Windows Servers Vulnerable to IKE Exploit


Title: CVE-2022-34721

78ResearchLab recently published a proof of concept for a new exploit affecting almost all versions of Windows Server.

The vulnerability was found in the implementation of IKE version 1 extensions.

Despite version 2 being widely available and used, both v1 and v2 are accepted by default on Windows Servers. Successful exploitation of this vulnerability would lead to remote code execution (RCE) on the target server.

This may allow a malicious actor to read and modify sensitive information stored on the server and potentially use it as a pivot point in order to further compromise a network.

David Stubley, MD of 7 Elements, says:

Patches should be applied as soon as possible in order to prevent compromise. There is a window of opportunity to patch as the POC is not easily usable, but with these things that is likely to change and become stable exploit code that can be used by lower skilled malicious actors.

Microsoft have released patches for supported versions of Windows and 7 Elements would recommend applying them as soon as possible.

Microsoft often releases patches on the second Tuesday of the month in what is known as “Patch Tuesday”. Allocating time to apply and test these patches every month is recommended.

REDCENTRIC ACQUIRES 7 ELEMENTS

Following the announcement that 7 Elements Ltd has been acquired by Redcentric, I wanted to introduce myself and Redcentric and let you know how this exciting development will further complement and expand the services 7 Elements currently delivers.

Redcentric is a managed service provider that delivers highly available network, cloud and collaboration solutions that help public and private sector organisations succeed. We’ve built the business through our owned multiple UK data centres, national 100Gb MPLS network and dual 24/7 network operation centres and can show a strong performance with revenues growing, strong profit margins and excellent cash generation. Our customers include Howdens, Hays, The White Company, Channel 4 and a number of NHS and public sector organisations including NHS Digital.

Our immediate focus is to maintain the high level of customer service that 7 Elements delivers today, providing a seamless experience for you. It’s important to us that we retain and build upon the knowledge, technical capability and high standards of service delivery that the 7 Elements team currently provides, as this was a key driver in our decision to acquire it.

Whilst 7 Elements is now a key part of the Redcentric group, enhancing our network, cloud and collaboration portfolio, it will continue to operate as a separate business entity and all current points of contact for you will remain.

Given our commitment to maintaining the high level of customer service, professionalism and capability that you are accustomed to, we’d love to hear from you and answer any questions you may have.

Please contact Redcentric on email@redcentricplc.com and we’ll come back to you as soon as we can.

Kind regards,

Peter Brotherton

CEO, Redcentric

7 Elements Moves Office

7 Elements is excited to announce our move to 4-5 Lochside Way, Edinburgh Park, Edinburgh, EH12 9DT.

As part of our move, we would like to advise all of our clients to update their records and note a change in our office phone number, which from now on will be +44 (0) 131 516 7264.
ScotSoft 2021

As a sponsor for this year’s ScotSoft conference, we would like to share a message from the amazing team behind the day and encourage you to join in on the day:

The countdown is on – only a few days until #ScotSoft21! We’re extremely excited to welcome you all virtually to our event platform and see you interact and network with some of the amazing speakers and other delegates that we have signed up.

Don’t forget our physical YSE dinner takes place in the evening – one of the first opportunities we’ve had to bring Scotland’s digital sector together again for well over a year and we can’t wait to welcome you all again.

The event, which is free to attend, will start on Thursday morning (7th Oct) at 08:30, and our own CEO, David Stubley, will be speaking at 14:05 as part of the Cyber track. David will be taking a look at the top ten critical security risks to web applications found in 2021 and how to build mitigation strategies.

You can still get your ScotSoft tickets here.

SMTP Multipass

In July 2020 7 Elements discovered a vulnerability in Rackspace that exposed all its global hosted email customers to the potential malicious use of their email domain by unauthorised actors. Malicious actors had the ability to leverage multiple accounts and pass security checks designed to detect spoofed emails. This was utilised in the wild to conduct targeted phishing attacks.

7 Elements has called this the “SMTP Multipass” attack.

The vulnerability was the result of how the SMTP servers for Rackspace (emailsrvr.com) authorised users. When this vulnerability is placed within the context of Rackspace’s guidance on customers specifically authorising these SMTP servers to send email on their behalf via DNS entries (denoting the use of SPF records), it can be used to form a viable attack vector.

This allows an attacker, authenticated under one customer account, to send emails as another customer. Those emails would be received by the recipient, pass email security checks and be identified as coming from a legitimate sender. Given this, malicious actors could use this to masquerade as a chosen target domain, potentially causing reputational damage.

The vulnerability was discovered by the 7 Elements team through our incident response service back in July 2020. 7 Elements engaged with Rackspace, through our responsible disclosure process, at the start of August 2020.

The Incident

Whilst supporting a client’s internal investigation into a targeted email compromise incident, our team and the client’s technical team worked together to assess inbound emails. This collaborative approach identified that the malicious actor(s) involved with the business email attack were sending emails using Rackspace customer domains. However, when doing so the actor(s) authenticated with a user account under a different domain, successfully spoofing Rackspace hosted email customers and passing SPF controls.

By using this approach, the malicious actor was able to bypass the client’s email filters and was free to choose from a large pool of suitable domains that make use of Rackspace’s hosted email offering.

This prompted further investigation by the 7 Elements team, which ultimately identified that any customer of the hosted email service was vulnerable to this issue. This was especially the case if their SPF records were set to pass emails from emailsrvr.com (as recommended by Rackspace). Based upon conversations with Rackspace, our understanding is that all customers of the hosted email service were vulnerable. Clients included US federal agencies, UK local government, military, politicians, financial organisations and high-profile individuals.

Force Multiplier

In this instance, two individual issues combine to have a greater impact. The first is the vulnerability within the Rackspace hosted email service that allows an authenticated user of the platform to send emails as any domain (including those that also use the service). The second is in how DNS entries configured by legitimate customers of Rackspace specifically authorised the affected Rackspace SMTP servers (emailsrvr.com) for the purpose of sending emails on behalf of that domain. So, any email coming from that IP on behalf of that domain is de facto authorised. The following image shows such an email:

Screenshot showing a POC email sent as another domain

In the Wild

As stated earlier, we are already aware of this vulnerability being utilised in the wild. With our internal POC scripts, it was a trivial exercise to identify vulnerable domains and then, using a single account, authenticate to the SMTP server and send emails from those other domains. From an investigation point of view, as the email will appear to be legitimate (passing SPF security checks), the email headers would need to be interrogated for the specific traits outlined below:

Date: Thu, 24 Sep 2020 14:02:18 +0000
To: 7 Elements <contact-us@7elements.co.uk>
From: Finance <finance@**redacted**.com>
Reply-To: Finance <finance@**redacted**.com>
Subject: SMTP Multipass

X-Mailer: PHPMailer 6.1.7 (https://github.com/PHPMailer/PHPMailer)
Received-SPF: Pass (protection.outlook.com: domain of **redacted**.com designates
146.20.161.126 as permitted sender) receiver=protection.outlook.com;
client-ip=146.20.161.126; helo=smtp126.iad3b.emailsrvr.com;
X-Auth-ID: john@7ei.cc
Authentication-Results: spf=pass (sender IP is 146.20.161.126)
smtp.mailfrom=**redacted**.com; 7elements.co.uk; dkim=none (message not signed)
header.d=none;7elements.co.uk; dmarc=pass action=none
header.from=**redacted**.com;compauth=pass reason=100
Received: from smtp126.iad3b.emailsrvr.com (146.20.161.126) by
HE1EUR02FT008.mail.protection.outlook.com (10.152.10.77) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.3412.21 via Frontend Transport; Thu, 24 Sep 2020 14:02:20 +0000

Example email header with highlighted fields of interest.

Please note, the sample headers above are from one of our test emails against a live domain (hence the redacted content). The key header fields of interest show the email ‘from’ and ‘to’ as well as the various checks being passed.

Specifically, to identify this exploit we are looking for an X-Auth-ID value that does not match the ‘From’ address (usually at the domain level). In addition, the sending server “emailsrvr.com” indicates Rackspace as the sender. The malicious actors we have found to be using this in the real world also made use of PHPMailer to send the email, although this would not be required to exploit the vulnerability.

For our test, we used a trial account (7ei.cc) within Rackspace to send an email as another domain that had the relevant SPF records. A malicious actor could have done the same or as with the real-life cases we have investigated use compromised accounts.
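The header traits described above, as an added detection example (not 7 Elements’ internal POC scripts): it parses a constructed copy of the sample headers (redacted domain replaced with example.com, folded lines re-indented) and flags a message that passed SPF via an emailsrvr.com relay while the X-Auth-ID domain differs from the From domain. A benign variant, where the account sends as its own domain, is included to show it is not flagged.

```python
"""Flag SMTP Multipass-style spoofing from message headers (added example,
not 7 Elements' own POC scripts): SPF passed via a shared emailsrvr.com relay
while the authenticated submitter (X-Auth-ID) is in another domain than From.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

SHARED_RELAY_SUFFIX = "emailsrvr.com"  # Rackspace hosted-email SMTP servers

# Constructed sample modelled on the header excerpt in the write-up: the
# redacted domain is replaced with example.com and folded lines are
# re-indented so they parse as RFC 5322 continuations.
SAMPLE_HEADERS = """\
Date: Thu, 24 Sep 2020 14:02:18 +0000
To: 7 Elements <contact-us@7elements.co.uk>
From: Finance <finance@example.com>
Reply-To: Finance <finance@example.com>
Subject: SMTP Multipass
X-Mailer: PHPMailer 6.1.7 (https://github.com/PHPMailer/PHPMailer)
Received-SPF: Pass (protection.outlook.com: domain of example.com designates
 146.20.161.126 as permitted sender) receiver=protection.outlook.com;
 client-ip=146.20.161.126; helo=smtp126.iad3b.emailsrvr.com;
X-Auth-ID: john@7ei.cc
Authentication-Results: spf=pass (sender IP is 146.20.161.126)
 smtp.mailfrom=example.com; 7elements.co.uk; dkim=none (message not signed)
 header.d=none;7elements.co.uk; dmarc=pass action=none
 header.from=example.com;compauth=pass reason=100
Received: from smtp126.iad3b.emailsrvr.com (146.20.161.126) by
 HE1EUR02FT008.mail.protection.outlook.com (10.152.10.77) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.3412.21 via Frontend Transport; Thu, 24 Sep 2020 14:02:20 +0000
"""

# Same relay, but From matches the authenticated account's domain:
# a 7ei.cc user sending as 7ei.cc must not be flagged.
BENIGN_HEADERS = SAMPLE_HEADERS.replace("finance@example.com", "finance@7ei.cc")


def _domain(header_value):
    """Lower-cased domain of an address header value, or None if absent."""
    if not header_value:
        return None
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower() or None


def _relay_hosts(msg):
    """Hosts that handed the message over: Received 'from' and SPF helo."""
    hosts = []
    for received in msg.get_all("Received", []):
        match = re.search(r"\bfrom\s+([\w.-]+)", str(received))
        if match:
            hosts.append(match.group(1).lower())
    helo = re.search(r"helo=([\w.-]+)", str(msg.get("Received-SPF", "")))
    if helo:
        hosts.append(helo.group(1).lower())
    return hosts


def analyse(raw_message):
    """Return the indicator fields; 'suspicious' is the combined verdict."""
    msg = message_from_string(raw_message, policy=default)
    from_domain = _domain(msg.get("From"))
    auth_domain = _domain(msg.get("X-Auth-ID"))
    auth_results = str(msg.get("Authentication-Results", ""))
    received_spf = str(msg.get("Received-SPF", ""))
    spf_pass = bool(re.search(r"\bspf=pass\b", auth_results, re.I)) \
        or received_spf.lstrip().lower().startswith("pass")
    via_shared_relay = any(h == SHARED_RELAY_SUFFIX or h.endswith("." + SHARED_RELAY_SUFFIX)
                           for h in _relay_hosts(msg))
    # Core Multipass trait: the authenticated account and the From address
    # belong to different domains.
    mismatch = (from_domain is not None and auth_domain is not None
                and auth_domain != from_domain)
    return {
        "from_domain": from_domain,
        "auth_domain": auth_domain,
        "spf_pass": spf_pass,
        "via_shared_relay": via_shared_relay,
        "auth_id_mismatch": mismatch,
        "suspicious": mismatch and via_shared_relay,
    }
```

Running `analyse()` over a mailbox export and alerting on `suspicious` records gives the triage check the write-up describes; a missing X-Auth-ID header leaves the mismatch test undecided rather than flagging the message.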

Summary

As you can see, the main impact of this vulnerability is a malicious actor being able to send emails as any domain using the Rackspace hosted email solution, and it is one we have already seen in use by malicious actors focused on business email compromise attacks.

By sending email as another domain, the malicious actor can leverage the trust of that brand to coerce clicking on a link in a phishing-style attack, or potentially use the domain to send content that could result in reputational damage or even financial fraud through malicious invoicing-based attacks.

Disclosure Timeline

  • 20th July 2020 – Client receives phishing email using this technique to achieve business email compromise (with intent to conduct financial fraud).
  • ~30th July 2020 – 7 Elements provides assistance to the client’s internal team; working collaboratively, the technique is identified and reproduced.
  • 7th August 2020 – After finishing up our incident response effort we confirmed with the client that they would like us to report the issue to Rackspace. This contact is made to security@rackspace.com.
  • 7th August 2020 to 25th August 2020 – Communication with Rackspace around verifying the issue, the timeline for fixing the issue and ethical considerations of disclosure. Rackspace confirms that internally they are already aware of the exposure. Agreement to follow a standard 90-day responsible disclosure window after a commitment by Rackspace to work toward fixing the issue.
  • 15th September 2020 – Rackspace provide 7 Elements with an update to advise that another party has also discovered the exploit and notified them.
  • 3rd November 2020 – Rackspace provide 7 Elements with an update to advise that customer-specific communications went out on the 29th October to advise of the issue, with a fix planned to start on the 5th November 2020.
  • 5th November 2020 – Agreed disclosure date.

Image credit: Waverley Jane Media

7 Elements are now a CREST accredited company

7 Elements achieves CREST (The Council for Registered Ethical Security Testers) company accreditation in recognition of our professional penetration testing services.

CREST is an international not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST provides internationally recognised accreditations for organisations and professional level certifications for individuals.

Company accreditation builds upon our long-term commitment to professional certifications for our testing team, many of whom hold either CREST Registered Tester (CRT) or CREST Certified Tester (CCT) status.

More information on our penetration testing services can be found here.

Zooming in on security

The business landscape has undergone a sudden, drastic shift to remote access, in order to cope with the current social isolation requirements. Commensurately, the usage of video conferencing applications has skyrocketed. Perhaps the video conference tool that has most benefited from this change in business model is Zoom. The company has seen a huge boost in popularity, with reports of up to a 535% increase in traffic[1].

Wide adoption can help reduce the burden of continued operations challenges faced by a company, and a simple, reliable and flexible platform is an IT team’s dream. In spite of this, a number of security concerns persist within the Zoom platform, which should be taken into account when looking to implement it within an organisation’s operations.

Challenges in vulnerability remediations

The core security concerns raised around the Zoom platform to date relate to the ability to perform video-chat hijacking, insufficient end-to-end encryption, and a number of recently discovered vulnerabilities within the client installed on a user’s device. One issue previously identified within the software related to privilege escalation on Mac OS X devices, which may be leveraged to achieve malicious code execution or, in the case of a malicious actor, be used as an entry point into an organisation’s wider infrastructure. Another concern related to sensitive information disclosure that may allow an attacker to manipulate a user into inadvertently leaking their user credentials[2].

Ever Evolving Threats

While these issues had been previously identified and were obviously a concern for people using the platform, the significant increase in user base has led to security researchers and malicious actors seeking to identify attack vectors within the software to target users. This resulted in three zero-day vulnerabilities in the software being identified and publicised during the first three days of April 2020. The first two vulnerabilities[3] may allow an attacker to inject malicious code within a Zoom installer to achieve privilege escalation. This may be used in tandem with other attack vectors, such as a phishing attack, to target individuals or organisations.

Another vulnerability identified may allow a malicious actor to perform a malicious code injection attack that would give the attacker equivalent access rights to that of the Zoom application, meaning they would be able to intercept and spy on users via the microphone and web cam used as part of the chat.

The final issue, which was raised publicly on April 3rd 2020[4], related to the use of inadequate data encryption, which appeared to be an in-house implementation. It is highly recommended to avoid ‘rolling your own’ cryptography implementation and to use established and comprehensively reviewed methods that are widely available. The encryption implementation Zoom use was determined to contain flaws which in some instances may allow encrypted data that has been intercepted to be decrypted.

Slow start, but a rapid response

While Zoom have acknowledged the presence of these issues and have announced publicly that they are in the process of resolving them, concerns persist about the nature of their ongoing security activities and processes. Security researchers have previously been critical of the response times between disclosure of bugs and remediation by the company. On March 30th 2020, New York’s Attorney General, Letitia James, contacted the company requesting an outline of the security measures that Zoom are undertaking to resolve these issues, as well as to safeguard the platform, particularly due to the swell in its user base[5]. Zoom published an open letter on their public blog detailing the steps they have taken already, as well as the steps they will be taking over the next 90 days to improve the security posture of the platform as a whole.[6]

The steps highlighted will include a freeze on new features to allocate developers to resolving open security issues and platform hardening. They intend to engage with third parties such as security architects and penetration testing firms to perform audits and security assessments on the platform, enhancing their existing bug bounty platform and employing methods of transparency with users to allow them to understand what is done with their data, and whom it may be shared with. They have also released security fixes for Mac OSX and Microsoft Windows clients to remediate a number of the vulnerabilities publicised.

In reality, while the flaws raised publicly so far are concerning, they should be considered in context. Many of them require at least a low privileged user account on local devices, which may significantly reduce the likelihood of a successful device compromise, unless another attack is successful to gain that initial access. In the matter of the encryption implementation, the significant resources required for a successful attack to be performed make it a fairly low risk attack vector, and the majority of users would be unlikely to be legitimate targets.

Conclusion

As with any adoption of new conferencing technology during this period of change, organisations should ask themselves if they are comfortable with what is being discussed over the conferencing platform and what adverse impact could intentional or unintentional disclosure of that content cause the business.

Further consideration should be given to any risks that the installation of software could bring to the integrity of end point devices. While Zoom are now clearly in the headlights and will undoubtedly take additional steps to assure organisations that they can deliver, the increased attention is likely to result in further security concerns being identified.

Matthew Linney (Senior Consultant)

References:

[1] https://www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing

[2] https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/

[3] https://objective-see.com/blog/blog_0x56.html

[4] https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

[5] https://www.digitaltrends.com/news/new-york-attorney-general-is-latest-to-question-zooms-privacy/

[6] https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

Scottish Business Hub

The team here at 7 Elements are proud to be a supporter of the Scottish Business Hub.

The hub, created by ScotlandIS with support across industry, offers as many of Scotland’s digital technologies resources as possible to businesses either free of charge or at discounted rates. It provides Scottish businesses with essential digital tools to support rapid transformation at this challenging time.

As part of this we will provide free cyber incident triage calls for all SMEs within the Scottish business economy during #COVID-19. This could range from advice and guidance on how to deal with a ransomware attack or business email compromise, through to a hacked web site or computer virus.

Further information on our approach to cyber incidents can be found here: https://www.7elements.co.uk/services/incident-response/

If you have an ongoing cyber incident, call our triage team on 0131 235 2901.

Keeping the Show on the Road

With the onset of the current COVID-19 pandemic causing huge operational shifts for organisations, their IT operations will have to adapt in kind. Not only will organisations need to maintain their current legacy operations, they may need to leverage new tools to enable remote working. As a result, tools such as VPNs to access internal resources, or new cloud environments, may be deployed to allow operations to continue. Malicious actors, such as those focused on ransomware or business email compromise, may take any opportunity presented to them to cause negative impact. Given this, it is paramount that organisations take the time to ensure that they continue to maintain good cyber security hygiene while managing the wider risks to both employees and the wider business associated with COVID-19.
The following guidance looks at a number of core cyber security controls that should be maintained to help organisations weather the current storm.

Vulnerability Management

The first of these priorities should be to ensure that organisations continue to download and install software security updates upon release. A comprehensive patching policy that includes operating systems and third-party software must be a cornerstone of an organisation’s security policy. Ensuring that potentially exploitable vulnerabilities within software are minimised and resolved as soon as possible can significantly reduce one of the primary attack vectors malicious actors will seek to target.
On some occasions, security patches may introduce bugs into the operation of that software. As a result, it is recommended that where the business has capacity, it should install these patches in a test environment to verify the stability of the software once the patches are installed, before issuing to the wider estate.

Data Backup

Another priority should be ensuring that all sensitive and important business data is adequately backed up. A robust backup mechanism that stores current data for the short term in one location, before appending it to a longer-term, more comprehensive backup solution, would ensure that multiple disaster recovery scenarios are prepared for, especially ransomware attacks.
In the event of sudden data loss, the short-term backups can be rolled out, reducing the need for operational downtime. Equally, in the event of a breach, the data can be rolled back from the longer-term solution to a time before the breach occurred, removing the potential for loss of data integrity and providing a measure of non-repudiation.
Consideration should be given to ensuring that any new technology deployed (such as cloud-based solutions) to enable the organisation to deal with changes to working patterns is included within its backup requirements. A key question to ask would be: “Have any changes we have implemented altered where our sensitive data is held?”

Changes to the network perimeter

Due to the current government advisory of social isolation, the number of remote workers within organisations has skyrocketed. This places higher burdens on the existing remote access solutions such as VPNs to access internal resources, or forces organisations to deploy new solutions to allow access remotely. This can pose a number of risks, such as exposing services to the internet that may not have been appropriately configured. Another issue may relate to the use of outdated software if this solution has been in place for some time. Any new or existing software should be deployed to adhere to recommended good practices, such as those provided by the National Cyber Security Centre (NCSC) as part of their End User Device Security guide. https://www.ncsc.gov.uk/collection/end-user-device-security?curPage=/collection/end-user-device-security/eud-overview/vpns

Robust Password Policy

Another significant security control that must remain a focus is a robust password policy, with multi-factor authentication enforced where possible, especially where new services are being stood up in short timescales. Modern password cracking ‘rigs’ designed to brute-force password hashes, cloud computing resources that can be scaled up as needed to target user accounts in a number of ways, and generic password guessing/brute-forcing attacks are all common attack vectors. Enforce strong password requirements, such as those laid out by NCSC (https://www.ncsc.gov.uk/collection/passwords/updating-your-approach) or the National Institute of Standards and Technology (NIST).
An example of NCSC’s current advice on user password creation is to allow users to use three random words as a password. That should be easy for a user to remember but difficult for an attacker to guess, while typically being of sufficient length to make password cracking very difficult.

Enable MFA Everywhere

Multi-Factor Authentication (MFA) can further reduce the likelihood of a successful account compromise. Other solutions may be to use enterprise Single Sign-On (SSO) solutions that are designed to reduce the number of passwords a user must remember, while allowing for access to multiple applications and services. This can allow for a stronger password to be set without the confusion of multiple passwords to manage.

Phishing Awareness

With the increase in remote working comes a decrease in the ability for the workforce to communicate face to face. As a result, the number of emails received is likely to increase. While email security is a fairly broad topic, with a number of security controls that can be implemented, it is often the human factor that leads to issues. Phishing attacks have become more and more sophisticated, with methods to evade technical controls constantly being discovered. As a result, training plans that aid all users with the identification of potentially malicious emails, as well as the process to report them, are often a crucial piece of the puzzle. This training will need to be ongoing to ensure that emerging threats and trends are taught to staff.

Conclusion

While organisational IT operations are forced to change and evolve due to the current challenges faced by society, the core security practices we have laid out should not be neglected or ignored. They are as crucial to an organisation’s ongoing security now as they were a year ago. Many organisations will already have these practices implemented, while a number will still need to adopt them. Whether just rolled out, or implemented and in use for several years, auditing and security testing is vital to verifying that the controls implemented do as intended, and to identifying any gaps in those controls.

David Stubley (CEO) and Matt Linney (Senior Security Consultant), 7 Elements

7 Elements expands with new office

2020 is already proving to be a good year for the team, as 7 Elements continues to grow with the addition of a new office in Leicester.

The technical team based out of the new office will be led by Senior Security Consultant, John Moss, who said, “We have a great technical team working from our new office, a number of which are graduates of the cyber security course here at DMU and I am really excited to continue to build local relationships.”

The team has already hit the ground running, with recent engagements ranging from penetration testing of a business with over 15,000 clients and 30 million users, to incident response capability as part of a multi-million pound cyber breach.

“As we enter our 10th year, the company continues to grow in strength, with the addition of our managed vulnerability service Clarus – https://clarussecurity.io and now a permanent team in Leicester to manage the increased demand in England for our security testing and incident response services.” says CEO David Stubley.