Hackers Can Gain Active Directory Privileges Through Vulnerability in Xerox Printers

virtual private network security, VPN safety, VPN risks, cybersecurity strategies, VPN breaches, VPN security measures
virtual private network security, VPN safety, VPN risks, cybersecurity strategies, VPN breaches, VPN security measures

Organizations beware: last week, Xerox released a security advisory for several models of the WorkCentre Multifunction and Color Multifunction printers. Thanks to a Lightweight Directory Access Protocol (LDAP) vulnerability, hackers can launch a pass-back attack against printers with weak or default credentials. This exposes the login information of Active Directory users – including those with administrative privileges – and can be used to gain further control over an organization’s network.

Deral Heiland and Michael Belton’s research on multi-function printers  and the “Pass-Back Attack” first appeared in a document published on foofus.net. Steven Campbell, a Senior Security Consultant at Securicon, frequently finds network devices using default credentials that are vulnerable to the pass-back attack vector during client assessments and uses this attack vector to discover credentials to Active Directory service accounts.

Unfortunately, the newly reported vulnerability in Xerox WorkCentre MFP’s is just one in a series of similar weaknesses impacting today’s off-the-shelf IoT devices. In this article, we’ll explain how it can be used to gain administrative access over Active Directory domains, and what you should do to protect yourself.

How it Works: Xerox Pass-Back Attack

First – after accessing an organization’s network – a malicious or unauthorized user can gain access to the Web interface for affected Xerox printers using well-known, default login credentials. Even if the username and passwords have been changed, they may be brute-forced if they are weak and easily guessable.

Figure 1: Admin interface accessed using default credentials

Next, the actor finds an LDAP connection configured on the device and changes the Server IP address or hostname to their own IP address as shown in the next figure. Since the Xerox firmware does not require a user to re-enter or validate the LDAP credentials before changing its server address, there is nothing standing in the attacker’s way.

Figure 2: Editing LDAP Connection

Next, the attacker uses a utility like netcat to listen for incoming connections and display the output in plaintext. Using the LDAP server search field, they can search for any name and connect to the corresponding account.

Figure 3: LDAP User Search

On the actor’s system, the netcat utility receives the connection and displays credentials used by the printer to reach the Active Directory Domain Controller, including domain, username and password.

Figure 4: Capturing Plaintext Credentials

In the best-case scenario, the attacker will discover an ordinary Active Directory user account that does not belong to any privileged security groups. The attacker can still use the unauthenticated user to gain a foothold in the domain, which constitutes a moderate vulnerability.

However, our own tests on client networks demonstrate that the worst-case scenario is more likely. We frequently find that the printer service account belongs to a privileged group such as “Domain Admins,” and grants the attacker full control over the Active Directory Domain. This is a severe vulnerability which requires immediate remediation.

Are You Protected?

The table below lists Xerox printers susceptible to the attack outlined above, and the corresponding firmware patch. Devices on a lower software version are still vulnerable and should be patched using the updates provided by Xerox.

Aside from installing the latest firmware update, we recommend that organizations implement two security controls across all their networked devices to prevent similar attacks in the future:

  1. Always update default manufacturer credentials with strong passwords and use two-factor authentication (2FA) whenever possible. Recently, Barracuda network devices were impacted by an LDAP vulnerability similar to the one described in this article; all users were impacted except for those enrolled in 2FA.
  2. System administrators should avoid adding printer service accounts to privileged Active Directory groups, and – in general – they should keep the number of administrative users to an absolute minimum.

Although it should be incumbent on vendors and device manufacturers to validate users before allowing them to change crucial device settings (like LDAP IP address), the truth is that today’s vendors cannot be trusted to enforce rigorous security controls. Organizations must take the initiative to strategically protect their networks. 

Bridging the IoT Security Gap

In the past, we have talked about the IoT security gap and lax controls from hardware manufacturers. Sadly, the vulnerability covered in this article is a case-in-point: today, networked devices are being pushed to market faster than they can be secured, and security is rarely a priority in development. This leaves many organizations with blind spots in their security position as a host of seemingly benign devices (like printers) provide a wide attack surface for malicious actors.

