Insider Lab

Detecting compromised accounts in Microsoft 365 with InsiderSecurity’s free CASUAL tool

Introduction

In today’s digital age, cybersecurity is of paramount importance, with organizations facing an ever-evolving landscape of cyber threats and attacks. InsiderLab (our team of cybersecurity experts) conducts in-depth research and analysis of historical and emergent cyber threats, empowering organizations with the foresight needed to proactively safeguard their digital landscapes.


Amid recent events, the InsiderLab team has scrutinized the tactics and exploitation methods employed by high-profile threat actors. Through tireless investigations, InsiderLab has uncovered critical insights that shed light on the world of cyber threats. These findings not only raise awareness but also provide a comprehensive understanding of the evolving threats that organizations face today.


In this report, we focused on high-profile attacks, particularly those involving compromised Microsoft 365 accounts and studied the tactics used by these attackers. Each case study provides a unique window into the world of cyber threats, offering insights into the cunning methods employed by cyber adversaries and the vulnerabilities they exploit. Furthermore, InsiderLab released a free tool to aid in identifying similar classes of attacks.

Case Study 1: Microsoft Storm-0558 SaaS Breach

Uncovered in 2023, the threat actor behind the STORM-0558 attacks successfully accessed their victim’s Microsoft Exchange Online and Outlook accounts, completely bypassing 2FA (two-factor authentication). Notably, various U.S. government entities endured the brunt of the STORM-0558 onslaught.

These attackers were known to conduct their activity behind the SoftEther proxy VPN service, thereby masking their true IP addresses.

This was uncovered eventually discovered when the victims’ Microsoft 365 audit logs revealed that an unusual application was used to access the emails. In the blog provided by CISA (Cybersecurity and Infrastructure Security Agency), it was reported that the log entry for the ‘MailItemsAccessed‘ operations contained an unusual AppID. While it is difficult to define what is unusual, keeping track of what is typical would be useful in detecting these deviations.

For example, if the user typically uses the Outlook Express email client or Outlook.com to access their emails, a log entry with an unusual AppID (application identities) would attribute the access to a different application type, indicating a deviation in email access behavior.

The following illustration shows the difference between a threat actor and a legitimate user in accessing Exchange Online. The threat actor uses additional services such as a VPN and the Microsoft Graph API as shown in steps 1 to 3, while the legitimate user typically only uses a web browser as shown in step 4. This approach taken by the threat actor leaves an unusual AppID and client IP address in the audit trail.

Microsoft Storm-0558 SaaS Breach Path

Case Study 2: SolarWinds SUNBURST Attack

Moving on to another case study, we will discuss the SolarWinds SUNBURST Attack. Uncovered in 2020, the threat actor behind the SUNBURST attacks leveraged the Microsoft Graph API to perform data exfiltration. This SUNBURST attack impacted various government entities and major players within the technology sector.

The attackers searched for existing cloud applications with email access privileges, or alternatively, escalated the permissions of pre-existing applications. This cunning maneuver is meticulously documented in this research article , spotlighting the attacker’s utilization of the ‘Mail.ReadWrite’ permission within an existing cloud application to gain access to victim email content via said application.

Furthermore, an alternate strategy observed in a separate attack involved the dispatch of phishing emails by attackers. These deceitful communications were tailored to dupe victims into unwittingly granting consent to install malicious cloud applications. If the victim falls for this trick, attackers would be able to access the victim’s email and files via the malicious cloud application.

The following illustration describes the additional services such as the Graph API and the tainted enterprise application. The attacker would access victims’ emails as shown in step 1 to step 3, whereas the legitimate user would simply access the email directly via a web browser as shown in step 4. The attacker’s approach leaves an unusual AppID in the audit trail.

SolarWinds SUNBURST Attack Path

Case Study 3: LAPSUS$ Attacks

Now we turn to the LAPSUS$ Attacks, discovered in 2022. The attacker behind this mysterious name targeted many victims, including major tech companies. The attacker is known to access cloud resources via a VPN. A comprehensive account of this method is described in this Microsoft report, where the threat actor employs NordVPN as their conduit to hide their true IP addresses.

The attacker also added an email transport rule to forward emails from their victims to their own account.

The following illustration describes additional services such as the VPN service the attacker would use to access victims’ emails as shown in step 1 to step 2. The attacker’s approach leaves an unusual client IP in the audit trail.

LAPSUS$ Attacks Path

Threat Detection with CASUAL Tool for Compromised Accounts

Given the ongoing high-profile breaches in Microsoft 365, our team is proud to introduce CASUAL (CloudAuditSearchUAL) —a user-friendly tool designed to uncover hidden cyber anomalies in the audit trail. Download CASUAL here.

CASUAL analyzes log entries in the Microsoft 365 Unified Audit Log (UAL) and produces a JSON file that contains the following information about accesses to Microsoft 365:

  • Unique geolocations
  • Unique application identities (AppID)

With this invaluable information in hand, the security team gains the upper hand, conveniently identifying:

  • Identities accessing the cloud service from an extensive array of unique geolocations
  • Identities engaging with the cloud service through a wide range of distinct applications

Now, let us move from theory to practice.

To generate a list of identities that have accessed Azure AD and their unique geo-location within the past 90 days, execute the following command:

./ual_tool.ps1 -ops ADLogin -analyze IP -days 90

The following output shows an actual result with an identity that has accessed Azure AD from over 3 unique geo-locations.

