CYBER THREAT ARTICLE - RANTINGS OF A CYBER SECURITY ANALYST (FEBRUARY 2023 EDITION)
It is 2023, a brand-new year. Firstly, I would like to wish
everyone a successful year ahead and, hopefully, a year
where everyone upgrades their security and is better
protected.
Based on what I am seeing, the threat landscape this year will look much the same, with ransomware groups remaining very active. This is unfortunate, as ransomware is still a very effective attack with profitable gains and high success rates.
The general tactics are still the same: threat actors search for exposed and vulnerable systems as their entry points. However, it should be noted that the techniques have been refined. Threat actors use various hands-on-keyboard methods, legitimate tools and even drivers signed with stolen, legitimate digital certificates. And they are really good at this, with a comprehensive understanding of the different command lines and actions that can be performed from this limited initial access.
Prior to the holiday season, I had been warning customers about signs of attempts to breach public-facing servers running vulnerable builds of MSSQL. Yes, the same threat that I have been talking about since July 2022. There were even situations where I identified compromised administrator accounts using just the high-level telemetry data I have, without any access to complex XDR tools. It is unfortunate, as the consoles of these customers actually provided this information and more. It is just that no one logged into these consoles to check.
Unfortunately, some of these warnings fell on deaf ears and
eventually escalated into a ransomware attack.
There seems to be a failure to understand that even if the security solution blocks an exploitation attempt on a public-facing server, there is still risk involved. Threat actors, as I have seen, are not easily dissuaded by this. Even if the exploit failed, it informs the threat actor that there is a public-facing server with MSSQL on it. The common next behaviours I see are attempts to log directly into the MSSQL service, through brute force of the “sa” account, or attempts to identify other services that are open on the server, such as RDP. In this case, I would say the vulnerability acted as a beacon for the threat actors, flagging potential targets for them to poke around for weaknesses that they could exploit. A single password that “defends” against unauthorized entry is the weakest form of protection.
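The brute-force attempts against “sa” described above leave a trail in the SQL Server ERRORLOG as error 18456 “Login failed” entries, and that trail is exactly the trigger that should start an investigation. The following is an added example, not code from the article: it parses a constructed sample of ERRORLOG lines (the error number and line layout follow SQL Server’s real format; the timestamps, account names and client addresses are made up) and raises an alert when one client fails repeatedly against one login inside a short window. The threshold and window values are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG lines (not taken from the article).
# 18456 is SQL Server's real "Login failed" error number; the timestamps,
# user names and the RFC 5737 documentation address 203.0.113.45 are invented.
SAMPLE_ERRORLOG = """\
2023-01-15 03:12:44.12 Logon       Error: 18456, Severity: 14, State: 8.
2023-01-15 03:12:44.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-01-15 03:12:45.03 Logon       Error: 18456, Severity: 14, State: 8.
2023-01-15 03:12:45.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-01-15 03:12:45.91 Logon       Error: 18456, Severity: 14, State: 8.
2023-01-15 03:12:45.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-01-15 03:12:46.77 Logon       Error: 18456, Severity: 14, State: 8.
2023-01-15 03:12:46.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-01-15 03:12:47.50 Logon       Error: 18456, Severity: 14, State: 8.
2023-01-15 03:12:47.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-01-15 09:40:02.00 Logon       Error: 18456, Severity: 14, State: 8.
2023-01-15 09:40:02.00 Logon       Login failed for user 'appsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]
"""

# Only the "Login failed for user ..." line carries the login name and client
# address; the preceding "Error: 18456" line is intentionally not matched.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, client) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group("user"), m.group("client")))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Alert on each (user, client) pair with >= threshold failures in one sliding window.

    threshold and window are assumed starting values, not values from the article.
    """
    by_key = defaultdict(list)
    for ts, user, client in events:
        by_key[(user, client)].append(ts)

    alerts = []
    for (user, client), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it covers at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "user": user,
                    "client": client,
                    "failures": end - start + 1,
                    "first": times[start],
                    "last": times[end],
                })
                break  # one alert per (user, client) pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_failed_logins(SAMPLE_ERRORLOG)):
        print(f"ALERT: {alert['failures']} failed logins for '{alert['user']}' "
              f"from {alert['client']} between {alert['first']} and {alert['last']}")
```

The single “appsvc” failure from an internal address never reaches the threshold and is correctly ignored, while the burst against “sa” from an external address is flagged within seconds of the first attempt. In practice the same logic applies to the Windows Application event log entries SQL Server writes for 18456, and the alert is the point at which the 5Ws and 1H questions below should be asked about that server.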
In a previous article, I mentioned the concept of 5Ws and 1H. This should be applied at this point: questions such as why this server is public facing, what services are accessible from the internet, and so on. Answering all of these helps to identify the risks. Again, in most cases the initial detection, even if mitigated by the security solution, should already have triggered an investigation.
My wish for 2023 would be for organisations to admit that security knowledge and capabilities are lacking in the majority of environments. Executive levels need to acknowledge that there is a real need, regardless of company size, to incorporate some form of security expertise, not just products, into their strategic planning.
IT staff need to acknowledge that they do not have the skillsets to protect the environment. Knowing how to install security products does not make anyone security personnel. Tough questions need to be asked, such as what risks the company faces with these assets (there is no such thing as zero risk) and what the strategies are to reduce these risks.
Ask whether the team has remediation plans for the various scenarios. It is fine to admit the lack of such capabilities, but it is important to acknowledge these gaps, and for the executive leadership to allocate budgets either to hire such skillsets or to outsource them.
The idea of “set and forget” security no longer applies. Adoption of AI helps to reduce the “heavy lifting” but is not a silver bullet against all forms of attack. Security teams need to stay updated on the latest attack trends and the methods threat actors use to overcome security controls.
Have you heard of aswarpot.sys or mhyprot2.sys? How about
Huorong Sword?
These are legitimate drivers and software used by threat
actors to disable existing security controls. We still see
them in use, but they may get phased out by the adversaries
as more methods of detecting these abused drivers and
applications become available.
So, for 2023, the New Year’s resolution for business executives should be to include security in their strategic business planning. For those who are keen and have a strong interest in security, I encourage you to take up courses and read up on attack trends and methods from open sources. Be curious and ask questions. This would be the perfect basis from which to start your journey as security personnel.
Biography
Harvey Goh
Harvey Goh is a cyber security specialist who has been in the cyber security industry for over 15 years as technical personnel. Currently he is working as part of Sophos’ Managed Threat Response team. He is also a member of the AiSP CTI SIG and EXCO, and a volunteer at CSCIS CTI SIG.
Views and opinions expressed in this article are my own and do not represent those of my places of work. While I make every effort to ensure that the information shared is accurate, I welcome any comments, suggestions, or corrections of errors.