IoT and networked devices are the future – but meeting the technological needs of your business and protecting your investment are not mutually exclusive goals. As the average cost for a data breach climbs to historical highs, organizations cannot afford to be caught off guard by easily prevented security vulnerabilities. This year insure your organization against future threats by taking inventory of your IT assets and assessing them for risk.

Securicon’s risk management solutions are based on the industry standards for safety and professionalism. With years of experience in IT and critical infrastructure, we are here to protect your organization and ensure the highest quality of compliance. Contact us for more information on our risk assessment framework

How to Survive a Data Breach: 14 Disaster Response Tips

cyber warfare, How to protect against data breaches
cyber warfare, How to protect against data breaches

Twenty years ago, data breaches were uncommon, and when they happened, they tended to be small. But thanks to digital infrastructure, a worldwide community of skilled attackers with powerful tools and a black market for personally identifiable information (PII), login credentials and financial accounts, large-scale data breaches are now a significant threat to organizations large and small.

In 2018, more than 6,500 data breaches resulted in billions of compromised consumer records. This year, 28% of organizations polled by the National Cyber Security Alliance reported a breach within the past 12 months. There’s a price to pay for negligence: the average cost of every stolen record is $242, and – according to one study – 60% of small businesses are forced to close their doors within 6 months of a cyber-attack.

Today’s businesses bear a great responsibility to their customers and shareholders. Protecting data can mean the difference between staying open and facing bankruptcy: strict security compliance is therefore required to combat the growing number of attackers both domestic and abroad.

But no matter how prepared an organization is for the worst, data breaches can still occur, and when that happens, rapid response is required to mitigate damages. In this article, we’ll share 12 tips for surviving in the aftermath.

What to Do Immediately After a Breach

In the hours after a data breach is discovered, an organization’s actions can potentially save millions of dollars. Staying focused and following strategy is paramount to survival and damage reduction.

1. Isolate the breach – locate the systems affected by a breach and – if possible – physically isolate them from both the Internet, and the rest of an organization’s network infrastructure. However far the attacker has already penetrated, this will prevent them from going any further.

2. Locate threat source study the location of a breach and determine the origin of an attack. If you aren’t already using traffic monitoring tools, start packet capture to monitor inbound and outbound traffic. Tools such as Wireshark, Snort or Bro will assist in determining type of data being exfiltrated, ports/protocols being utilized, and source and destination of files.

3. Remove threat source – when the malicious actor has been discovered, block further access through blacklisting. Analyze logs to find the attacker’s entry point, and reset any credentials used along the way.

4. Record and document – while working to eliminate the threat source, record and document any discoveries. Ensure that logs from the time of attack are preserved. Note system configurations, the type and extent of data accessed, entry point, and path of propagation for later analysis

5. Harm reduction – if login credentials were accessed by the attacker, immediately reset them and send a notification to users. Even encrypted information can be cracked, sold, and used to access user accounts.

Dealing with The Public

In the past, organizations often hid data breaches for a long period of time before informing the public, if they ever did at all. Today, emerging legislation requires publishers to disclose a breach soon after it occurs – 72 hours under GDPR. Handling it well is important for maintaining trust.

6. Seek legal counsel – before taking any other actions, prepare for the possibility of litigation under consumer privacy laws. Calculate the probability of a lawsuit, likely expenses, and decide on a course of action should defense be necessary (settlement, or fight?)

7. Inform everyone affected – if a crime has occurred – especially by insider threat – begin by informing law enforcement. Afterwards, inform any victims of data theft directly, then move to tell stakeholders, relevant government entities, and finally the public. Be transparent about the breach itself, and the steps taken in response.

8. Prepare for questions – in collaboration with your legal, PR, business and IT departments, prepare honest and informed answers to probing questions. Doing this ahead of time allows an organization to maintain their reputation by staying in control of the narrative and helps them to avoid sharing confidential details.

Analyze the Incident

After a breach occurs, an organization will likely spend several months analyzing the incident to avoid a similar one in the future. Areas to analyze include Severity, Vector, root cause, and financial impact.