"ACCOUT_1":  {
    "Unique IP Count":  3,
    "Unique Countries Count":  3, 
    "IP Properties":  {
        "IP RETRACTED":  {
            "Count":  3,
            "Country":  "SINGAPORE"
        },
        "IP RETRACTED":  {
            "Count":  29,
            "Country":  "MALAYSIA"
        },
        "IP RETRACTED":  {
            "Count":  29,
            "Country":  "INDONESIA"
        }
    }
}

To generate a list of identities that have accessed Azure AD and their unique application accessed within the last 90 days, execute the following command:

./ual_tool.ps1 -ops ADLogin -analyze AppID -days 90

And the following output shows an actual result with an identity that has accessed Azure AD from over 7 unique application types.

"ACCOUNT_2":  {
    "Unique Count":  7,
    "AppID Properties":  {
        "4765445b-32c6-49b0-83e6-1d93765276ca":  {
                "Name":  "OfficeHome",
                "Count":  3
            },
        "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7":  {
                "Name":  "Office365 Shell WCSS-Client",
                "Count":  18
            },
        "7eadcef8-456d-4611-9480-4fff72b8b9e2":  {
                "Count":  1,
                "Name":  "Unknown"
            },
        "c9a559d2-7aab-4f13-a6ed-e7e9c52aec87":  {
                "Name":  "Microsoft Forms",
                "Count":  2
            },
        "fb78d390-0c51-40cd-8e17-fdbfab77341b":  {
                "Name":  "Microsoft Exchange REST API Based PowerShell",
                "Count":  4
            },
        "243c63a3-247d-41c5-9d83-7788c43f1c43":  {
                "Name":  "Office Online Core SSO",
                "Count":  2
            },
        "00000003-0000-0ff1-ce00-000000000000":  {
                "Name":  "SharePoint Online",
                "Count":  2
            }
    }
}

The results can be sorted further based on the value of ‘Unique Count’. This will help analysts in identifying the identity with the most unusual access pattern.

The table below lays out an array of ‘ops‘ parameters, serving as a guide for analysts seeking to uncover anomalies across numerous services:

Parameter optionsServices
ADLoginAzure AD
OD_AccessOneDrive
SP_AccessSharePoint
EXO_AccessExchange
Table1: An array of ‘ops‘ parameters

In the CASUAL PowerShell script, you can find the mapping of operations to the parameters. And since Microsoft has pledged to expose more audit log types which are previously available only to organizations with the E5 licenses, the tool will be able to provide more visibility soon.

As you navigate through the intricacies of digital security, CASUAL can be an invaluable tool, streamlining your quest to find compromised identities. We hope that this tool empowers you and facilitates a smoother and more effective pursuit of cybersecurity excellence.

Limitations of CASUAL

  1. Unusual Application types are not automatically identified
    CASUAL simply generates a list of identities discovered in the UAL and the AppIDs used by those identities. An AppID that may be considered unusual for one identity may be normal for another. For example, an account belonging to a security team member might be expected to use PowerShell to access the cloud services, but this could be unusual for someone in the finance team. It is important to apply proper context when analyzing the results. One way is to start building a baseline with the data generated by the tool.
  2. Geo-location information may be inaccurate
    The geo-location could be misreported by the IP lookup service, or unresolvable due to the lookup cap enforced. If the tool reports an identity accessing the cloud service from an unexpected geolocation, verify the location by checking the IP with a reputation lookup service.

CSX – Simplifies Cloud Security

Unlike CASUAL, CSX (Cloud Security X) is designed to overcome the limitations mentioned above, making it an essential subscription for any organization serious about its cybersecurity posture.

CSX is an innovative solution that makes comprehensive and easy-to-use cloud security available. Leveraging innovative analytics and AI, CSX enables strong security across all layers of the cloud, covering IaaS, PaaS, and SaaS. CSX was also a project awarded by the Cyber Security Agency (CSA) of Singapore on CSA’s Cybersecurity Innovation Day 2022.

CSX reduces the personnel burden in cybersecurity. It saves costs for businesses while providing strong cloud security.

By subscribing to CSX, you are equipping your organization with cutting-edge technology that leverages AI, advanced analytics, and contextual awareness to provide a higher level of security intelligence. Embrace the limitless potential of CSX to safeguard your cloud assets and maintain a strong defense against ever-evolving cyber threats.

Mark your calendar: CSX will be launched in December, bringing in a new era of simplified yet comprehensive cloud security. Are you ready to embrace the future of cloud security?

Detecting compromised accounts in Microsoft 365 with InsiderSecurity’s free CASUAL tool Read More »

InsiderSecurity Analysis for Volt Typhoon Attacks

InsiderSecurity conducts in-depth research and analysis on emerging cyber threats, so as to equip organizations with the knowledge to proactively protect themselves. In light of recent events, our Insider Lab team has thoroughly examined the methods and exploitation techniques employed by the notorious Volt Typhoon Attacks. Furthermore, we delved into the early detection strategies and practical measures to counter these threats. Here are the key findings from our investigation: 

Volt Typhoon Attacks  

On May 24, 2023, Microsoft and the “Five Eyes Alliance” cybersecurity information sharing organization released a joint cybersecurity advisory, which detailed a series of activities related to the Volt Typhoon. According to Microsoft’s blog post, these malicious activities have been ongoing since mid-2021 and have targeted critical infrastructure sectors in Guam and the United States. The sectors affected include communication, manufacturing, utilities, transportation, construction, maritime, government, IT, and education. 

What sets these attackers apart is their extensive utilization of Living-off-the-land techniques (LOLT), which prioritize stealth and obfuscation. Remarkably, the attackers refrained from introducing any discernible malware, custom code, or binaries into the compromised systems. By doing so, they successfully evaded antivirus and endpoint detection and response (EDR) solutions, enabling them to freely navigate the networks and systems. 

In this article, Insider Lab provides valuable insights into detecting such stealthy attackers throughout the various stages of an attack. We focus on the utilization of User and Entity Behavior Analytics (UEBA), a behavioural-based security solution designed specifically to identify threats posed by these lurking attackers within the network. 

