Identities and Vulnerabilities 
Posted on September 28, 2020 by Aaron Miller

The Cybersecurity and Infrastructure Security Agency (CISA), a part of the Department of Homeland Security, issued Analysis Report AR20-268A on Thursday, September 24th, 2020. The report states that CISA became aware of a potential compromise of the network of a federal agency that, as of now, remains unnamed. Through collaboration with the affected agency, CISA was able to determine that the agency’s environment had been compromised:

“The cyber threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts, which they leveraged for Initial Access [TA0001] to the agency’s network (Valid Accounts [T1078]). First the threat actor logged into a user’s O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file (Data from Information Repositories: SharePoint [T1213.002]). The cyber threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization’s virtual private network (VPN) server (Exploit Public-Facing Application [T1190]).

CISA analysts were not able to determine how the cyber threat actor initially obtained the credentials. It is possible the cyber actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability—CVE-2019-11510—in Pulse Secure (Exploitation for Credential Access [T1212]). In April 2019, Pulse Secure released patches for several critical vulnerabilities—including CVE-2019-11510, which allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.

After initial access, the threat actor performed Discovery [TA0007] by logging into an agency O365 email account from 91.219.236[.]166 and viewing and downloading help desk email attachments with “Intranet access” and “VPN passwords” in the subject line, despite already having privileged access (Email Collection [T1114], Unsecured Credentials: Credentials In Files [T1552.001]). (Note: these emails did not contain any passwords.) The actor logged into the same email account via Remote Desktop Protocol (RDP) from IP address 207.220.1[.]3 (External Remote Services [T1133]). The actor enumerated the Active Directory and Group Policy key and changed a registry key for the Group Policy (Account Manipulation [T1098]). Immediately afterward, the threat actor used common Microsoft Windows command line processes—conhost, ipconfig, net, query, netstat, ping, and whoami, plink.exe—to enumerate the compromised system and network (Command and Scripting Interpreter [T1059], System Network Configuration Discovery [T1016]).”

What does this mean?

The attacker had acquired usernames and passwords for multiple users’ Microsoft 365 accounts and domain administrator accounts, possibly through a known vulnerability in Pulse Secure (its existence was first reported in April of 2019), which they then used to gain access to the agency’s environment: the foot in the door and the keys to all the locks. Using these credentials, the attacker was able to view emails and download attachments that contained unsecure transmission of further credentials and access, after which they began their full discovery and compromise of the agency’s environment via Active Directory. I recommend reading the report in full, as I’m only skimming the surface, though it should be an eye-opener to some.

How can I address this?

Here are a couple of items that can be rectified almost immediately by change of behavior, process, and use of maintenance windows.

  • Known Vulnerabilities
    • Patching and keeping current with your solutions’ updates and vulnerabilities is key to keeping a secure and healthy environment.
      • While this was only a potential vector for acquiring the credentials, that does not change the fact that when we look up CVE-2019-11510 we see that it has been in circulation since April 2019.
  • Communication of credentials via email and instant messaging
    • Keep credentials out of all plain text communications.
    • Leverage encrypted messaging if there is an absolute need to communicate this information.

Identity Protection

One item that jumped out at me from the report was the compromise of the agency’s Microsoft 365 accounts and how identity protection would have helped by providing risk detection and remediation.

Identity protection allows organizations to accomplish three key tasks:

  • Automate the detection and remediation of identity-based risks.
  • Investigate risks using data in the portal.
  • Export risk detection data to third-party utilities for further analysis.

With this report in mind, from a risk detection and remediation perspective, the IP addresses from the attacker’s Microsoft 365 sign-ins would meet the classification criteria of Atypical Travel. Remember from the report: “the threat actor performed Discovery [TA0007] by logging into an agency O365 email account from 91.219.236[.]166”. When we look up that IP address, we get a return from Budapest, while the second address comes from New York.
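To make the Atypical Travel idea concrete, here is an added example (not from the CISA report, and not Microsoft’s detection, which is a proprietary model) that flags consecutive sign-ins for one account whose implied travel speed is physically implausible. The user name, timestamps, coordinates, the 900 km/h ceiling and the second IP (a documentation placeholder) are all assumptions; only the first IP and the two cities come from the text above.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sign-in records. The first IP is the (defanged) one quoted from
# the report; the second is a TEST-NET-3 placeholder. User, timestamps and
# coordinates are assumptions made for this example.
SIGN_INS = [
    {"user": "helpdesk@agency.example", "ip": "91.219.236[.]166",
     "time": "2020-07-01T13:05:00", "city": "Budapest", "lat": 47.4979, "lon": 19.0402},
    {"user": "helpdesk@agency.example", "ip": "203.0.113.10",
     "time": "2020-07-01T14:20:00", "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"user": "helpdesk@agency.example", "ip": "203.0.113.10",
     "time": "2020-07-02T09:00:00", "city": "New York", "lat": 40.7128, "lon": -74.0060},
]
MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def atypical_travel(sign_ins, max_kmh=MAX_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    alerts, last_seen = [], {}
    for rec in sorted(sign_ins, key=lambda r: r["time"]):
        prev = last_seen.get(rec["user"])
        last_seen[rec["user"]] = rec
        if prev is None or prev["city"] == rec["city"]:
            continue
        km = haversine_km(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
        hours = (datetime.fromisoformat(rec["time"])
                 - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
        # Simultaneous sign-ins from two places are the strongest signal.
        speed = float("inf") if hours <= 0 else km / hours
        if speed > max_kmh:
            alerts.append({"user": rec["user"], "from": prev["city"], "to": rec["city"],
                           "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in atypical_travel(SIGN_INS):
        print(alert)
```

A fixed speed threshold like this produces false positives for VPN and proxy egress points, which is why it is best treated as a triage signal rather than a verdict.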

Another way Azure Identity Protection could mitigate risks of this nature is by leveraging Microsoft’s leaked credentials offering, which is included with Identity Protection. Microsoft finds leaked credentials in a variety of places, including:

  • Public paste sites such as pastebin.com and paste.ca where bad actors typically post such material. This location is most bad actors’ first stop on their hunt to find stolen credentials.
  • Law enforcement agencies.
  • Other groups at Microsoft doing dark web research.

To use this feature, your Azure Active Directory Connect service must be configured with Password Hash Synchronization. To get the full picture on sign-in risks, I would recommend reviewing Microsoft’s documentation, which includes a table of the risks it’s constantly evaluating; that table can be found here.

Maximize Detection During Attack Stages with Identity Protection

Identity protection is only a piece of the security puzzle. Utilizing the Azure Security Center & Sentinel stack to its fullest with solid patching, vulnerability awareness, and keeping credentials out of plain text communications will greatly reduce your environment’s attack surface.

If you need assistance with your Microsoft environment or the security around it, EDCi can help. Give us a call!