9. Determine severity of breach – what was stolen, what was its value, and what systems were compromised in the course of the attack? Answer these questions as thoroughly as possible to find areas of priority.

10. Determine attack vector – determine the exact parameters of the intrusion, including any vulnerabilities exploited. Interview staff members to determine whether social engineering was used to gain access credentials.

11. Conduct a security audit – beyond the nitty-gritty of an attack, audit your organization’s security strategy, infrastructure and staff training to find areas of weakness that may have contributed to the breach.

Prevent Future Attacks

In some cases, a data breach can be a blessing in disguise. It provides organizations with the impetus to modernize infrastructure and allocate resources to security. Armed with new information and better safeguards, organizations can avoid more serious incidents down the road.

12. Calculate expenses – determine the cost of infrastructure that needs replaced and include it in future budgets. Expenses may include networking equipment, storage and security systems, software licenses and building plans.

13. Improve infrastructure – aging infrastructure is inherently vulnerable, and a data breach can prove that. Based on information gathered in the aftermath of a breach, update anything that may have contributed to the breach, prioritizing critical systems first.

14. Train personnel – ensure security administrators are prepared for rapid response in the event of another data breach; train personnel throughout the organization for cyber hygiene practices, especially if attackers gained entry through social engineering, phishing attacks, or malware originating through email and web.

Building an Incident Response Plan

Work to reduce the impact of a data breach through rapid and effective response. The best form of harm reduction is harm prevention, and that can be achieved through a proactive enterprise security strategy that includes a protocol for incident response.

Before a cyberattack hits, invest in thorough risk, management, and compliance solutions to prepare your company for the worst. With the help of vulnerability and penetration tests, cyber hunt and asset management, your organization can stay one step ahead of attackers and prevent the worst from ever happening.

Securicon’s risk management solutions are based on industry standards for safety and professionalism. With years of experience in cyber security, we are here to protect your organization from data breaches. Contact us for more information.

The IoT Security Gap, and Six Ways to Overcome It

IoT Security
IoT Security

By next year, Gartner predicts that the number of devices connected to the Internet will reach 20.4 billion. That’s up 14.1 billion from 2016 – a shocking amount of growth in a short period of time and quintuple the number of usable IP addresses that existed under IPv4.

Like thought leaders predicted a decade ago, the burgeoning Internet of Things (IoT) is outgrowing mobile phones and dominating network connectivity in both the public and private sector. Unfortunately, the more Internet connections an organization has, the more vulnerable it is to attack; but IoT vendors don’t seem to care.

While today’s IoT is more secure than the devices of yesterday, security remains little more than an afterthought for too many product developers. According to scientist Sarah Zatko, IoT vendors continue to omit basic security features out of mere complacency.  “They’re just not bothering,” said Zatko, adding that “the needle hasn’t moved much in 15 years”.

The Consequences of Insecure IoT

On one hand, the almost impossibly fast growth of IoT means that a security gap is inevitable. On the other hand, this gap has consequences which organizations cannot afford to ignore: according to research, 48% of companies have already been the victim of at least one IoT attack.

Some of these incidents are damaging enough to gain significant publicity. In 2016, the Mirai botnet propagated through open Telnet ports on 600,000 IoT devices and brought down Internet connectivity across the U.S. East Coast. Other major attacks include:

  • EchoBot – with similar source code to Mirai, EchoBot targeted popular consumer and enterprise routers using over 26 unpatched vulnerabilities. It’s spread continued into 2019, and still threatens organizations today.
  • TheMoon – in many ways TheMoon represents “peak malware,” allowing threat actors to rent out thousands of hijacked routers and modems around the world for various malicious purposes.
  • Industroyer – in 2016, the Industroyer malware targeted Ukraine’s power grid and left thousands without electricity for a few hours. In 2017, researchers concluded that points of entry had been exploited within “Industrial IoT” deployed throughout the grid.

What happened in the Ukraine is instructive. As time wears on, critical infrastructure in the United States will depend on remote access technologies facilitated by IoT or will at least be in contact with IoT devices on the same network. Current security standards leave vulnerabilities that could have devastating consequences on businesses, their customers and the nation as a whole.

