Ngā tikanga me ngā whakamaurutanga pānga nui High-impact techniques and mitigations

Adversary-in-the-middle (AITM) phishing attacks used to bypass security controls like multi-factor authentication (MFA)

During 2023/2024, several attempts at adversary-in-the-middle (AITM) phishing attacks were reported to the NCSC. AITM phishing attacks are an advanced way to steal sensitive credentials and bypass security controls, such as MFA. In AITM phishing attacks, a server is used as a proxy to intercept the network communication between a victim’s computer and the real web server. Additionally, the malicious cyber actor creates their own website security certificate to remove encryption from data in secure internet connections, subsequently enabling sensitive information such as credentials and MFA session cookies to be captured. Engaging with a legitimate website through a proxy also ensures that MFA session cookies last longer, giving attackers more time to perform malicious activities.

Managing the threat

• Prevent and Protect: Although AITM attacks have been used to bypass some MFA implementations, phishing resistant MFA methods using the Fast IDentity Online 2 standard (FIDO2) can be utilised to protect against these attacks. FIDO2 uses a combination of origin checking, token binding, and public key cryptography, preventing attackers from using intercepted authentication and session information.
• Detect and Contain: Use endpoint security products that include rules to detect phishing attempts alongside correlation rules from third-party log sources, which may be provided by endpoint security products or security information and event management (SIEM) systems, to identify and disrupt clicked phishing links and related network activity. Some products may include specific AITM monitoring rules, which should be enabled wherever possible. 

Historical common vulnerabilities and exposures (CVEs) used by state and criminal actors

While conscientious organisations may work to address new vulnerabilities, some of the biggest CVE threats have been used for a long time. Historical CVEs, including those from 2019 or earlier, are still frequently seen exploited in New Zealand cyber incidents, even though solutions are known and readily available. These unpatched vulnerabilities are still threats to the security of systems domestically. In many cases, individuals or organisations are not selected as specific targets, but the fact that they rely on a product or service with unaddressed vulnerabilities exposes them to risk.

Managing the threat

• Guide and Govern: Maintain clear expectations with technology owners and external support partners regarding patching requirements, through policies, standards, and reporting mechanisms.
• Identify and Understand: Systems should be catalogued and regularly scanned to ensure the latest available patches are implemented, with compensating controls applied where assets can’t be patched in a timely manner. Reports for patch compliance should be provided regularly.
• Prevent and Protect: Patch all systems as soon as possible, following a ringed release model that allows the pause of patch updates in the unlikely event that updates impact service availability.
• Detect and Contain: Monitor for indicators of compromise related to high-scoring CVEs. It is not safe to assume that because patches have been installed in a timely manner, that they have not been exploited prior to the installation of a patch.

SQL injection and cross-site scripting used for exploitation of public-facing applications

Several incidents in 2023/2024 where public-facing applications or websites were targeted for exploitation involved the use of SQL injection or cross-site scripting (XSS). The NCSC observed these techniques were being used in instances where the malicious cyber actors attempted or gained unauthorised access to data for subsequent exfiltration. The NCSC has observed both state-sponsored and criminal cyber actors using this technique, including in some of the most damaging ransomware incidents reported to the NCSC. SQL injection is a security vulnerability that targets the underlying database of a web application. It occurs when a malicious cyber actor manipulates the application’s database into running malicious SQL queries. XSS is another prevalent server-based web vulnerability that targets the trust a user has in a particular website. In XSS attacks, malicious scripts are injected into web pages that other users subsequently view.

Managing the threat

• Guide and Govern: Organisations should provide strong guidance to application developers through secure development training, which incorporates recognised risks and related mitigations, such as the Open Web Application Security Project Top 10 Web Application Security Risks 2021 (OWASP Top 10:2021).
• Identify and Understand: Early detection and remediation of application security issues are important steps to minimise the risk of web application compromise. Organisations should conduct threat modelling consistently to understand how injection attacks (including SQL injection and XSS) could impact their applications before they are built.
• Prevent and Protect: Implementing application security tools and checks within CI/CD pipelines (a method of automatically testing and delivering new software) is a good way to check for common security issues. Such tools can be configured to fail build tasks where issues are identified, preventing the introduction of potentially risky issues into live, internet-facing systems.

BADCANDY malware implant used to compromise Cisco IOS devices

In February 2024, exploitation of a previously unknown vulnerability in the Web User Interface feature of Cisco IOS software led to 11 of New Zealand’s nationally significant organisations experiencing targeted reconnaissance activity. Unauthorised users exploited vulnerabilities in order to maintain and elevate access to victims’ systems. Once a local user account was created, a malware implant known as BADCANDY was deployed. This allowed the user to attempt privilege escalation, where modifications grant access to additional roles, permissions or higher-privileged valid accounts.

Managing the threat

• Guide and Govern: Organisations should maintain a vulnerability management strategy that encompasses networks, cloud platforms, and locally installed devices. Organisations should also subscribe to vendor notifications for security issues. These alerts highlight security issues, mitigating actions, and notify the availability of security updates to address identified vulnerabilities.
• Identify and Understand: Organisations should make use of technology capabilities such as attack surface management to understand their web-facing assets and what the risks of exposure to the internet may be.
• Prevent and Protect: Disable HTTP/HTTPS server components of management interfaces and restrict configuration access to trusted locations.
• Detect and Contain: Implement processes to monitor network appliances and security gateways for unauthorised changes. Regular revalidation of access requirements, alongside auditing of network device configuration is a good hygiene step, which can be supported by administrative log ingestion by SIEM services.

Cloud storage providers targeted, but not just for data exfiltration

In 2023/2024, the NCSC responded to several incidents in New Zealand associated with possible compromised accounts held by cloud-managed service providers.

The NCSC frequently observes legitimate cloud providers being targeted for data exfiltration. However, the abuse of cloud service providers is frequently a vector for other forms of intrusion. This includes unauthorised access to cloud data gained for the purpose of espionage, cloud infrastructure being used to propagate email spam campaigns, DDoS attacks to disrupt legitimate users from accessing IT resources, and the hosting of malicious content such as bots and phishing pages. Hosting of malicious content on the cloud is difficult to block, as malicious cyber actors are able to hide in legitimate content from trusted cloud brands.

Managing the threat

• Guide and Govern: Organisations should emphasise training requirements around security best practices and identifying phishing attempts.
• Identify and Understand: Cloud security posture management (CPSM) capabilities continuously check cloud settings and configurations to find risks and misconfigurations. Ensure that all cloud storage platforms are integrated with CPSM solutions, and that recommendations from such tools are acted on in a timely manner.
• Prevent and Protect: Organisations should consider adoption of cloud services following a zero trust architectural approach, which requires continuous evaluation and enforcement of policies, prior to granting access. Following principles of least-privilege, which restrict users and services to only the resources required for their role, can minimise the impact of a malicious user gaining access to services through phishing or exploitation of other vulnerabilities. Implementing access policies that require a number of sign-in conditions to be satisfied before access is granted may be an effective way to prevent many attacks from occurring.
• Detect and Contain: If a successful account compromise is detected, revoke active sessions, reset MFA registration and user account passwords, and isolate end-user compute devices where suspicious activity is occurring from (if this is within the control of the organisation).