Rarely a month goes by without the infosec industry being plagued by a new zero-day apocalypse.
Most recently, in December 2021, the world was swept by a series of vulnerabilities in Log4j, a popular logging library used by thousands of systems around the world. While writing this article, the industry is dealing with yet another path-traversal vulnerability, this time in CentOS Web Panel (CVE-2021-45467), and online play of the popular video game Dark Souls has been halted while its developers deal with a remote code execution vulnerability in the game.
However, by giving zero days a disproportionate amount of attention, we lose sight of the fact that most organizations aren’t being breached via a zero day.
Microsoft, Google, Apple and others frequently release fixes for vulnerabilities “under active attack.” Vulnerabilities in Log4j, or the myriad of network device flaws discovered in the last three years in F5, Citrix, Palo Alto and SonicWall products, consume news cycles because the affected systems sit in large corporate infrastructure. Compromising these resources gives actors more access than compromising an employee workstation, so it’s understandable that they would be addressed more urgently than, say, a Google Chrome update. But, regardless of the software package, zero-day vulnerabilities are still hard to find, expensive to develop exploits against and quickly rendered useless once they’re made public.
Simply put, organizations get breached because we’re still failing to adequately train and empower users to keep themselves safe. Phishing, social engineering, lack of two-factor authentication and even basic training around removable storage safety frequently take a back seat to zero-day obsession.
In January, the FBI released a flash alert that the financially motivated actor known as FIN7 was mailing malicious USB sticks to employees of targeted businesses in order to deploy ransomware. The risk of untrusted USB sticks has been known for over a decade (it was likely the infection vector for the Stuxnet attacks in Iran in 2010) and it is widely understood as a “security 101” concept, but attackers wouldn’t continue to use these techniques if they didn’t work.
Don’t Underestimate Technically Simple Operations
As the world has focused on the mounting tensions between Russia and Ukraine, we’ve seen a flurry of alerts, advisories and warnings from both private and public sector advising organizations to batten down the digital hatches and prepare for an unknown level of cyber-activity. What should we be prepared for?
As Mandiant astutely pointed out:
Cyberattacks are most often leveraged as a form of information operation, meaning they are meant to manipulate perception rather than have lasting disruptive effects. Defenders often overestimate the technical capability necessary for these actors to achieve their goals and underestimate the value of technically simple operations.
The second sentence perfectly captures the problem: organizations commonly assume that because they’re dealing with an “advanced” actor, the tactics, techniques and procedures (TTPs) will be of a similarly advanced nature. This is flawed logic, as advanced actors will use any and all tools available to them. With a myriad of well-developed, highly advanced offensive security tools available both commercially and as open source, actors can focus their development efforts on the ‘last mile’ tooling: wipers, remote access trojans, ransomware payloads, keystroke loggers and credential-stealing malware, point-of-sale trojans, etc.
A high-profile zero day gets attention, but its usefulness at scale is generally measured in days or weeks. Phishing, social engineering, USB attacks, credential stuffing and so on continue to work because they exist in a more complex problem space – the uncontrollable human factor. As we move further inside a network – from the eyes of an attacker, that is – many security practices from 20+ years ago are commonly ignored. Proper network segmentation, access control lists, default-deny firewall policies, tightly controlled administrative access and backup systems which are tested regularly and isolated from the rest of the network are all lessons learned the hard way…20 years ago.
Furthermore, attackers don’t need zero days when organizations aren’t keeping up with their patching. CISA recently added 15 more vulnerabilities to its Known Exploited Vulnerabilities Catalog, the oldest of which is CVE-2013-3900, a nine-year-old vulnerability. On January 21, CISA added CVE-2006-1547: 16 years after the vulnerability was found, it is still being used by attackers.
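The cheapest check that follows from this is to measure your own exposure against that catalog. The PowerShell below is an added example, not code from the article or from CISA: it reads a document in the shape of CISA’s KEV JSON feed, reports how old each entry is (taken from the year in the CVE ID), whether its federal due date has passed, and which entries touch products you run. The three-entry `$KevJson` excerpt is constructed for the demonstration (the two CVEs named above plus the Log4j entry), the inventory is fictional, and the function names are this example’s own.

```powershell
# Added example (not from the article): age and exposure report over a KEV-shaped feed.
# Live feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# $KevJson is a constructed three-entry excerpt using the feed's real field names
# (cveID, vendorProject, product, vulnerabilityName, dateAdded, requiredAction, dueDate).
$KevJson = @'
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 3,
  "vulnerabilities": [
    { "cveID": "CVE-2013-3900", "vendorProject": "Microsoft", "product": "Windows",
      "vulnerabilityName": "Microsoft WinVerifyTrust function Remote Code Execution Vulnerability",
      "dateAdded": "2022-01-10", "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-07-10" },
    { "cveID": "CVE-2006-1547", "vendorProject": "Apache", "product": "Struts 1",
      "vulnerabilityName": "Apache Struts 1 ActionForm Denial-of-Service Vulnerability",
      "dateAdded": "2022-01-21", "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-07-21" },
    { "cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
      "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
      "dateAdded": "2021-12-10", "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2021-12-24" }
  ]
}
'@

function Get-KevAgeReport {
    # One row per KEV entry: age of the CVE (from the year in its ID), when CISA added it,
    # and whether the remediation due date has already passed as of $AsOf.
    param(
        [Parameter(Mandatory)][string]$Json,
        [datetime]$AsOf = (Get-Date)
    )
    $catalog = $Json | ConvertFrom-Json
    foreach ($v in $catalog.vulnerabilities) {
        $cveYear = [int](($v.cveID -split '-')[1])        # CVE-YYYY-NNNN
        $due     = [datetime]::ParseExact($v.dueDate, 'yyyy-MM-dd', $null)
        [pscustomobject]@{
            CveID     = $v.cveID
            Vendor    = $v.vendorProject
            Product   = $v.product
            YearsOld  = $AsOf.Year - $cveYear
            DateAdded = [datetime]::ParseExact($v.dateAdded, 'yyyy-MM-dd', $null)
            DueDate   = $due
            Overdue   = $AsOf.Date -gt $due
        }
    }
}

function Find-KevExposure {
    # Joins the report to an inventory of (Vendor, Product) pairs. The match is an exact,
    # case-insensitive comparison against KEV's own vendorProject/product strings, so the
    # inventory has to use KEV's naming; a fuzzier match would produce false hits.
    param(
        [Parameter(Mandatory)]$Report,
        [Parameter(Mandatory)]$Inventory
    )
    foreach ($row in $Report) {
        $hit = $Inventory | Where-Object { $_.Vendor -eq $row.Vendor -and $_.Product -eq $row.Product }
        if ($hit) { $row }
    }
}

# Constructed inventory for a fictional environment.
$Inventory = @(
    [pscustomobject]@{ Vendor = 'Microsoft'; Product = 'Windows' }
    [pscustomobject]@{ Vendor = 'Apache';    Product = 'Struts 1' }
)

# Pinned to a date so the numbers match the text: 9 and 16 years old, Log4j entry overdue.
$report = Get-KevAgeReport -Json $KevJson -AsOf ([datetime]'2022-02-01')
$report | Sort-Object YearsOld -Descending |
    Format-Table CveID, Vendor, Product, YearsOld, DateAdded, Overdue -AutoSize
Find-KevExposure -Report $report -Inventory $Inventory |
    Format-Table CveID, Product, YearsOld, DueDate -AutoSize
```

To run this against the real catalog, replace `$KevJson` with the body of the live feed, for example `(Invoke-WebRequest -Uri $feedUrl).Content`, and drop the `-AsOf` pin. The exact-match join is deliberate: KEV's `vendorProject` and `product` strings are not normalized against any inventory system, so treat the output as a starting list to confirm, not as a scan result.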
Leg-0 Days: Overlooked Weaknesses
There is another threat to users which is frequently overlooked, one I jokingly refer to as the Leg-0-day. This is essentially a chain of software flaws that the vendor doesn’t consider a vulnerability, or that fall below its severity bar for a fix, yet a clever attacker can combine them with other weaknesses to make something far more dangerous.
A perfect example is the family of attacks against the NTLM authentication protocol in Windows. Most flaws here are predicated on an attacker already having some level of access to the network, and therefore Microsoft considers them out of scope, since an attacker needs to compromise the network in some other way first. This stance is understandable, as Microsoft has to prioritize certain fixes over others; however, it’s also a bit inconsistent, since Microsoft operates under the “assume breach” model, where the assumption is that an attacker is already in your network.
NTLM itself is an old and outdated authentication protocol, but because it has been around for 20+ years, Microsoft cannot simply remove it without breaking millions of machines. This has left room for downgrade and relay attacks: an attacker who can get a host to authenticate to them can capture the NTLM exchange, steer it toward a weaker protocol version (not that any version of NTLM can really be called “secure” in 2022), or relay it to another service that still accepts NTLM. This is exactly what tools like Responder.py exploit, and it underpins a whole family of privilege-escalation attacks that coerce or reflect NTLM authentication, known by the potato moniker:
- Hot Potato (January 2016)
- Rotten Potato (September 2016)
- Ghost Potato (November 2019)
- Relaying Potatoes (April 2021)
- Remote Potato (May 2021)
- PetitPotam (July 2021)
Defending against these ‘leg-0-day’ attacks isn’t as simple as applying a patch or sending users to remedial phishing training. Because there is rarely a vendor patch, remediating these risks means changing the way the network operates. Steps like refusing LM and NTLMv1 authentication (so a client cannot be downgraded), retiring SMBv1 in favor of SMBv3 with signing required (so a captured NTLM exchange cannot simply be relayed to SMB), and requiring Network Level Authentication (NLA) on RDP servers are all merely configuration changes, but they require testing and vetting in an environment to ensure that nothing breaks. Changes like NLA on RDP servers also come with a rise in help-desk complaints: users authenticate in the RDP client before the session opens and, in some configurations, are prompted again at the Windows logon screen, instead of once without NLA.
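Because these are configuration changes rather than patches, the first step is knowing where a host actually stands. The PowerShell below is an added example, not code from the article or from Microsoft: it audits the controls just named on a single Windows host (LM/NTLMv1 refusal, NTLMv2 session security, SMBv1 off, SMB signing, NLA and TLS on RDP) and can apply the hardened values behind `-WhatIf`/`-Confirm`. The registry paths, value names and target values are Microsoft’s documented ones; the function names (`Get-LegacyAuthFindings`, `Invoke-LegacyAuthHardening`) are this example’s own. It needs an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit and optionally harden the legacy-auth
# controls discussed above on one host. Audit first; apply only after lab testing.

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegDword {
    # Returns the DWORD at $Path\$Name, or -1 when the value is absent (OS default in effect).
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { -1 } else { [int]$item.$Name }
}

function Get-LegacyAuthFindings {
    # One object per control: current value, expected value, Compliant flag and a Fix scriptblock.
    $smb = Get-SmbServerConfiguration
    $checks = @(
        [pscustomobject]@{
            Control  = 'LAN Manager authentication level (LmCompatibilityLevel)'
            Current  = Get-RegDword $Lsa 'LmCompatibilityLevel'
            Expected = 5            # send NTLMv2 only; refuse LM and NTLMv1 from clients
            Fix      = { Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -Value 5 -Type DWord }
        }
        [pscustomobject]@{
            Control  = 'Minimum NTLM SSP session security, client (NtlmMinClientSec)'
            Current  = Get-RegDword $Msv 'NtlmMinClientSec'
            Expected = 0x20080000   # require NTLMv2 session security and 128-bit encryption
            Fix      = { Set-ItemProperty -Path $Msv -Name NtlmMinClientSec -Value 0x20080000 -Type DWord }
        }
        [pscustomobject]@{
            Control  = 'Minimum NTLM SSP session security, server (NtlmMinServerSec)'
            Current  = Get-RegDword $Msv 'NtlmMinServerSec'
            Expected = 0x20080000
            Fix      = { Set-ItemProperty -Path $Msv -Name NtlmMinServerSec -Value 0x20080000 -Type DWord }
        }
        [pscustomobject]@{
            Control  = 'SMBv1 server protocol enabled'
            Current  = $smb.EnableSMB1Protocol
            Expected = $false       # SMB2 and SMB3 share one switch; SMB1 is the one to turn off
            Fix      = { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
        }
        [pscustomobject]@{
            Control  = 'SMB signing required (blocks NTLM relay to SMB)'
            Current  = $smb.RequireSecuritySignature
            Expected = $true
            Fix      = { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
        }
        [pscustomobject]@{
            Control  = 'RDP requires Network Level Authentication (UserAuthentication)'
            Current  = Get-RegDword $Rdp 'UserAuthentication'
            Expected = 1
            Fix      = { Set-ItemProperty -Path $Rdp -Name UserAuthentication -Value 1 -Type DWord }
        }
        [pscustomobject]@{
            Control  = 'RDP security layer (SecurityLayer)'
            Current  = Get-RegDword $Rdp 'SecurityLayer'
            Expected = 2            # 2 = TLS; 1 = negotiate; 0 = legacy RDP security layer
            Fix      = { Set-ItemProperty -Path $Rdp -Name SecurityLayer -Value 2 -Type DWord }
        }
    )
    foreach ($c in $checks) {
        $c | Add-Member -NotePropertyName Compliant -NotePropertyValue ($c.Current -eq $c.Expected) -PassThru
    }
}

function Invoke-LegacyAuthHardening {
    # Applies the Fix of every non-compliant control. Supports -WhatIf and -Confirm.
    # Refusing NTLMv1 breaks old appliances and SMB signing costs CPU on busy file servers,
    # so run this in a lab and then in waves, not fleet-wide in one go.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($f in (Get-LegacyAuthFindings | Where-Object { -not $_.Compliant })) {
        if ($PSCmdlet.ShouldProcess($f.Control, 'Apply hardened setting')) { & $f.Fix }
    }
}

Get-LegacyAuthFindings | Format-Table Control, Current, Expected, Compliant -AutoSize
# Invoke-LegacyAuthHardening -WhatIf    # preview the changes; drop -WhatIf to apply
```

Each of these registry values corresponds to a Group Policy setting (the “Network security:” policies under Security Options, and “Require user authentication for remote connections by using Network Level Authentication” for RDP), which is how they should be rolled out across a domain; the script is for checking a single box and for lab work before the GPO goes out. A `Current` of -1 means the value is simply absent and the OS default applies, which for `LmCompatibilityLevel` on current Windows still accepts NTLMv1 from clients, so “unset” is not “safe”.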
There will never be a solution which holistically solves security in every environment, and security teams must be both capable AND empowered to perform the appropriate remediation steps, regardless of the attack vector. The concept of layered security isn’t new, but with a new zero day making the news every week or two, it’s understandable that the basics take a backseat to firefighting. Just remember: zero days are expensive; mistakes are free. Attackers will always prefer the easy and inexpensive ways to breach an organization and, fortunately, addressing these problems is low-hanging fruit.
Nate Warfield is CTO at Prevailion.