SecPro #21: Community Wisdom, Reality of Zero-Day Attacks
In today’s issue:
- The Reality of Zero-Day Attacks in 2021
- The SecPro Community Wisdom
- Recent Security Issues
- Secret Knowledge: Building Your Security Arsenal
The Reality of Zero-Day Attacks in 2021
By Tigran Avetisyan
2021 a Record Year for Zero-Days
Reality of Zero-Day Attacks are among the most formidable cybersecurity threats due to their unknown factor. It’s hard to counteract an attack if you don’t know exactly how it works or how it behaves.
If zero-days are among your top concerns, we have some not-so-good news. On September 24, 2021, MIT Technology Review reported that 2021 set a record for zero-day attacks. According to various databases tracking zero-day threats, no less than 66 zero-days had been detected in 2021 by September 24.
As of October 7, 2021, the Project Zero team at Google listed nearly 50 zero-days for 2021 in their 0day “In the Wild” spreadsheet. This was nearly twice as much as in 2020, a year that by itself had been no slouch in terms of zero-day threats.
With all that said, despite what the numbers may imply, you shouldn’t rush face-first into the seemingly obvious conclusion that hackers are now twice as effective as before. No, things are slightly more difficult and not as bad as you may imagine.
The Two-Pronged Reality Of Zero-Days attacks In 2021
The 2021 record in zero-days has become possible primarily thanks to the following two factors:
- The rapid development of hacking tools. The most skilled and experienced hacker groups – among them state-sponsored actors – are investing huge sums in developing their own increasingly powerful tools. Some of these groups, like Candiru or NSO Group, have monetized their malware development activities by selling exploits to entities that can’t craft hacks themselves.
- Improvements in cyber defense measures. Not only have the toolsets available to hackers become more sophisticated, but cyber defenses have seen drastic advancements too. Modern tools can detect small anomalies among tens of thousands of data points, so they can simply find more zero-days.
With that, we can’t easily draw direct parallels between zero-days in different years. A twofold increase in detected zero-days doesn’t necessarily mean that hackers have become two times better at what they are doing. Malicious groups have certainly evolved over the years, but we’ve also become better equipped to detect and neutralize zero-days.
This doesn’t mean that we should let our guard down though. As cybersecurity experts come up with better and better measures for threat detection and prevention, hackers are going to continue to adapt by releasing fiercer threats into the wild. In response, cyber defenses are going to become even more advanced, further forcing hacks and threats to evolve.
This never-ending arms race will likely escalate with time, with parties bombarding each other with more and more new tricks.
In such a landscape, cybersecurity teams can do nothing to prevent the continuous development of threats. What they can do, however, is stay alert and keep their existing measures in impeccable condition.
Notable Reality of Zero-Day Attacks in 2021
CVE-2021-35211 – SolarWinds Serv-U Servers
In mid-July 2021, American software vendor SolarWinds patched a zero-day in its Serv-U file. According to an analysis published by Microsoft, the authors of this zero-day hack (tracked as CVE-2021-35211) operated from China and targeted SolarWinds Serv-U servers by connecting to open SSH ports and sending malformed pre-auth connection requests.
CVE-2021-1879 – WebKit (Safari)
In July 2021, Google shared the details of four zero-days discovered in 2021 – two in Google Chrome, one in Internet Explorer, and one in WebKit (Safari). The latter zero-day, dubbed CVE-2021-1879, is perhaps the most interesting.
In this campaign, attackers sent malicious links to government officials from western European countries via LinkedIn. The links, if clicked, would redirect iOS users to a malicious website that collected authentication cookies to websites like Google, Microsoft, LinkedIn, Facebook, and Yahoo.
CVE-2021-40444 – Microsoft Windows
In mid-September 2021, Microsoft patched 66 CVEs in its products and services, including the Windows MSHTML zero-day (CVE-2021-40444). According to Microsoft, the flaw could allow attackers to “craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document.”
The MSHTML zero-day had been under active attack for nearly two weeks before being patched. What’s worse, threat actors at some point began sharing how-tos for the exploit. Bleeping Computer reported that the guides were simple to follow and could allow anybody to craft their own working exploit.