Stage 1: Entry and Credential Access 

During the initial phase of the attack, the intruder managed to gain entry into the enterprise’s intranet by initially infiltrating the router’s management interface (step 1).  

Note: While it is uncommon for the management interface to be exposed directly to the internet, this may be necessary if the device is managed by a third party. 

Subsequently, they discovered credentials stored within the router, allowing them to access the network’s assets (step 2). 

To illustrate this stage, let’s consider a scenario where the attacker stumbled on the credential ‘RouterAdmin1’ stored within the router and utilized it to gain access to the domain servers present within the enterprise’s network. 

Note: The rationale to store access credentials (to other network assets) within the router is unclear. However, this might be necessary if specific capabilities of the router have been activated. One such example is when the router needs to retrieve specific records from the identity management server, which is typically the Domain controller. 
Fig 1. Step 1 and Step 2 of Volt Typhoon Attacks

To detect steps (1) and (2) effectively, behavioural-based algorithms can be leveraged. By monitoring deviations in login behaviour, the following three use cases can trigger alerts when the ‘RouterAdmin1’ account is misused: 

  1. Odd Server Usage 
  2. Unusual Login Time  
  3. First-Time Server Login 

Fig 2. How UEBA can Detect Step 2 of Volt Typhoon Attacks

In the ‘Odd server usage’ use case, advanced behavioural analysis can detect anomalies in the usage patterns of the ‘RouterAdmin1’ account. In the event of lateral movement, if the ‘RouterAdmin1’ account is being used to access servers in a way that deviates significantly from a user’s previous patterns, an anomaly alert will be generated. For example, if an attacker gains access to the ‘File server’ and ‘Mail server’ by utilizing the ‘RouterAdmin1’ account instead of the authorized user’s account, this would trigger an alert. 

In the ‘First-time login into server’ use case, an anomaly alert will be promptly triggered when the account logs into the server for the first time. 

In the ‘Unusual login time’ use case, an anomaly alert will be generated when the account logs into the server at a time that significantly deviates from its established login timing. 

The convergence of these anomalies will increase the risk score associated with the ‘RouterAdmin1’ entity, strongly indicating malicious activities. 

Stage 2:  Command & Control 

During stage 2 of the attack, the attacker utilizes the PSEXEC to execute commands on a remote server. PSEXEC.EXE, a Microsoft tool, enables privileged users to launch processes on a remote server. Based on the NSA’s document the attacker launches the NETSH.EXE command on the File server using PSEXEC.EXE in the Domain controller (step 3). 

C:\pstools\psexec.exe” \\{REDACTED} -s cmd /c “cmd.exe /c “netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999” 

The attacker was also observed executing the following command to establish a network connection tunnel. 

netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress={REDACTED} connectport=8443 protocol=tcp 
Fig 4. How UEBA can Detect Step 3 and Step 4 of Volt Typhoon Attacks

To effectively detect steps 3 and 4, which involve the execution of privileged actions, the following use cases can be leveraged: 

  1. Privileged Network Drive Access 
  2. Creation of New Service 
  3. New Network Service 

Fig 4. How UEBA can Detect Step 3 and Step 4 of Volt Typhoon Attacks

In the use case of privileged network drive access, an anomaly alert will be triggered when the account accesses a privileged drive such as \\SERVER\ADMIN$. This hidden drive exists in Windows servers and enables privileged users to access the \Windows\ folder of the server. The \SERVER\ADMIN$ drive is commonly utilized by tools like PSEXEC to upload binaries into the server. 

In the use case of creating a new service, an anomaly alert will be promptly generated when a new system service is created. A specific example of concern is the PSEXEC tool, which creates and launches PSEXESVC.EXE as a new system service after successfully uploading the binary. 

In the use case of a new network service, an anomaly alert will be triggered upon the detection of new network connectivity or services. Specifically, this includes instances where NETSH.EXE is utilized to establish a network proxy that listens on TCP port 9999. Moreover, the network proxy is configured to forward incoming data to TCP port 8443 at the IP address 192.168.100.100. 

The presence of the new network service listening on TCP port 9999, as well as the outgoing connection to 192.168.100.100 on TCP port 8443 can be identified by the network anomaly algorithm. 

Stage 3: Reconnaissance and Defense Evasion

In stage 3 of the attack, the attacker executed a sequence of natively available commands to gather additional information (Step 5). These commands provide various information, including network settings, account details, running processes, and more. Finally, they attempted to clear the security log in order to conceal their tracks (Step 6). 

Fig 5. Step 5 and Step 6 of Volt Typhoon Attacks

To detect steps 5 and 6 effectively, the following use cases can be leveraged: 

  1. Suspicious LOLBIN activity 
  2. Security Log Cleared 

Fig 6. How UEBA can Detect Step 5 and Step 6 of Volt Typhoon Attacks

In the use case of suspicious LOLBin (Living-off-the-Land Binary) activity, an anomaly alert will be generated when a series of native commands are executed in a pattern that closely resembles the activities typically carried out by an attacker during reconnaissance and maintaining access. 

These are the specific LOLBin commands outlined in the advisory released by the NSA pertaining to the campaign:

Fig 7. Specific LOLBin Commands in Volt Typhoon

In the use case of security log clearance, an anomaly alert will be triggered when the account attempts to clear the security event log. This deliberate action poses a significant concern as it obstructs forensic analysis and investigation, especially when the victim lacks access to the audit trail. 

This underscores the importance of forwarding the audit log to a secure and resilient log storage facility to preserve crucial evidence for future analysis. 

