Content, Content, Security Program Controls/Technologies, Threat Intelligence

Pentester Horizon3 Finds Three Major Attack Themes, 10 Common Vulnerabilities Attackers Exploit: Roadmap for MSSPs?

Credit: Getty Images

Pentesting specialist Horizon3 has uncovered three major attack themes and the 10 most common misconfigurations, vulnerabilities and weaknesses that attackers are likely to exploit, the company said in a new report on the cybersecurity threat scape.

7,000 Pentests Sourced

The findings are derived from nearly 7,000 pentests using Horizon3’s NodeZero cloud-based pentest platform. Nearly 1 million assets were evaluated in tests conducted by companies that deploy industry-leading security tools, employ experienced cybersecurity practitioners, and implement compliance policies.

The bottom line? To accurately assess the effectiveness of an organization’s posture, it is crucially important to continually attack the environment in the same way a malicious cyber threat actor would.

As Snehal Antani, chief executive and co-founder of Horizon3, explained:

“These findings underscore why it’s so crucial to regularly pentest all internal and externally exposed assets and points of entry. Many of the vulnerabilities and weaknesses that companies believe they’ve already addressed are, in fact, welcoming entry points for threat actors. Every organization should regularly ask themselves what their threat environment looks like, whether their security tools are appropriately configured and effective, and most importantly – whether their assets and environments are secure.”

Exploits Identified

The three main themes or causes of exploitable weaknesses, vulnerabilities and misconfigurations in 2022 were:

  • Credential policies are weak, or often not enforced. Most often, attackers don’t “hack” in using sophisticated tools or exploits. They simply “live off the land” and log in with legitimate credentials.
  • Patching is rare but fixes to misconfigurations are even rarer. Many organizations found exploitable vulnerabilities that are several years old and have relatively easy fixes in the form of vendor-provided patches, including CISA’s Top 15 Routinely Exploited Vulnerabilities list and Known Exploited Vulnerabilities catalog.
  • Tools need oversight and tuning to work effectively. Often, it was not the tool itself that failed, but rather a failure to properly configure the tool that resulted in the exposure of assets.

Top 10 Vulnerabilities

Each of the top 10 vulnerabilities and weaknesses that Horizon3 enumerated and exploited were the direct result of these three weaknesses. Each led to critical impacts, deeper implications, and ultimately to positive action by the customer to remediate them.

The top 10 vulnerabilities detected in 2022 are:

  1. Weak or reused credentials
  2. Weak or default credential checks in protocols (SSH, FTP, Web, etc.)
  3. Credential dumping from Windows or Linux hosts
  4. Exploitation of critical Cybersecurity Agency and Critical Infrastructure Agency (CISA) vulnerabilities
  5. Exploitation of critical VMware vulnerabilities
  6. Misconfigurations and vulnerabilities in DevOps tools (Jenkins, GitLab, Kubernetes, Docker)
  7. Misconfigurations and vulnerabilities in Routers, iLOs, and iDRACs
  8. Windows Man-in-the-Middle attacks (NTLM relay)
  9. Windows Active Directory Elevation of Privilege Escalation Vectors (Kerberoasting)
  10. Zero-day or N-day vulnerabilities (Log4Shell, Fortinet, etc.)

Strategies and Recommendations

The report also offers mitigation strategies and policy recommendations for each of the three main attack themes. Here’s an example regarding weak or unenforced credential policies:

  • Increase training for employees on basic cyber security, including the dangers of credential reuse and weak or easily guessed passwords.
  • Institute password policies that include sophistication and length requirements at least 15 characters in length and use at least one upper case letter, number, and special characters. Consider using a password manager with multifactor authentication.
  • When creating a temporary password for a new user or a user that requires an account unlock, require the password to be used within a specific time frame before the account becomes disabled. Lock the account after 24 hours if the temporary password is not used.
  • Require the use of multifactor authentication for logging into environments and segmented networks when possible. This ensures a high degree of certainty that a cyber threat actor cannot gain access to systems unless they also have control of the second device, such as a registered cellphone or other device to confirm a login attempt.
  • Implement a configuration management process that directs default credentials to be changed before systems are deployed in a production environment.
  • Disable the accounts of current or former employees who no longer require access. Oftentimes, cyber threat actors are disgruntled employees or former employees that would like to seek retribution against an organization and already have access. Disabling and not deleting the former user account allows the organization to retain any files or data that individuals may have generated while limiting the organization’s risk.
  • Verify that each of the above guidelines are implemented, enforced, and effective by attacking your environmental teams, tools, and rules using NodeZero.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.