Bleeping Computer managed to reproduce the exploit in only 15 minutes.
CVE-2021-37975, CVE-2021-37976 – Google Chrome
In late September 2021, Google patched two zero-days in an update to the Google Chrome web browser. One was a use-after-free vulnerability, while the other one was an “information leak in the core.” This marked the twelfth time Chrome was hit with zero days in 2021.
Very little information was given about these flaws, but one thing’s certain – users should keep their browsers up to date not to fall prey to zero-day exploits.
The SecPro Community Wisdom
✨ In this month’s Community Wisdom, we tackle reader questions in container security, compliance, and pentesting domains with a sprinkle of career discussion.
🌟 Container Security
“How to meet compliance requirements in containers, how to instrument them for visibility? Similar concerns across cloud environments (AWS, Azure, GCP, etc). “
Noel: “There are many aspects in container security (misconfigurations, vulnerabilities, etc), so first of all it is important to understand which are critical and make sure they meet our compliance. There are several open-source tools available (Snyk, Trivy, etc) that can help. For me it is important to make them visible, but more important is what we can do about it. Just sending alerting is not enough, we should have an action or remediation plan accordingly. I am strongly in favor to make container security part of the CI/CD pipeline and block the delivery if it does not meet the compliance requirements and has a task created for remediation.”
Chris: “I could list all the usual recommendations for securing container images and containers at runtime here. But I think they are being discussed already in-depth in other places (like Liz Rice’s book on container security. I know, it’s not a Packt book :)). However, I’d like to get into one practical issue I’ve seen a lot in the real world: The fear or inability to update or re-build container images just for the sake of security updates. Like in one environment that I’ve seen at work, we’ve relied on very old images of certain standard software (with that I mean things like Postgres or Nginx … it’s not these two, but very similar). These images had known security vulnerabilities. However, we weren’t able to update them because it would have broken things. All of that is/was because of bad dependency management of homebrewn code and poor test coverage. It’s hard to overcome this with a huge legacy environment with lots of technical debt.”
Rohit: “Define and prioritize the use cases. For better security follow these use cases:
1) Kubernetes security posture management, 2) container image scanning and vulnerability management, and 3) runtime security.
Container security solutions should be evaluated in the context of your overall approach to securing applications, CI/CD pipelines, and DevOps admin credentials, not just containers. Attackers are looking for a way into your organization and will look for a weak link to exploit in order to gain access to other areas.
Next for functions such as secrets management, the product should ideally integrate with a wide range of native solutions, such as Amazon Elastic Kubernetes Service (EKS), which developers may already be using to minimize code changes and provide secret sharing between container platforms and tools. Avoid “islands of security,” which cause secrets to spread.
Last but not least, it’s also about process rather than technology. Different security tools offer a variety of capabilities. These can range from the simple generation of security-centric data for analysis by security engineers to the automatic enforcement of stringent security policies against your container environments. It is critical to map existing security processes to the capabilities of available technology.”
🛡 Compliance & Standards
“Have you come across any useful resources to develop Information Security strategies in areas such as CIS Controls, NIST Framework, ISO 27001/2, CSA?”
Noel: “Not for all of these, but in my domain of expertise (system security) it was related to CIS Controls. I am using tools like kube-bench for Kubernetes or Chef Inspec for more operating system-related CIS benchmarks. But I am always interested to learn about others :-)”
Antonio: “Yes, definitely in the CSA Security Guide and in the NIST framework and in the ISO 27000 family I have found many resources to be able to define policies and propose them to the different Information Security Plans of some customers who have or are migrating their workloads to the cloud, mainly in hybrid environments.”
