
Cyber Threat Briefing: Real-World Cyber Threats

Written by Cyber Security Associates | Oct 3, 2023 4:15:00 AM

Ransomware attacks have been taking up a large proportion of the news headlines, but that doesn’t mean there haven’t been plenty of other threats and security issues happening in the world. From security holes in Microsoft Azure, to a woman in Florida deleting crucial business data after being fired, the fifth episode of our live Cyber Threat Briefing sees Adversary Simulation Lead, Aaron Dobie, and Risk Advisory Senior Director, Craig Moores, delve into the lessons organizations can learn from these real-world threats, including the importance of Endpoint Detection and Response (EDR).

Remote VM takeover

Our session began looking at the high-profile issue in Azure’s Open Management Infrastructure, which allowed remote takeover and privilege escalation on Linux virtual machines (VMs). Essentially, any Linux VM that was set up through Azure had a separate management framework installed, and that implementation itself had vulnerabilities. If the authentication token was removed from a request, the service would still respond, but instead of operating in a low-privilege user context, or declining to process the request, it would process the request as root. Root (full) privileges mean that you can read and write any file on the system. So, in this case, an unauthenticated remote attacker could run code with full privileges on your virtual machine.
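The fail-open logic described above, as an added, constructed model (not OMI's code): a handler that treats a missing authentication token as "nothing to check" and falls through to the daemon's own root context, beside the fail-closed form that rejects the request. The header name, token store and user contexts are assumptions.

```python
# Constructed model of a fail-open authentication check. Not OMI's code:
# the header name, token store and user contexts are assumptions.

ROOT = "root"
# Constructed token store: token -> user context it grants.
VALID_TOKENS = {"tok-alice": "alice"}


def resolve_context_fail_open(headers: dict) -> str:
    """Vulnerable pattern: a missing Authorization header skips the check
    entirely, so the request runs in the service's own (root) context."""
    token = headers.get("Authorization")
    if token is not None:
        user = VALID_TOKENS.get(token)
        if user is None:
            raise PermissionError("invalid token")
        return user
    return ROOT  # fail-open: absent auth ends up with full privileges


def resolve_context_fail_closed(headers: dict) -> str:
    """Hardened pattern: authentication is required unconditionally and a
    request never inherits the daemon's privileges."""
    token = headers.get("Authorization")
    if token is None:
        raise PermissionError("authentication required")
    user = VALID_TOKENS.get(token)
    if user is None:
        raise PermissionError("invalid token")
    return user


def run_as(context: str, command: str) -> str:
    """Stand-in for dispatching a management command; returns the
    effective identity it would run under rather than executing anything."""
    return f"{context}:{command}"


if __name__ == "__main__":
    request = {}  # constructed request carrying no Authorization header
    print(run_as(resolve_context_fail_open(request), "uptime"))
    try:
        resolve_context_fail_closed(request)
    except PermissionError as err:
        print("rejected:", err)
```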

Aaron explained that this issue is an interesting one as it only affects virtual machines that are deployed by users. Referring to the Shared Responsibility Model, everything up to the virtual machine is managed by Azure and then everything above that is managed by end-users. But the challenge here is that Azure was essentially injecting additional software into the operating system that users weren’t aware of, and it wasn’t automatically patching this either. Microsoft has since given guidance on how to update it, but it’s still a manual process for users. This can obviously be a significant challenge if you’re a large company and have an estate with, say, 20,000 virtual machines in the cloud.

Trust, but verify

We often trust large third parties, such as cloud providers like Azure, to manage things on our behalf in a safe and secure way, particularly if there’s a piece of software we don’t know is there. Craig mentions that there’s a lot of discussion around continuous compliance at the moment, and around technologies that assure you that things are staying safe and secure. If third parties can bypass those fundamental things, where does that leave us? You need to trust, but verify, Aaron explains. We do have to put a reasonable amount of trust in cloud providers because they are providing so much of the stack, but as users we need to do everything in our power to validate that they are in fact doing what we think they are doing.

Insider threats

Our session then moved on to uncover the recent news that a woman in Florida, who had just been fired, deleted vast amounts of files causing enormous internal damage to the company. In the few hours between getting fired and being escorted out of the building, other employees witnessed the woman repeatedly hitting the delete key on anything she could find. It ended up costing the company more than $100,000 to remediate and recover as many of the documents as possible.

Often, we speak about third-party threats and the importance of tying those into an organization’s risk methodology and approach, but how do we deal with insiders? Well, the insider threat is, unfortunately, something that will never go away. Users need to have access to things in order to do their jobs and for the business to function. There is always the risk that someone will do something to compromise business activities, even if by accident. Instead of dropping coffee, you might accidentally drop all the tables in the SQL database, but the impact is potentially much, much higher.

Companies can utilize ‘user monitoring’ functions that come with things like Endpoint Detection and Response (EDR) products. This is all about understanding what users actually do on a day-to-day basis and putting in blocks when things are out of step with the expected norm. This is obviously great, but requires fairly significant investment, first in the EDR product itself and then in tailoring it to accurately reflect what’s in use within your network. But then you will have a baseline control, enforcing least privilege across the whole network so that not everyone has access to everything that everybody uses. You have gates in place that limit the potential damage, so even if somebody does accidentally do something, they can’t cause business-wide impact.
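The baseline-and-deviation idea above, applied to the Florida incident's pattern of mass deletion, as an added example that is not from any EDR product: per-user deletion counts over a sliding window are compared against an assumed learned baseline, and users whose burst exceeds a multiple of it are flagged. The audit-event format, baseline values and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-audit events in an assumed "timestamp user action path" form.
EVENTS = """
2023-09-28T09:02:11 alice delete /share/finance/draft1.xlsx
2023-09-28T09:40:05 alice modify /share/finance/q3.xlsx
2023-09-28T10:15:30 bob delete /share/hr/old_policy.docx
2023-09-28T14:01:00 bob delete /share/hr/tmp.docx
2023-09-28T14:01:07 bob delete /share/hr/contracts/a.pdf
2023-09-28T14:01:12 bob delete /share/hr/contracts/b.pdf
2023-09-28T14:01:19 bob delete /share/hr/contracts/c.pdf
2023-09-28T14:01:25 bob delete /share/hr/contracts/d.pdf
2023-09-28T14:01:31 bob delete /share/hr/contracts/e.pdf
2023-09-28T14:01:38 bob delete /share/hr/payroll.xlsx
""".strip().splitlines()

# Assumed learned baseline: typical deletions per 10-minute window for each
# user (values constructed; a real product would derive them from history).
BASELINE = {"alice": 1.0, "bob": 1.0}
WINDOW = timedelta(minutes=10)
MULTIPLIER = 5  # flag a window holding more than 5x the user's baseline


def parse(line):
    """Split one constructed audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def deletion_bursts(lines, baseline=BASELINE, window=WINDOW, mult=MULTIPLIER):
    """Return {user: peak deletions in any sliding window} for users whose
    deletion rate deviates from their baseline by more than `mult` times."""
    deletes = defaultdict(list)
    for ts, user, action, _ in map(parse, lines):
        if action == "delete":
            deletes[user].append(ts)
    flagged = {}
    for user, stamps in deletes.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > mult * baseline.get(user, 1.0):
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    print(deletion_bursts(EVENTS))
```

In production the block-or-alert decision would hang off the returned map; here bob's seven deletions inside one ten-minute window are what trip the threshold, while his isolated morning deletion does not.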

The malicious insider

But, as was the case with the Florida example, it’s not always an accident. You could have disgruntled employees or those that have changed roles but retained levels of access they didn’t necessarily need. When they do then leave, they may have access to things that they shouldn’t have, which leaves the potential attack vectors that little bit wider. Aaron explains that the heuristics of EDR essentially allow you to learn user behaviors, and these behaviors can be used to help understand what controls we need to have in place to protect ourselves.

So, effectively you collate all of this data about end users, what they do and how they’re doing it, and you can use that information to implement or acquire other products that enforce standard use cases. Privileged Access Management (PAM) solutions are great, for example, as you can make sure that user passwords are only valid for however long is required to perform the action, meaning that even if a user does lose their password, it doesn’t matter because that password was only valid for a very short period of time.