Auto triage of security alerts 

In the previous sections, we discussed the use cases for detecting stealthy attackers in a network. While one can try to use a SIEM (Security Information and Event Management) solution to implement some of these use cases, there are significant limitations to consider when using a SIEM solution for such use cases. 

For example, monitoring Event ID 1102 can help detect the clearing of security logs, while Event ID 5145 can identify privileged network drive access. However, enabling these alerts in a SIEM may overwhelm the security team with numerous alerts, including many that are benign or unrelated to malicious activity. 

To address this challenge, UEBA (User and Entity Behavior Analytics) will be an effective approach. UEBA continuously triages and compares activity against the historical behavioural of entities. The security team is only notified when behavioural changes linked to relevant use cases are detected, minimizing alert fatigue. 

By leveraging UEBA, security alerts are analyzed in the context of an entity’s overall behaviour, allowing for a more accurate and targeted detection of suspicious activities. This approach significantly reduces the number of false positives and focuses attention on the most relevant alerts, improving the efficiency and effectiveness of the security team’s response to potential threats.  


 

Fig 8. UEBA send a security ticket to users

Summary and Recommendations 

The attacker’s patient execution of the campaign, relying on the operating system’s limited tools and living-off-the-land (LOL) techniques, emphasizes the need for proactive security measures. To safeguard your organization against such threats, we recommend implementing the following measures: 

  • Restrict direct internet access to the router’s management interface 
  • Maintain credentials stored in the router at lower privilege levels 
  • Implement comprehensive authentication and authorization measures for both intranet and internet-facing assets 
  • Establish a secure and centralized location for forwarding and storing audit logs 
  • Take a proactive approach by continuously monitoring audit logs for any abnormalities related to identity, network, and assets. Detecting anomalies early can help mitigate potential threats before they escalate 

How can InsiderSecurity help? 

Fig 9. A timeline chart showcasing the detection at each stage of the Volt Typhoon attack with InsiderSecurity’s Automated UEBA

InsiderSecurity’s Automated UEBA (User and Entity Behavior Analytics) powered by AI and advanced user behaviour analytics provides early detection of various security risks, including hijacked accounts, insider threats, and compromised servers. By leveraging our Automated UEBA, organizations can effectively detect all the above-mentioned attack pathways. 

Through continuous monitoring and analysis of user behaviour, InsiderSecurity identifies suspicious activities, anomalous patterns, and deviations from normal behaviour. This allows for the proactive identification of potential security incidents and timely response to mitigate risks. 

InsiderSecurity’s Automated UEBA goes beyond traditional rule-based approaches, utilizing advanced machine learning algorithms to detect complex and evolving attack techniques. By analyzing user behaviour, account activity, network traffic, and other relevant data sources, our solution provides enhanced visibility into potential threats and helps organizations stay one step ahead of adversaries. 

Elevate your security posture and protect your organization from sophisticated threats. Contact us now to schedule a consultation and discover how our advanced security solutions can help you stay ahead of evolving cyber risks. Don’t wait until it’s too late – act now to secure your future. 

InsiderSecurity Analysis for Volt Typhoon Attacks Read More »

Lessons From Recent Cloud Data Breaches

Cloud Security is an evolving area in which many companies are still finding their footing. Navigating a cloud environment can be challenging for cybersecurity teams who are unfamiliar with how security changes in a cloud environment. Examples of this can be increased automation, a shared security responsibility model, faster change management, and so on.

Cybersecurity teams can learn which areas to focus on by upskilling their cloud knowledge via certifications, adopting cloud-native best practices, and by studying cloud data breaches within the industry. By analyzing these incidents and understanding what vulnerabilities led to these control failures, companies can ensure they are not exposed in a similar way.

Let us look at a few of the most notable cloud data breaches of recent years and what lessons we can learn from them.

Accenture

Accenture, a well-known name in the IT consulting industry, revealed that a popular ransomware group had compromised them in 2017. As a consequence of a cloud misconfiguration, Accenture inadvertently left four of its AWS S3 buckets to be publicly accessible. As a result, hundreds of gigabytes of sensitive client and company data were exposed. This data included more than 40,000 plaintext passwords, sensitive API data, decryption keys, authentication credentials, user data, and customer information. Hackers released some of this data on the dark web. 

In August of 2021, Accenture again fell prey to an attack via the LockBit ransomware.  Attackers exfiltrated over six terabytes of data and demanded that a $50 million ransom payout be made. The compromise also affected Accenture customers.  

Accenture admitted in its financial report that  
“In addition, our clients have experienced, and may in the future experience, breaches of systems and cloud-based services enabled by or provided by us.” 

A few of the key lessons that can be taken from this incident are:  

  • Deploy cloud security tools to detect misconfigurations in the cloud environment. These misconfigurations are usually how attackers gain a foothold in an environment.  
  • All major cloud providers like Microsoft Azure, Google, and AWS have guidance on how to protect against ransomware. These should be studied and adopted.  
  • Insider threats are a genuine cause for concern. Employees with access can be targeted and potentially bribed by attackers with million dollar budgets. 
  • Partners and customers of Accenture were compromised as part of this attack, and hence it is essential to assess the risk of third-party access in a cloud environment.  

Cognyte 

Cognyte, a cybersecurity analytics firm, faced industry scrutiny after a misconfiguration led to over 5 billion user records being exposed over the internet. Even worse was that this database contained data about previous security incidents as part of Cognyte’s intelligence service. A misconfiguration of this database led to it being exposed over the internet without any authentication in place. Thankfully this was discovered by a security firm and informed to them proactively. 

A few of the critical lessons that can be taken from this incident are:  

  • Misconfigurations remain one of the biggest threats to cloud security. Without controls to detect and remediate such mistakes, a company can face a similar situation to Cognyte.  
  • It is difficult to secure that on which you have no visibility. Make use of cloud security tools to identify all cloud resources and their security posture.  
  • Passwords are simply not enough to secure a cloud environment. Implementing multi-factor authentication would have mitigated the impact of this exposure and is something all companies should implement.  

