Pentester Horizon3 Finds Three Major Attack Themes, 10 Common Vulnerabilities Attackers Exploit: Roadmap for MSSPs?

“These findings underscore why it’s so crucial to regularly pentest all internal and externally exposed assets and points of entry. Many of the vulnerabilities and weaknesses that companies believe they’ve already addressed are, in fact, welcoming entry points for threat actors. Every organization should regularly ask themselves what their threat environment looks like, whether their security tools are appropriately configured and effective, and most importantly – whether their assets and environments are secure.”

• Credential policies are weak, or often not enforced. Most often, attackers don’t “hack” in using sophisticated tools or exploits. They simply “live off the land” and log in with legitimate credentials.
• Patching is rare but fixes to misconfigurations are even rarer. Many organizations found exploitable vulnerabilities that are several years old and have relatively easy fixes in the form of vendor-provided patches, including CISA’s Top 15 Routinely Exploited Vulnerabilities list and Known Exploited Vulnerabilities catalog.
• Tools need oversight and tuning to work effectively. Often, it was not the tool itself that failed, but rather a failure to properly configure the tool that resulted in the exposure of assets.

1. Weak or reused credentials
2. Weak or default credential checks in protocols (SSH, FTP, Web, etc.)
3. Credential dumping from Windows or Linux hosts
4. Exploitation of critical Cybersecurity Agency and Critical Infrastructure Agency (CISA) vulnerabilities
5. Exploitation of critical VMware vulnerabilities
6. Misconfigurations and vulnerabilities in DevOps tools (Jenkins, GitLab, Kubernetes, Docker)
7. Misconfigurations and vulnerabilities in Routers, iLOs, and iDRACs
8. Windows Man-in-the-Middle attacks (NTLM relay)
9. Windows Active Directory Elevation of Privilege Escalation Vectors (Kerberoasting)
10. Zero-day or N-day vulnerabilities (Log4Shell, Fortinet, etc.)

• Increase training for employees on basic cyber security, including the dangers of credential reuse and weak or easily guessed passwords.
• Institute password policies that include sophistication and length requirements at least 15 characters in length and use at least one upper case letter, number, and special characters. Consider using a password manager with multifactor authentication.
• When creating a temporary password for a new user or a user that requires an account unlock, require the password to be used within a specific time frame before the account becomes disabled. Lock the account after 24 hours if the temporary password is not used.
• Require the use of multifactor authentication for logging into environments and segmented networks when possible. This ensures a high degree of certainty that a cyber threat actor cannot gain access to systems unless they also have control of the second device, such as a registered cellphone or other device to confirm a login attempt.
• Implement a configuration management process that directs default credentials to be changed before systems are deployed in a production environment.
• Disable the accounts of current or former employees who no longer require access. Oftentimes, cyber threat actors are disgruntled employees or former employees that would like to seek retribution against an organization and already have access. Disabling and not deleting the former user account allows the organization to retain any files or data that individuals may have generated while limiting the organization’s risk.
• Verify that each of the above guidelines are implemented, enforced, and effective by attacking your environmental teams, tools, and rules using NodeZero.