Regulatory Attempts

Efforts to regulate IoT like other technologies – including cloud and storage systems for classified information – have failed on more than one occasion. In 2017, the “Internet of Things Cybersecurity Improvement Act” was proposed to Congress, but never passed.

A new version of the same bill was introduced earlier this year, with a narrower focus. If passed, it would have put the National Institute of Standards and Technology (NIST) in charge of developing security standards for IoT devices by last month – a move that many in the industry approved of. However, the act is still in limbo and no further developments have occurred.

Unfortunately, it may take a serious incident before the government is prepared to hold IoT vendors to a higher standard. In the meantime, vendors simply don’t face enough pressure from the free market to take care of the problem themselves. For now, organizations must shoulder the responsibility of securing their own devices.

Six Ways to Improve IoT Security

Fortunately, there are many ways to significantly improve IoT security within a public or private enterprise environment. Here are six:

1. Minimize device footprint – the billions of IoT devices in use today, not all serve an important purpose. Minimize the number of devices in your organization, removing the frivolous and using non-networked solutions wherever possible. Remember that any opening to the Internet creates a potential route for attackers.

2. Segment IoT from critical assets – whenever possible, keep IoT disconnected from networks used to access classified information and sensitive data. Barriers between critical and non-critical assets in your organization make it difficult for attackers to move laterally even if they gain a foothold through one opening.

3. Replace default credentials – according to the Office of Management and Budget (OMB), lack of strong authentication is one of the most common security mistakes across federal agencies. IoT devices rarely require administrators to change their weak default credentials. Ensure that every networked device in your organization is tightly secured.

4. Use two-factor authentication – in the same vein, two-factor authentication (2FA) creates an extra barrier against brute-forcing and stolen login information. Most IoT devices are compatible with 2FA, but – again – they will not prompt users to install it. Take the initiative to keep devices as secure as possible.

5. Choose high-reputation vendors – not all IoT is created equal, and some vendors have a better reputation for security than others. Research IoT vendors as part of your risk management strategy and avoid those known for past attacks, lax standards or slow firmware updates.

6. Track and test devices – tracking IT assets is an important part of any security strategy, and IoT is no exception. Track all your IoT assets, and regularly test them for strong authentication. Firmware updates sometimes include patches for known vulnerabilities, so ensure that the latest version is always installed.

Adopting a Threat-Based Mentality

While they have never been more serious than they are today, the risks of IoT have been understood for over a decade. If organizations have ignored them, it’s because they have adopted a checklist mentality: but following regulations to the tee won’t protect against threats that legislation doesn’t address.

In order to protect their data, revenue and customers, today’s organizations must take a proactive approach to security. With the help of vulnerability and penetration tests, cyber hunt and asset management, “cybersecurity” can mean a lot more than compliance: it can mean safety against malware and targeted attacks.

Preparing For Data Breaches: 5 Lessons From 2018

cyber attacks cyber warfare2018 will likely go down in history for the sheer scale of consumer data that was hacked, leaked, stolen and otherwise compromised by cyberattacks throughout the year. Estimates show that during the first six months alone, 4.5 billion records were exposed over 945 data breaches leading to mass identify theft and financial fraud.

On the one hand, this is deeply concerning. On the other hand, it’s not very surprising at all.

Among the biggest breaches which occurred during 2018, Facebook, Quora and Marriot Hotels stood out for the simple reason that these were the very companies that should have been safe. When industry giants fall to attackers, small firms and businesses don’t stand a significantly better chance.

As regulators turn a critical eye to data breaches and consumer privacy, the time for businesses to pay sharp attention has come. If protecting the good faith of consumers isn’t enough incentive, financial loss in the form of penalties and theft should be.

In this article, we’ll look at five key lessons that stand out from the past year of cyberattacks, and what businesses can learn from them.

  1. Complacency Kills

Marketing firm Exactis has comprehensive data on nearly every citizen in the U.S – 340 million records, to be exact. Last year, security researcher Vinny Troia discovered that all those records had been stored on a publicly accessible database which was easily found with a simple search query.

Soon after the leak was publicized, the company made its records private: something which should have been done the moment they were created. Exactis justly received large amounts of negative publicity for failing to take this crucial step earlier.