Kaseya

Kaseya, a popular IT management software provider based in the U.S., was compromised in July 2021 by a Russian Hacking group. The attack was similar to the supply chain compromise of SolarWinds in which a popular software is compromised and used as a jumping point to access more environments. While the company shut down its SaaS servers and notified customers, it was not enough to contain the blast radius of the attack as customers found themselves receiving ransomware instead of Kaseya’s regular software updates. The situation was severe enough for the FBI and cybersecurity firms like Mandiant to get involved.  

A few of the critical lessons that can be taken from this incident are:  

  • Supply chain attacks can be highly devastating as many other parties are compromised along with the initial victim. Attackers are smart enough to realize that compromising the software supply chain can be easier and result in higher payoffs than attacking companies head-on.  
  • Patching remains as essential as ever, as the Russian Group was able to compromise Kaseya by exploiting unpatched vulnerabilities.  

Raychat

Raychat, a famous Iranian chatting application, was compromised in February of 2021 due to a misconfigured database similar to Cognyte. Over 267 million personal details of its customers were accessed and then deleted by a bot. The misconfiguration meant that no advanced technical skills were needed, and the attacker could simply access the database and destroy it without any controls detecting or stopping the malicious activities.  

A few of the critical lessons that can be taken from this incident are:  

  • The common theme of misconfigurations once again shows up in this case. If Raychat had implemented controls to detect and remediate this weakness in time, the entire data breach could have been avoided.  
  • Continuous monitoring of a cloud environment is essential. An attacker accessing a cloud database should be detected due to its suspicious nature. However, the lack of such controls meant Raychat was not aware while the attack was taking place.  

Lessons learned

By analyzing these incidents, we can pick up some common themes in nearly all of these incidents. These are lessons to ensure that our cloud environments do not contain the same weaknesses:  

  • Misconfigurations are a crucial risk, and it is essential to have controls in place that can detect and mitigate these weaknesses. 
  • Visibility into cloud resources is critical, as cloud environments change rapidly.  
  • Continuous monitoring of cloud resources is needed. Suspicious activities like logins from suspicious locations and data exfiltration should be detected. Cloud Security Monitor provides such automated, continous monitoring.  
  • Multi-factor authentication is a best practice that should be implemented in both the cloud and on-premise. 
  • Supply chain risk can be a blind spot in cloud environments. It is useful to do a risk assessment of the software supply chain and implement controls to protect against its compromise.  

Lessons From Recent Cloud Data Breaches Read More »

InsiderSecurity Analysis for CVE-2023-23397 Microsoft Outlook Vulnerability 

CVE-2023-23397 Threat Overview 

InsiderSecurity carries out research and analysis on the latest cyber threats to help organizations stay ahead. InsiderSecurity analysed the possible exploitation techniques for the recent Outlook vulnerability, as well as methods for early detection of such exploits, both for this specific vulnerability and future similar vulnerabilities. The following are our findings:

Microsoft recently released a patch for Outlook vulnerability CVE-2023-23397, which has been actively exploited for almost an entire year. The CVE-2023-23397 vulnerability in Microsoft Outlook has generated significant concern due to its high severity score of CVSS 9.8.  It affects everything from Microsoft 365 apps for enterprise to Outlook 2013 SP1. This exploit has caught the attention of a hacking group linked to Russia’s GRU military intelligence agency that is using it to target some European organizations in government, transportation, energy, and military sectors.  

Companies have to quickly patch their Outlook software and implement measures to detect if they have been compromised. As companies may already be compromised, it is not sufficient to simply block access to port 445 on the internet. 

Stealing the Net-NTLM hash 

CVE-2023-23397 allows the attacker to steal the Net-NTLM hash from the victim, which enables an attacker to assume a victim identity and to move deeper into the organisation.  
The attacker steals the Net-NTLM hash by tricking the victim into accessing an UNC path \\Attacker_IP_Address. The ‘leaking’ of Net-NTLM hash through this mechanism is not new, nor is it considered an actual vulnerability by itself, as it is a feature which allows Windows machines to communicate with one another. 

The safer Kerberos authentication is typically used by machines within the same domain. However, when a user wants to communicate with a machine belonging to a different domain or with a machine known only by its IP address, the Kerberos authentication would not work, hence, the user’s authentication type will be downgraded from Kerberos to NTLM, and the user’s Net-NTLM hashes will automatically be sent to the destination. 

For instance, if a user attempts to access the following UNC paths, the Net-NTLM hash will be sent (and therefore leaked) to an attacker. 

\\Attacker_IP_address 

\\Attacker_hostname.In_another_domain 

How is CVE-2023-23397 exploited 

The impact of CVE-2023-23397 is equivalent to the impact of a successful Net-NTLM based attack. In all attack paths, the attacker sends a malicious email to the victim, causing the victim’s machine to send their Net-NTLM hash to the attacker. Once the attacker steals the Net-NTLM hash from the victim, they could proceed with either of the attacks described in the slides: 

  1. In attack path 1, the attacker could gain high privileged access to Windows domain server of interest by relaying the Net-NTLM of the privileged user to the domain server. This could be done by targeting a privileged user to send their Net-NTLM hash to a pre-compromised machine belonging to a clueless employee within the network. This is also known as NTLM-Relay attack. 
  1. In attack path 2, the attacker could attempt to recover the password from the stolen Net-NTLM hash through offline password cracking, allowing the attacker to login into the company’s network via VPN and move laterally from assets to assets. This could work because the password for all the services available to the victim could be synchronized and centrally managed by an identify provider (i.e. – Domain controller). Multi-factor authentication (MFA) will reduce the possibility of this attack path.  
  1. In attack path 3, the same password recovery technique described in attack path 2 would be used which allows the attacker to login into the victim’s cloud account. The attack could then continue to search for valuable data or secrets stored in the cloud and perform cloud-based attacks. MFA will reduce the possibility of this attack path too. 

