 2023, the new year resolution for business executives should be to include security into their strategic business planning. For those who are keen and have strong interest in security, I encourage you to take up courses and read up more from open sources of attack trends and methods. Be curious and ask questions. This would be the perfect basis to start your journey as a security personnel.

Biography

Harvey Goh

Harvey Goh is a cyber security specialist having been in the cyber security industry for over 15 years as a technical personnel. Currently he is working as part of Sophos’ Managed Threat Response team. He is also a member of AiSP CTI SIG, EXCO and volunteer at CSCIS CTI SIG.

Views and opinions expressed in this article are my own and do not represent that of my places of work. While I make every effort to ensure that the information shared is accurate, I welcome any comments, suggestions, or correction of errors.