Microsoft software products are the connective tissue of many organizations, from online documents (creation, sharing and storage) to email and calendars to the operating systems that run business operations on the front end and the back end, both in the cloud and on-premises.
Over one million businesses worldwide, and over 731,000 in the United States, use Office 365, and although Microsoft does not publish precise statistics, some sources suggest that there are over 90,000 Microsoft partners providing services and products to customers. It is therefore not surprising that vulnerabilities in Microsoft products are an attractive attack vector.
So far in 2021, Microsoft’s 12 most notable critical vulnerabilities fall into five major threat categories:
- Exchange vulnerabilities
- Print spooler vulnerabilities
- Windows registry sensitive database file vulnerabilities
- Encrypting File System Remote Protocol (MS-EFSRPC) and Active Directory Certificate Services (AD CS) vulnerabilities, and
- ActiveX vulnerabilities.
Let’s break them down.
Exchange vulnerabilities
Microsoft Exchange provides the back end for integrated mail, calendar, contacts and tasks. Exchange Server is one of the most widely used and well-known messaging solutions for governments and businesses around the world. Managing Exchange Server internally is a complex task, and poorly maintained Exchange servers are particularly troubling because malicious actors actively scan for and exploit servers that are misconfigured or missing the latest security updates.
Recent vulnerabilities in Microsoft Exchange Server include ProxyLogon, ProxyOracle, and ProxyShell.
ProxyLogon (CVE-2021-26855 and CVE-2021-27065) targets on-premises Exchange servers. CVE-2021-26855 is a server-side request forgery in Exchange's front-end proxy that lets an unauthenticated attacker send requests to the back end as the Exchange server itself, bypassing authentication and effectively impersonating an administrator. Chained with CVE-2021-27065, a post-authentication arbitrary file write, it lets the attacker drop a web shell and achieve remote code execution.
ProxyOracle (CVE-2021-31195 and CVE-2021-31196) is a bit more involved than ProxyLogon in that the malicious actor must trick a user into clicking a malicious link in order to steal the user's password. Forms-based authentication, used to manage user logins for Outlook Web Access, stores the user's credentials in browser cookies that are encrypted with a block cipher. The chain combines a reflected cross-site scripting bug, used to leak those cookies, with a padding oracle attack, used to decrypt them offline and recover the clear-text password.
ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) is another vulnerability chain affecting unpatched on-premises Exchange servers exposed to the Internet. ProxyShell abuses the URL normalization that the Client Access Service performs on explicit-logon requests. When such a request arrives, Exchange normalizes the request URL and strips the portion containing the mailbox address before routing the request to the back end. With ProxyShell, a malicious actor crafts that stripped portion so that the front end forwards the request to an arbitrary back-end URL, including the Exchange PowerShell Remoting endpoint, which is reachable over the same port 443. Simply put, it lets threat actors act as an Exchange administrator and run PowerShell commands remotely.
Print spooler vulnerabilities
Printers in general, and the Windows Print Spooler in particular, have been targets of exploitation for many years. For example, the 2010 Stuxnet worm, the one used against Iranian nuclear facilities, spread using a Print Spooler vulnerability (MS10-061).
PrintNightmare (CVE-2021-34527) allows an attacker with a low-privilege domain user account to take control of a server running the Print Spooler service by adding a dynamic link library (DLL) as a printer driver, which the service then loads as SYSTEM. Once the threat actor exploits this vulnerability, they can install programs, view or modify data, and create new accounts with full user rights.
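The following PowerShell script is an added example, not code from the original article or from Microsoft. It audits the PrintNightmare exposure of the local host: whether the Spooler is running, and whether the Point and Print policy values that Microsoft's post-patch guidance depends on have been weakened (a patched system with NoWarningNoElevationOnInstall or UpdatePromptSettings set to 1, or RestrictDriverInstallationToAdministrators set to 0, is exposed again). It assumes Windows PowerShell 5.1 run as an administrator; the remediation functions are only meant for hosts that do not need to print or share printers.

```powershell
# Added example, not from the original article. Assumes an elevated Windows PowerShell 5.1 session.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([string]$Name, [int]$Default)
    # A missing key or value means the post-patch default applies
    $props = Get-ItemProperty -Path $PointAndPrintKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $Default }
    return [int]$props.$Name
}

function Get-PrintNightmareStatus {
    $spooler   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running   = ($null -ne $spooler -and $spooler.Status -eq 'Running')
    $startType = 'NotInstalled'
    if ($null -ne $spooler) { $startType = [string]$spooler.StartType }

    # Safe values after the July/August 2021 updates: 1 / 0 / 0. Anything else weakens the fix.
    $restrict = Get-PointAndPrintValue -Name 'RestrictDriverInstallationToAdministrators' -Default 1
    $noWarn   = Get-PointAndPrintValue -Name 'NoWarningNoElevationOnInstall' -Default 0
    $noPrompt = Get-PointAndPrintValue -Name 'UpdatePromptSettings' -Default 0
    $policyWeakened = ($restrict -ne 1) -or ($noWarn -ne 0) -or ($noPrompt -ne 0)

    [pscustomobject]@{
        SpoolerRunning                            = $running
        SpoolerStartType                          = $startType
        RestrictDriverInstallationToAdministrators = $restrict
        NoWarningNoElevationOnInstall             = $noWarn
        UpdatePromptSettings                      = $noPrompt
        PolicyWeakened                            = $policyWeakened
        # A non-admin user can only reach the driver-install path if the service is up AND policy is weak
        Exposed                                   = ($running -and $policyWeakened)
    }
}

function Disable-PrintSpooler {
    # For hosts that never print or share printers (domain controllers are the usual candidates)
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

function Enable-PointAndPrintRestrictions {
    if (-not (Test-Path $PointAndPrintKey)) { New-Item -Path $PointAndPrintKey -Force | Out-Null }
    Set-ItemProperty -Path $PointAndPrintKey -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name 'NoWarningNoElevationOnInstall' -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name 'UpdatePromptSettings' -Value 0 -Type DWord
}

Get-PrintNightmareStatus
```

Note that the registry check only tells you whether the patch's protections have been turned off; it does not tell you whether the patch itself is installed, so pair it with your normal update compliance reporting.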
Windows registry sensitive database file vulnerabilities
The Windows registry stores configuration, settings and preferences for the operating system and Windows applications. It is made up of files called hives, such as the SYSTEM and SECURITY hives and the Windows Security Accounts Manager (SAM) database. A malicious actor who abuses this weakness in the registry's sensitive database files and can authenticate to a machine is able to run arbitrary code with SYSTEM privileges.
HiveNightmare, aka SeriousSAM (CVE-2021-36934), is one such vulnerability. (You read that correctly: the default configuration of Windows 10, from version 1809 onwards, and Windows 11 grants all non-administrator users read access to the sensitive registry hives; this is a known misconfiguration.) The live hive files are locked by the operating system, but a low-privileged user can read copies of them from a Volume Shadow Copy snapshot. This includes the SAM, which holds the NTLM password hashes of local accounts, and the SYSTEM hive, which holds the key needed to decrypt them. With those hashes the attacker can authenticate to the machine, or to remote servers, using pass-the-hash, execute code as SYSTEM, run commands, drop additional payloads, propagate over the network, and create users with full permissions.
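As an added example (not from the original article or from Microsoft), this PowerShell script checks the local SAM, SYSTEM and SECURITY hive files for the HiveNightmare condition, an Allow entry granting BUILTIN\Users read access, reports how many shadow copies exist (each one holds a readable copy of the hives regardless of the live ACL), and applies the workaround Microsoft published in KB5005357. It assumes Windows PowerShell 5.1 run as an administrator; the Users group is matched by its well-known SID so the check also works on localized systems.

```powershell
# Added example, not from the original article. Assumes an elevated Windows PowerShell 5.1 session.
$ConfigDir = Join-Path $env:windir 'System32\config'
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users

function Get-AceSid {
    param($Ace)
    # Translate the NTAccount to a SID; some app-container principals may not resolve, treat those as no match
    try { return $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }
}

function Test-HiveExposure {
    foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY') {
        $path = Join-Path $ConfigDir $hive
        $acl  = Get-Acl -Path $path
        # An Allow ACE that gives Users any read-data right is the misconfiguration
        $usersRead = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (Get-AceSid $_) -eq $UsersSid -and
            (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
        })
        [pscustomobject]@{
            Hive         = $hive
            UsersCanRead = ($usersRead.Count -gt 0)
        }
    }
}

function Get-ShadowCopyCount {
    # Existing shadow copies still expose the old hive contents even after the ACL is corrected
    return @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

function Repair-HiveAcl {
    # Microsoft's workaround (KB5005357): re-enable inheritance on the hive files, which replaces the
    # stale Users ACE with the parent folder's ACL, then delete the existing shadow copies
    & icacls "$ConfigDir\*.*" /inheritance:e | Out-Null
    & vssadmin delete shadows /for=$env:SystemDrive /Quiet | Out-Null
}

Test-HiveExposure | Format-Table -AutoSize
"Shadow copies present: $(Get-ShadowCopyCount)"
```

Deleting shadow copies also removes restore points, so run Repair-HiveAcl only after confirming the machine is exposed and that backups do not depend on those snapshots.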
MS-EFSRPC and AD CS vulnerabilities
The Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) performs maintenance and management operations on encrypted data that is stored remotely and accessed over a network. Active Directory Certificate Services (AD CS) is a server role that lets organizations build a public key infrastructure (PKI) and provides public key cryptography, digital certificates, signing and other security functions.
PetitPotam (CVE-2021-36942) is an example of an NT LAN Manager (NTLM) relay attack. In this attack, a threat actor who already has a foothold on the network can take control of an Active Directory domain in which AD CS is in use. Rather than exploiting a memory-corruption bug, the attacker abuses the MS-EFSRPC interface to coerce a domain controller into authenticating to an attacker-controlled host, relays that NTLM authentication to the AD CS web enrollment endpoint, and obtains a certificate for the domain controller's machine account. That certificate can then be used to authenticate as the domain controller, resulting in compromise of the domain and the ability to elevate privileges within it.
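The relay step above succeeds only if the AD CS web enrollment endpoint accepts a relayed NTLM authentication. As an added example (not from the original article or from Microsoft), the following PowerShell script, run on the CA host, reports whether the CertSrv application requires Extended Protection for Authentication (EPA) and TLS, which is the mitigation Microsoft describes in KB5005413, and applies both settings. It assumes Windows PowerShell 5.1 run as an administrator with the WebAdministration module available, and that CertSrv is installed under the default IIS site (an assumption; adjust $CertSrvPath otherwise).

```powershell
# Added example, not from the original article. Assumes an elevated session on the AD CS host.
Import-Module WebAdministration

$CertSrvPath = 'IIS:\Sites\Default Web Site\CertSrv'   # assumption: web enrollment under the default site
$WinAuth     = 'system.webServer/security/authentication/windowsAuthentication'

function Get-IisAttributeText {
    param([string]$Filter, [string]$Name)
    # Depending on the attribute type the cmdlet returns either a plain value or a ConfigurationAttribute
    $raw = Get-WebConfigurationProperty -PSPath $CertSrvPath -Filter $Filter -Name $Name
    if ($null -eq $raw) { return '' }
    if ($null -ne $raw.PSObject.Properties['Value']) { return [string]$raw.Value }
    return [string]$raw
}

function Get-CertSrvEpaStatus {
    if (-not (Test-Path $CertSrvPath)) {
        return [pscustomobject]@{ WebEnrollment = $false; TokenChecking = ''; SslRequired = $false; Exposed = $false }
    }
    $token = Get-IisAttributeText -Filter "$WinAuth/extendedProtection" -Name 'tokenChecking'   # None | Allow | Require
    $ssl   = Get-IisAttributeText -Filter 'system.webServer/security/access' -Name 'sslFlags'
    # sslFlags is a comma-separated list; "Ssl" alone means the connection must use TLS
    $sslRequired = [bool]($ssl -match '\bSsl\b')
    [pscustomobject]@{
        WebEnrollment = $true
        TokenChecking = $token
        SslRequired   = $sslRequired
        # Without EPA channel binding over TLS, a relayed NTLM authentication from a coerced DC is accepted
        Exposed       = ($token -ne 'Require') -or (-not $sslRequired)
    }
}

function Enable-CertSrvEpa {
    # EPA binds the authentication to the TLS channel, so require TLS first, then require the token check
    Set-WebConfigurationProperty -PSPath $CertSrvPath -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
    Set-WebConfigurationProperty -PSPath $CertSrvPath -Filter "$WinAuth/extendedProtection" -Name 'tokenChecking' -Value 'Require'
}

Get-CertSrvEpaStatus
```

EPA protects the web enrollment endpoint specifically; the certificate enrollment web service and any other NTLM-accepting service reachable by the relay need the same review, and KB5005413 also recommends disabling NTLM on the CA entirely where the environment allows it.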
ActiveX vulnerabilities
ActiveX controls are software components used to build and run applications over a network. Applications rely on ActiveX to share functionality and data across web browsers, and the vulnerability discussed here can be exploited through a Microsoft Office document.
MSHTML (CVE-2021-40444) is a highly sophisticated remote code execution vulnerability that lets an attacker run arbitrary code on a victim's machine through a malicious ActiveX control embedded in an Office document, typically delivered by phishing. The threat actor entices the user to open the malicious document; once the file is opened and the code executes, the threat actor can run remote commands, drop additional payloads and establish persistence.
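Before the September 2021 update, Microsoft's published workaround for CVE-2021-40444 was to disable the installation of ActiveX controls in Internet Explorer, the engine that renders the document's embedded content, by setting URL actions 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) to 3 (disable) in security zones 0 through 3. The PowerShell below is an added example, not code from the original article or from Microsoft; it applies that registry workaround and audits whether it is in place. It assumes Windows PowerShell 5.1 run as an administrator.

```powershell
# Added example, not from the original article. Assumes an elevated Windows PowerShell 5.1 session.
$ZonesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# URL actions 1001 (signed ActiveX download) and 1004 (unsigned ActiveX download); 3 = disabled
$ActiveXActions = @('1001', '1004')
$Disabled = 3

function Disable-ActiveXInstall {
    foreach ($zone in 0..3) {   # 0 Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet
        $zoneKey = Join-Path $ZonesKey $zone
        if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
        foreach ($action in $ActiveXActions) {
            Set-ItemProperty -Path $zoneKey -Name $action -Value $Disabled -Type DWord
        }
    }
}

function Test-ActiveXInstallDisabled {
    foreach ($zone in 0..3) {
        $zoneKey = Join-Path $ZonesKey $zone
        $props   = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
        foreach ($action in $ActiveXActions) {
            $value = $null
            if ($null -ne $props) { $value = $props.$action }
            [pscustomobject]@{
                Zone      = $zone
                UrlAction = $action
                Value     = $value
                Mitigated = ($value -eq $Disabled)   # only a policy value of 3 blocks the download
            }
        }
    }
}

Test-ActiveXInstallDisabled | Format-Table -AutoSize
```

The policy keys override per-user Internet Explorer settings, so applying them machine-wide also covers accounts that have not logged on yet; previously installed ActiveX controls are unaffected, which is why the workaround was a stopgap until the patch was deployed.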
Do you feel vulnerable?
According to IBM's 2021 Cost of a Data Breach report, the average cost of a data breach rose by the largest year-over-year margin in seven years, from $3.86 million in 2020 to $4.24 million in 2021. The average time to identify a breach in 2021 was 212 days, with a further 75 days to contain it.
The types of attacks explored in this article lead to compromised domains and give criminals the ability to create their own accounts with full administrator rights. According to the same report, compromised credentials were the most common initial attack vector, responsible for 20% of breaches and costing an average of $4.37 million per breach.
Each of these Microsoft vulnerabilities has serious implications for organizations of all sizes. PrintNightmare, for example, is critical because the Print Spooler service runs by default on all Windows servers and clients. It is alarming that this iteration evolved from an earlier vulnerability (CVE-2021-1675) whose patch turned out to be only partially effective. HiveNightmare (aka SeriousSAM) works because of a misconfiguration in the Windows operating system itself, and it does not require clear-text credentials. Attacks like these justify keeping every system up to date, in addition to keeping abreast of Microsoft vulnerabilities.
Cyber security leaders need to ensure they deploy detection rules designed to detect and block attempts to exploit these vulnerabilities, and add further detection rules focused on their highest-risk systems. Apply all available patches for Microsoft products, and monitor not only newly discovered vulnerabilities but also changes to known ones.