Detection strategies  

There are a number of approaches to detect successful Net-NTLM based exploits due to the CVE-2023-23397 or similar vulnerabilities. These include 

1.  Detecting for TCP connections made to port 445 (SMB) and port 80 (WebDAV) in both internal (Attack path 1) and external IP (Attack path 2 and 3) addresses, especially for new destination IP addresses not observed in the past. 

2.  Successful login from accounts made from a new location, whether from cloud and on-premise (Attack paths 1,2 and 3)

3.  Detecting for NTLM authentication from accounts that do not usually perform NTLM authentication. Successful Net-NTLM-Relay attack has been observed to be chained with NTLM hash dump which will lead to pass-the-hash attack. 

4.  Monitoring for changes in server access patterns, where a compromised account is used to access servers in a suspicious manner. 

Behaviour analytics can detect such changes and enable users to detect Net-NTLM exploits, even if the exploit is due to newly discovered vulnerability. 

The above are some of the use cases we have in InsiderSecurity solutions, and we hope these tips are useful for the community. So, gear up and get ready to hunt down these attacks like a pro. And always remember to stay safe out there! 

Avoid Similar Attacks with InsiderSecurity

Looking for ways to stay ahead of any cyber threats? InsiderSecurity provides advanced cybersecurity behavior analytics products that help your company to uncover cyber threats before there is any serious data loss. We offer a range of solutions, including Automated UEBA for securing on-premise and cloud IT infrastructure, as well as the Cloud Security Monitor for ensuring cloud data security. 

Automated UEBA establishes baselines of data access behaviour and alerts on abnormal activity. It detects insider threats, backdoors and advanced attacks by leveraging machine learning and advanced user behavioral analytics.  

InsiderSecurity protects your critical data wherever it resides—on-premises, in the cloud and the hybrid environment. 

InsiderSecurity Analysis for CVE-2023-23397 Microsoft Outlook Vulnerability  Read More »

Cybersecurity Code-of-Practice (CCoP) 2.0: Complying with InsiderSecurity

Why choose InsiderSecurity for CCoP 2.0

InsiderSecurity products are built for compliance

  • Ease of use, especially useful for small IT teams
  • Automated review of account activity saves hours in monitoring
  • Built-in workflow that support governance and audits

Do you also know:

  • InsiderSecurity is used and trusted by Singapore CII today
  • InsiderSecurity is IMDA accredited
  • InsiderSecurity is an award-winning Singaporean technology company that has its engineering and technical support teams in Singapore

What is Cybersecurity Code-of-Practice (CCoP) 2.0?

The Cybersecurity Code-of-Practice (CCoP) 2.0 refers to the Cybersecurity Code of Practice for Critical Information Infrastructure 2.0, which is an updated version of the CCOP 1.0 released in 2018. The CCoP 2.0 published on 4 July 2022. It specifies the minimum cybersecurity requirements that organizations operating Critical Information Infrastructure (CII) must implement to ensure the security and resilience of their IT or OT system and/or network infrastructure, including physical devices and systems, software platforms, and applications of the CII.

The primary objective of CCoP 2.0 is to enhance the defensive capabilities of organisations against the sophisticated tactics, techniques, and procedures (TTPs) employed by cyber attackers. It seeks to impede their progress of attacks and improve the agility to tackle emerging risks in domains such as cloud, AI, and 5G. Additionally, it facilitates coordinated defenses between the government and private sectors to promptly identify, discover, and respond to cybersecurity attacks and threats.

Whom will CCoP 2.0 affect?

The designated CII sectors, which are responsible for the continuous delivery of essential services in Singapore, are Government, Energy, Water, Healthcare, Banking & Finance, Transport (encompassing Land, Maritime, and Aviation), Media, Infocomm, and Security & Emergency Services.

How does InsiderSecurity meet CCOP 2.0?

InsiderSecurity helps to meet key CCoP 2.0 requirements that are challenging and tedious to comply with. As a leader in automated analytics, InsiderSecurity’s solutions are especially useful for smaller IT teams. InsiderSecurity solutions are used in Singapore CII today. 

InsiderSecurity meets CCOP2.0 in the below two areas: 

  • Database security
    InsiderSecurity’s simplified database monitoring flags out data access anomalies. InsiderSecurity saves manpower in monitoring.
  • Monitor for anomalies in user behaviour patterns
    InsiderSecurity’s automated log analysis flags out anomalies in behaviour patterns and detects early signs of breach. With InsiderSecurity, the user does not have to manually review high volume log events or alerts. InsiderSecurity makes sense of the logs and saves manpower in monitoring.

Which CCOP2.0 requirements are addressed by InsiderSecurity?