Similarly, when data was stolen from 500 million patrons of the Marriot hotel chain, an investigation revealed that hackers had been in Marriot’s system for four whole years before they were discovered. Alarm bells had warned security administrators of this activity on several occasions, but never resulted in adequate measures to assess the full level of intrusion.

Takeaway: Nothing does more for attackers than a simple lack of vigilance across the board. A robust risk prevention protocol coupled with serious attention to every red flag is key to avoiding and addressing cyberattacks.

  1. Never Postpone Disclosure

In the past, companies have been reluctant to admit a data breach occurred. Last year, ride-sharing company Uber settled for $148 million dollars in court after failing to disclose a data breach which occurred in 2016, compromising the personal information of 600,000 drivers. Similarly, the U.K’s Ticketmaster knew about a breach for seven months before finally revealing it.

Hiding a breach doesn’t do a company any favors – if the intention is to avoid bad publicity, it only prolongs and exacerbates the inevitable. In the meantime, fixing existing issues and mitigating the damage becomes more difficult.

In the wake of GDPR which mandates that companies must reveal a breach within 72 hours of its occurrence, the number of reports coming out of the U.K have quadrupled, showing just how common delayed acknowledgment was before the legislation.

Takeaway: Companies should take a hint from Quora, which immediately disclosed a vulnerability that had exposed 100 million of its users, responded to the incident by resetting account passwords and created an informational site in the wake of the breach – all within a 72-hour window.

  1. Anything Can Be A Flaw

Data breaches take many unexpected forms. Last year, Facebook turned off – and has not yet turned back on – a seemingly benign feature which allowed users to view their profiles as a visitor would. The “view as” feature contained a critical bug enabling hackers to access 50 million user accounts.

Meanwhile in New York City, Saks Fifth Avenue and Lord & Taylor found that a device had been inserted into their card readers which stole the account information of nearly 5 million customers.

These exploits couldn’t be more different – one completely physical, and one involving complex digital hijinks. But they show that attacks can come in many forms, and no detail should be overlooked when it comes to data.

Takeaway: Web designers should eliminate unnecessary features that could constitute a vulnerability user experience. Businesses should also invest in penetration testing for digital properties, while businesses should regularly monitor their facilities and point-of-sale (POS) systems for malicious hardware.

  1. Beware of Third-Party Apps

Third party applications have become an indispensable part of the digital ecosystem, as businesses depend on them to process transactions and provide essential functions to their websites. Unfortunately, third party applications have also become a primary route that hackers use to compromise businesses.

2018 saw two high-profile breaches of third-party apps. Mobile linking platform Branch.io was attacked, potentially exposing the information of 685 million users across services like Tinder, Shopify and Yelp. MacAfee reports that the sales support platform [24]7.ai may have leaked credit card info and social security numbers from thousands of users.

As long as they are in charge of building their services, a business can defend them. But third-party apps are controlled on the outside, and often reflect a different set of security prerogatives. For instance, a website may securely encrypt its traffic while an unsecured plugin transmits it in plain text.

Takeaway: Businesses must be especially wary of the third-party apps which support their site. In some cases, they may not even realize how many dependencies they employ and should conduct regular inventories to ensure the safety of their users.

  1. Pay Attention to Insider Threats

In April of last year, SunTrust Bank announced that 1.5 million customer records had been stolen with criminal intent. The culprit, the institution claimed, was likely one of its own employees.

Insider threats are one of the biggest and most unpredictable threats an organization can face, and they aren’t always malicious. Simple user error can cost an organization billions of dollars. As Verizon’s 2018 Data Breach Investigations Report states:

Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education.

As an example, the average cost of a phishing attack – which occurs when a user clicks on an illegitimate email – was $1.6 million dollars in 2018. When such a simple action can cause such devastating consequences, no organization is safe from risk.

Takeaway: In order to stay safe, companies must be looking in both directions. Educating personnel on security protocol is one important way to monitor insider threats; monitoring behavior for signs of malignancy is also essential.

Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments which are trusted by critical infrastructure companies across the U.S and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!