CISA calls out security misconfigurations, common mistakes

Threat actors are taking advantage of misconfigurations and weak security controls to gain initial access into enterprise networks, a recent cybersecurity advisory warned.

The Cybersecurity and Infrastructure Security Agency, along with cybersecurity authorities from Canada, New Zealand, the Netherlands and the United Kingdom, detailed the most exploited controls and practices used in the beginning stages of an attack.

"Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim's system," the advisory said.

The advisory Tuesday listed five techniques overall: exploit public-facing applications, external remote services, phishing, trusted relationship and valid accounts. Trusted relationship refers to a dangerous technique where attackers breach a second or third party to gain access to the intended victim. Abusing remote services such as VPNs and Microsoft's Remote Desktop Protocol has become an increasingly popular target for threat actors.

Misconfigured cloud services are another popular target, according to the advisory. Securing the cloud can be more complicated compared with on-premises networks. The advisory warned that unprotected cloud services are commonly exploited by threat actors prior to employing initial access techniques and can lead to dire consequences.

"Poor configurations can allow for sensitive data theft and even cryptojacking," the advisory said.

One of the most difficult techniques to protect against exploits poor endpoint detection and response. The advisory warned that actors use "obfuscated malicious scripts and PowerShell attacks" to gain access to targeted endpoint devices.

TrendMicro discovered that AvosLocker ransomware actors recently used a PowerShell script to disable antivirus software and evade detection. The relatively new technique employed by AvosLocker operators also scanned for vulnerable endpoints, which is another threat highlighted in the advisory.

Listed as exposed open ports and misconfigured services, it is one of the most common vulnerability findings, the advisory said, and it can lead actors directly to vulnerable organizations.

"Cyber actors use scanning tools to detect open ports and often use them as an initial attack vector," the advisory said.

This risk was highlighted further in a blog post, also published on Tuesday, by the Shadowserver Foundation. The nonprofit infosec organization recently started scanning for accessible Kubernetes API instances and found that out of more than 450,000 instances, more than 380,000 allowed for some form of access. Shadowserver broke it down further by stating that exposed APIs made up nearly 84% of all instances.

"While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended, and these instances are an unnecessarily exposed attack surface," the blog post said. "They also allow for information leakage on version and builds."

While many weaknesses come down to poor hygiene and highlight ongoing problems with enterprise security, such as unpatched software, the joint advisory also provided detailed mitigation steps. For example, adopting a zero-trust model to reduce the attack scope through network segmentation.

Many of the mitigations focused on authentication and securing third-party devices, because the most common techniques attackers use involve exposed applications and abusing credentials. Before enabling external access, the advisory urged enterprises to have firewalls in place, and segmentation from other secure accounts and hosts like domain controllers.

In addition, the joint advisory recommended mitigations to secure control access and harden credentials, such as implementing multifactor authentication and limiting the remote capability of an administrator account. Other important practices included vulnerability scanning, changing third-party supplied default credentials and establishing centralized log management. The last can be essential for forensic investigations and documenting attack techniques.