CCoP 2.0 Requirements Clause InsiderSecurity
5.2 Account Management 5.2.1(d) Establish mechanisms and processes to monitor the activities of each account, including behavioural patterns, for any anomalies and to trigger an alert for investigation when any anomaly is detected; Yes
5.13 Database Security 5.13.4 The CIIO shall monitor databases in a CII for anomalous activities and trigger an alert for investigation when any anomaly is detected. Yes
5.13.5 The CIIO shall monitor for bulk queries that exceed a predetermined threshold of data to be retrieved and trigger an alert for investigation when any such bulk query is detected. Yes
6.1 Logging 6.1.1 The CIIO shall generate, collect and store logs of the following: Yes
(a) All access and attempts to access the CII and the activities during such access, including application and database activities, and access to data in the CII; Yes
6.2 Monitoring and Detection 6.2.1 The CIIO shall establish and implement mechanisms and processes for the purposes of: Yes
(a) Monitoring and detecting all cybersecurity events in respect of the CII; Yes
(b) Collecting and storing records of all such cybersecurity events (including, where available, logs relating to the cybersecurity event); Yes
(c) Analysing all such cybersecurity events, including correlating between cybersecurity events, and determining whether there is or has been any cybersecurity incident; and Yes
6.2.2 For the purposes of monitoring and detecting cybersecurity events, the mechanisms and processes established by the CIIO shall include: Yes
(b) Establishing the normal day-to-day operational activities and network traffic in the CII, and using this as a baseline against which the CIIO is to monitor for deviations and anomalous activities; and Yes
(c) Ensuring that alerts for further investigation are triggered for all deviations and anomalous activities that are detected. Yes

CSA has also provided more clarification via their Responses to Feedback Received dated July 2022. The below compliance table outlines how InsiderSecurity meets the CSA responses on CCoP 2.0:

CSA responses on CCoP 2.0InsiderSecurity
11.4 The CIIO is expected to monitor the behavioural patterns of user accounts within the CII environment and to trigger an alert if a CIIO detects suspicious behaviour patterns or behaviour patterns that deviate from the expected baseline.Yes
11.12 The intent of the clause is to facilitate early detection of any unauthorised access and malicious activities performed by the privileged accounts. The CIIO should log privileged account related activities such as login attempts, configuration changes etc.Yes
11.41. The CIIO should log and monitor all application access and activities to detect any unauthorised access or malicious activities to the application. Following the feedback, CSA has revised the clause to provide clarity.Yes
12.15. Examples of the components of the threat hunting include having data to baseline normal traffic to find outliners, develop hypothesis based on tools and framework, and investigate and analyse potential threats to discover any new malicious patterns in the data and uncover threat actor’s TTPs.Yes

What are the InsiderSecurity products that meet CCOP2.0?

InsiderSecurity’s Database Activity Monitor (DAM) discovers data access anomalies early before there is serious data loss. Some of its key features are:

  • Easy Deployment and Reduce Operation Cost
    By leveraging on machine learning and AI, Database Activity Monitor does not require the user to configure complex, error-prone database rules. Database Activity Monitor works practically out-of-the-box.
  • Automated monitoring for suspicious data activity
    Automatically detect suspicious database administrator activities, data theft and unusual network activities in the databases.
  • Save manpower
    With smart algorithms making sense of events 24/7, customers only need to review high-risk accounts and activities instead of long, complex reports.
  • Built for compliance
    Features for IT governance and support for audit.

InsiderSecurity’s Automated UEBA flags out anomalies in behaviour patterns and detects early signs of breach. Some of its key features are:

  • Stop Internal Threats
    Continuous, automated monitoring of all user behaviours to uncover suspicious user activities early, before there is any serious data loss
  • Automated Threat Detection
    Detect automatically and save on manpower.
  • Advanced Sensors
    Provide visibility needed to catch Advanced Persistent Threats (APTs)
  • Built for compliance
    Features for IT governance and support for audit.

About InsiderSecurity

InsiderSecurity is a Singapore-based cybersecurity technology company that has garnered industry recognition and awards. Founded by a team of cybersecurity experts, InsiderSecurity provides cutting-edge user behavior analytics to detect internal cyber threats early.

InsiderSecurity is a two-time winner on CSA Cybersecurity Innovation Day, in 2020 and 2022, and has also been listed in the ASEAN 40 under 40 for its groundbreaking cybersecurity innovations. InsiderSecurity is the only company accredited by Singapore Government in the area of User and Entity Behavior Analytics. This means that InsiderSecurity met IMDA’s high standards for deployment in enterprises and government agencies.

InsiderSecurity solutions are used by large enterprises and government agencies today.

Complying CCoP2.0 with InsiderSecurity

For more information on how InsiderSecurity can help you meet your compliance and security needs

Contact Now

Cybersecurity Code-of-Practice (CCoP) 2.0: Complying with InsiderSecurity Read More »

Uber Data Breach

Insights from the Uber Breach: Ways to Prevent Similar Attacks 

Uber Technologies disclosed it was investigating a cybersecurity incident after reports that hackers had breached the company’s network. An in-depth analysis of the attack reveals how the attack occurred and ways organizations can prevent similar incidents in the future. The security industry, however, is still abuzz following this incident, with experts concerned about how an allegedly 17-year-old attacker hacked Uber’s IT infrastructure and acquired sensitive data.  

Experts at InsiderSecurity dissected the attack and came up with hackers’ progression along Uber’s killchain, starting from the initial access, discovery, lateral movement, and data exfiltration. This breach is a reminder that threats are always present and evolving, hence we must do our utmost to learn and adapt to the ever-changing threat landscape. Therefore, based on the Uber incident details, we provide a list of effective strategies organizations can use to identify and mitigate similar incidents in the future.  

What and How Did the Attack Happen? 

