Lessons from the security incidents in 2021

Lessons from the security incidents in 2021

Instead of predicting what the year 2022 will bring, we should rather learn the lessons from this year’s biggest security threats and prepare for the future. […]

It’s the end of 2021, a time when security experts are expected to make predictions about the security problems of the coming year. I’d rather look back at the security issues we’ve been following to make sure we’re learning all the necessary lessons from this.

SolarWinds Attack: Know your Vendor’s Security Precautions

It’s literally been a year since the SolarWinds software supply chain attack appeared in the news, and we’re still trying to fully understand the potential of this type of attack. The attackers proceeded secretly and were discovered only because one of the affected companies, FireEye, has first-class capabilities for monitoring and detecting intruders.

I wonder if, in such a situation, my company would have the necessary tools and resources to detect such an attack. I suspect that not only would I not have been aware of this intrusion, but also many of you would not have the necessary resources to do so. According to Microsoft, the attacker was able to forge SAML tokens that impersonate any users and accounts of the organization, including highly privileged accounts“. This should make us all rethink the source of the software we install and wonder if we can trust our vendors and their security processes, not to mention our own security processes.

Lessons learned: Check the security processes of your software vendors. Watch out for abnormal behavior, especially with highly privileged accounts. Check when new federated trusts have been created or credentials have been added to processes that perform actions such as mail.read or mail.can execute readwrite.  You should also block known C2 endpoints in the firewall at the network edge.

Exchange Server attack: Protection of legacy systems

In March 2021, a very disruptive attack occurred. Locally installed Exchange servers were directly attacked via a zero-day vulnerability. Microsoft initially stated that they were targeted attacks, but later it turned out that the attacks were much more widespread. Microsoft also found that many mail servers were completely outdated in terms of patches, so it was difficult to quickly update them. Microsoft had to provide patches for older platforms to protect customers. The FBI even went so far as to proactively clean and patch Exchange servers that were still unprotected.

Lessons learned: Make sure that every older server is protected. In particular, Exchange servers on site are more often the target of attacks. Make sure you allocate adequate resources for patching these legacy systems. E-mail is an important access point to networks, both in terms of phishing attacks that occur through e-mail, and in terms of higher risk, because attackers know how difficult it is to patch these servers.

Also, do not necessarily rely on the threat and risk assessment of the manufacturer. Microsoft initially pointed out that the attacks were limited and targeted, but they were much more widespread and even affected small businesses.

PrintNightmare: Keeping printers up to date

The next big security incident is one that we are still dealing with almost six months later. In July, Microsoft released an out-of-band update for a vulnerability called PrintNightmare. For network administrators, this PrintNightmare has turned into a print management nightmare. The print spooler software is older code from the NT era, which many ask Microsoft to rewrite completely, but this would cause significant interference with third-party printers. While the pandemic has taken us away from personal printing and towards more remote printing processes, even PDF printers rely on the print spooler to provide and print PDF files.

Even now in December, we are still observing the side effects of the numerous patches for the print spooler that have been released since then. The optional updates, released at the end of December, include a solution to several print-related issues. It resolves issues where Windows print clients may experience the following errors when connecting to a remote printer shared on a Windows print server:

0x000006e4 (RPC_S_CANNOT_SUPPORT)

0x0000007c (ERROR_INVALID_LEVEL)

0x00000709 (ERROR_INVALID_PRINTER_NAME)

I have seen that some network administrators have chosen not to install patches due to the annoying side effects of these updates.

Lessons learned: Even in the pandemic, we still have to print. Whenever an update contains a fix for the print spooler service, you should allocate appropriate resources to test before the update. Use third-party resources such as PatchManagement.org or the sysadmin forum on reddit to watch out for side effects and workarounds that you may need to take in order not to leave your business unprotected. The printer spooler service should be disabled on servers and workstations that do not require printing, and run only on devices and servers that require printing to be enabled.

Ransomware: Block RPC and SMB communication

Among the security incidents that we will experience in 2022, ransomware will continue to be a major risk. Ransomware is now included in cyber insurance policies, and the US government has set up task forces to provide companies with more protection, information and guidance on how to deal with this risk.

Learning lessonst: Use your local and network firewalls to prevent RPC and SMB communication. As a result, lateral movements and other attack activities are limited. Also, enable tamper protection features to prevent attackers from stopping security services. Then enforce strong, randomized local administrator passwords. I recommend that you use the Local Administrator Password Solution (LAPS) to ensure that you have random passwords.

Monitor the deletion of event logs. In this case, Windows generates the security event ID 1102. Also, make sure that the latest security updates are installed for all components connected to the Internet. Check these facilities regularly for suspicious activity. Finally, determine where highly privileged accounts log in and reveal credentials. Monitor and inspect login events (event ID 4624) for login type attributes. Highly privileged accounts should not be present on workstations.

Ready to see us in action:

More To Explore

IWanta.tech
Logo
Enable registration in settings - general
Have any project in mind?

Contact us:

small_c_popup.png