Chris: “For German-speaking folks, I highly recommend the BSI manual (800 pages, from the federal government’s IT security agency/authority). It’s both broad (look at the table of contents for a great list of what’s in the scope of IT security in general) and in-depth (like if you’re looking for how to harden an Apache webserver, MacOS client, or Kubernetes cluster there’s a chapter about it). Link. “
“What is the most exciting thing in pentesting or in red/blue teaming right now for you and why should other community members be inspired to learn it? ”
Javier: “I am in the offensive field from the 90’s. In the last 4 to 5 years, I’m involved in the red team field. If you have experience in pentesting is a natural movement, if you do not have offensive experience there is a lot to do in the field. Red team have many connection points to pentest, but the focus is really different. Every engagement is a challenge, every client is a challenge, every objective is a challenge. If you want to be challenged is a way to go. You will need to learn about how to deploy infra, about command and controls, malware development, security solutions evasion, social engineering, and a lot more.”
Rohit: “Drafting initial reports of the findings, reviewing these findings with the customer, explaining why a system or facility is vulnerable, negotiating the severity of the issue in the given context, and drafting the final report.”
Antonio: “I think the most exciting thing is discovering the vulnerabilities that business owners say they don’t have and being able to show them in black and white, so as to raise awareness about security and the real dimension of the need to be prepared for any security incident they may face in the not-too-distant future. ”
“I worry about being able to move on to a more consultative or architecting role. Too many jobs in the industry seem siloed to give engineers a chance to work on all the technologies required to move into a broad-experience position that is both more fulfilling/rewarding. “
Javier: “In my opinion, one must give a chance to different roles. Every role has something to offer, and a lot to learn. Try different roles and find the role you love. I was lucky enough to work in support, networking, development, business analysis, application analysis consultancy, architecture, network security, application security, pentesting, red teaming, and other roles. I choose infosec as a way of life.”
Noel: “To me being an architect is an immensely rewarding career path that opens many doors. It is a given that in many industries there is a requirement for highly skilled engineers, but what I see more and more is the need for good architects that can overview/design the complete solution. For example, I can see many companies moving to the public cloud, which is the way to go, but often forget about the importance of the role of an Architect which can think about the complete picture like operational excellence, security, reliability, performance efficiency, and being cost-efficient.”
Antonio: “Indeed, I see a future where I need to develop my skills at a more consultative or strategic level. The market indicates that specialization in certain specific areas such as cloud computing security or cybersecurity is becoming more and more in demand. For that, it is necessary to be able to continue learning and gaining knowledge to be able to apply them in companies that may require my services.”
Recent Security Issues
🔸 Twitch’s all source code leaked: A server misconfiguration led to a massive 125GB data leak and source code at Twitch! Amazon-owned video live streaming platform acknowledged that those details of creator payments, software development kits, and other proprietary internal tools had been compromised. Twitch also denoted that in a statement confirming that no personal data of the users were exposed.
🔸 TangleBOT: A new android based phishing malware that is luring users with COVID-19 vaccine-themed campaigns to install them on their devices. Proofpoint’s security researchers recently identified this malware that is distributed through SMS in Android phones across the US and Canada region. The phishing message looks like this, “New regulations about COVID-19 in your region. Read here: https//covid19*****.”
Secret Knowledge: Building Your Security Arsenal
Discover useful security resources, cheatsheets, hacks, one-liners, and open-source CLI/web tools.
- ScoutSuite – a multi-cloud security audit tool designed for AWS (Amazon Web Services) Google Cloud and Azure environments (python).
- Prowler – a security tool for assessing, auditing, incident response, continuous monitoring, hardening, and forensic readiness of AWS security best practices (bash and python components).
- PMapper – an advanced and automated AWS IAM Evaluation (Python) tool.
- SkyArk – provides an advanced assessment of discovery and security for the most privileged entities in the AWS tested.
- Lunar – a security audit tool based on several security frameworks (it performs some AWS checks).
- kube-hunter – Open-source tool that runs a hunter code sets for security issues in Kubernetes clusters from the attacker’s point of view or from an internal cluster.
- kube-forensics – enables a cluster administrator to dispose of the current state of a running pod and all its containers and therefore security professionals can implement online forensic analysis.
- kubernetes-event-exporter – enables exporting the often-missed Kubernetes events to various outputs and hence they can be used for alerting and observability purposes.
- Polaris – Validates the best practices of Kubernetes by running tests against a Kubernetes admission request, or code commits, or live resources that are already running in a cluster.
- Kyverno – Kubernetes Native Policy engine.