  1. Initial Access 
    The hackers accessed Uber’s IT environment after accessing the company’s VPN infrastructure credentials. We got this information from Uber’s September 19 security update that names Lapsus$ as the potential threat actor.  
    “An Uber EXT contractor had their account compromised by an attacker,” reads Uber’s security update. “It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web after the contractor’s device had been infected with malware, exposing those credentials.” 
    It’s important to note that Uber has implemented multifactor access control for its systems. However, according to their update, the attacker successfully logged in after the contractor accepted one of the many attempted two-factor login approval requests.  
  1. Discovery  
    The contractor whose credentials were stolen did not have privileged access to critical systems. Nevertheless, the contractor had access to a network share. This access is authorized for most internal users. Furthermore, even with restricted access, the cyber actor located a PowerShell script containing hard-corded privileged credentials for Thycotic, the target’s Privileged Access Management (PAM) solution. The PAM user credentials granted access to Uber’s secret services, such as DA, DUO, AWS, GSuite, and Onelogin.  
  1. Privilege Escalation and Access to Critical Systems   
    The hacker stole the admin credentials needed for elevated permission to different critical systems and tools. This attack is unique and worthy of attention as it shows how credential theft can lead to a breach of multiple systems. For instance, the attacker in Uber’s case accessed Slack, Google Workspace Admin, AWS accounts, HackerOne admin, SentinelOne EDR, vSphere, and financial dashboard.  
    Besides, the hacker posted a message to a company-wide Slack channel and reconfigured OpenDNS to display a graphic image on internal sites.  
  1. Data Exfiltration  
    Uber divulged that the cyber actor accessed the company’s bugs and vulnerabilities reports, but the security team had remediated the bugs. However, the hacker stole crucial information from the Slack business messaging app.   
    An excerpt from the company’s security update reads, “it does appear that the attacker downloaded some internal Slack messages as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices.”  
    Uber responded by identifying and blocking compromised accounts to ensure the attacker had no further access to systems. In some cases, the company required a password reset to restore accounts. Uber also disabled affected tools, rotated keys to reset access to internal servers, locked down the codebase, and required employees to re-authenticate to regain access.  

Lessons from the Breach and Ways to Mitigate Similar Attacks  

Uber’s security incident involved both human users and systems. Therefore, it’s worth pointing out that a single technology solution could not avoid such a breach. Instead, cybersecurity professionals and companies require a set of controls and training to mitigate similar attacks in the future.  

  1. Strengthen Security Configuration  
    As pointed out above, Uber had MFA in place for user access. That is to say; multifactor authentication is not a silver bullet in today’s cybersecurity landscape. Today, hackers have developed various methods to circumvent access control mechanisms, including MFA.
    A crucial step towards safeguarding your systems and information is to get rid of embedded credentials. Additionally, it is vital to remove standing access to sensitive infrastructure and cloud interfaces, which in turn can limit lateral movement.  
  1. Implement Cloud Security Monitor (CSM) 
    Organizations can enhance security by implementing a CSM solution that provides a clear view of their systems and networks for visibility of any unusual activity or behavior. For instance, InsiderSecurity’s CSM is a simple-to-use SaaS for enterprises to monitor their data security in cloud services like Microsoft 365. CSM provides automated monitoring of cloud user logs. The solution uses award-winning automated cybersecurity analytics and machine learning, allowing you to discover threats early before serious data loss.  
  1. Social Engineering is Still a Serious Threat  
    The fact remains that end users are an organization’s biggest security risk. According to Dark Reading’s 2021 Strategic Security Survey, 48% of participants still perceive users breaking security policies as the biggest risk, while 15% believe social engineering attacks still cannot be anticipated or prevented by current technology. As staff members and other authorized users still remain the gatekeepers of your company data, it is essential to train them to detect and report social engineering attacks like phishing to avoid credential theft.  
  1. Detect Login Anomalies from Privileged Accounts   
    Certainly, privileged accounts remain attractive targets for cyber attackers due to their access to sensitive information and systems.  In fact, data breaches and compromised privileged accounts go hand-in-hand. Therefore, you should secure your vital secrets and privileged credentials before extending the same to other data and information. Companies can monitor account use through continuous visibility and reporting that ties activities to specific users. Keep an open mind and look at admin accounts’ events from all angles to detect indicators of compromise.  
  1. Detect and Investigate Excessive Downloads  
    Excessive downloads can be categorized as risky because it indicates an insider or a compromised user who is trying to exfiltrate data. Implementing automated activity monitoring across the entire IT environment to identify unusual file download activity. For example, if a user is seen to have downloaded a large amount of data outside of their expected download behavior, an alert will be triggered. This behaviour can be learned via machine learning algorithms that capture the user’s profile within the environment.  
  1. Detect Suspicious Email Transport Rule Activities and Other Privileged Activities 
    There are legitimate scenarios for using mailbox rules that either forward or delete all emails that matches certain criteria. However, attackers are also known to add suspicious email transport rules in victims’ mailboxes so that any new email received will be forwarded elsewhere, typically to an attacker’s email account. For example, a hacker might want to collect financial data from a company. In this case, they create an inbox rule on a compromised user mailbox to forward all emails containing finance and accounting keywords in the subject or the message body to an external mailbox.  
    Malicious inbox rules are widely common in phishing campaigns and business email compromise, making it important to monitor them consistently. 
    Certainly, unexpected rule changes could be a sign of a compromised email account. Therefore, it is important to verify with the user if the mailbox rules were added intentionally in the case of updated email transport rules. 

Avoid Attacks with InsiderSecurity  

An analysis of recent incidents reveals there is no foolproof against modern frequent and sophisticated data breaches. Fortunately, implementing layered and robust security measures along with training of employees as well as the use of cloud security solutions to monitor and report anomalous activities can help mitigate attacks. Unfortunately, some firms lack the resources and expertise to implement such controls. To make matters worse, they might not know if they are breached until months later, when it is too late.  

InsiderSecurity offers advanced cybersecurity solutions and expertise needed to help your company to find cyber threats before there is any serious data loss. We offer a range of solutions, including the Cloud Security Monitor for ensuring data security in your cloud services and Automated UEBA for securing on-premise and cloud IT infrastructure.  

Insights from the Uber Breach: Ways to Prevent Similar Attacks  Read More »