The route to the inside!
Hacking the golden four

With modern networks now taking advantage of cloud computing and hybrid solutions, we are seeing the main routes of attack coming through four main gateways. We explore how the “golden four” gateways for attackers are exploited and how you can better protect your organisation.

VPN (Virtual Private Network)

Remote working is usually offered via VPN and RDP (Remote Desktop Protocol). The attackers are issuing IKEv1 session keys to decrypt connections. The technique involves reusing the key pair across different versions of IKE (Internet Key Exchange), which leads to a cross-protocol authentication bypass that allows the attacker to spoof the targeted IPsec endpoint and break the encryption mechanism.

Every hack starts with a scan, which reveals access points (services, ports and technology) and access areas. The attacker then uses Medusa to “brute-force” access. A successful brute-force provides an “in”, which means the hacker gets to decide what they want to do and the company is at the mercy of the attacker.

Top five tips to stay safe are:

  1. Multi-Factor Authentication
  2. IP Blacklisting
  3. IPS/IDS
  4. Penetration Testing
  5. Vulnerability Scanning

Remote Desktop

A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.

The attacker scans an IP range. The scan reveals access points (services, ports and technology), the public gateway and any firewall restrictions. The attacker then uses Hydra to “brute-force” access, which provides an “in”, usually at session level (user friendly). The hacker gets to decide what they want to do and the company is at the mercy of the attacker.

Top five tips to stay safe are:

  1. Multi-Factor Authentication (less common on RDP)
  2. IP Blacklisting (less common on RDP)
  3. IPS/IDS (less common on RDP)
  4. Penetration Testing
  5. Vulnerability Scanning

Office 365 / OWA (Outlook Web Access)

With 258 million corporate users, the Microsoft Office 365 platform has become a target-rich environment for sophisticated phishing attacks. Office 365 presents a number of unique attack techniques for hackers looking to compromise accounts. Microsoft was the number one impersonated brand in phishing attacks in 2019 - thanks to Office 365.

The attacker scans the domain name to find Mail.Address, and the scan reveals that the company uses Outlook. Dehashed is used for credentials and breach lists, and users are enumerated via username spraying (Metasploit) and password spraying (word list). The hacker gets to decide what they want to do (crime, privacy liability, pivoting) and the company is now at the mercy of the attacker.

Top five tips to stay safe are:

  1. Multi-Factor Authentication
  2. Complex Passwords
  3. Auto Lockout
  4. Penetration Testing
  5. Cyber Security Awareness Training
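
The brute-force steps described for VPN and RDP and the password spraying described for Office 365 leave different traces in sign-in logs, and an auto lockout policy only reacts to one of them. The following is an added example, not part of the original bulletin, that labels source IPs by failure pattern; the event layout, thresholds, addresses and account names are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (time, source IP, account, success); the field
# layout and all values are assumptions for this example, not a real log format.
T0 = datetime(2021, 5, 20, 9, 0)
SAMPLE = (
    # one source, six accounts, one failure each: password spraying
    [(T0 + timedelta(seconds=30 * i), "203.0.113.7", user, False)
     for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # one source, one account, six failures: classic brute force
    + [(T0 + timedelta(seconds=10 * i), "198.51.100.23", "svc-vpn", False)
       for i in range(6)]
    # ordinary typo followed by a successful sign-in
    + [(T0, "192.0.2.10", "grace", False),
       (T0 + timedelta(seconds=20), "192.0.2.10", "grace", True)]
)

def locked_accounts(events, threshold=5):
    """Accounts a per-account lockout policy would lock (failures >= threshold)."""
    fails = Counter(user for _, _, user, ok in events if not ok)
    return {user for user, n in fails.items() if n >= threshold}

def classify_sources(events, window=timedelta(minutes=10), min_users=5, min_fails=5):
    """Label each source IP by its failure pattern inside a sliding time window."""
    by_ip = defaultdict(list)
    for when, ip, user, ok in events:
        if not ok:
            by_ip[ip].append((when, user))
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # drop failures older than the window
            per_user = Counter(user for _, user in fails[start:end + 1])
            if len(per_user) >= min_users:
                findings[ip] = "password-spray"
                break
            if max(per_user.values()) >= min_fails:
                findings[ip] = "brute-force"
                break
    return findings

if __name__ == "__main__":
    print(classify_sources(SAMPLE))   # per-source view catches both patterns
    print(locked_accounts(SAMPLE))    # lockout alone only sees the brute force
```

On the sample data the lockout policy locks only the brute-forced account, while the sprayed accounts each see a single failure and stay below the threshold; the per-source view flags both sources.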

Cloud Applications

Over the last decade, we have seen companies experience a cyber incident or a data breach due to a vulnerability or misconfiguration at their third parties, e.g. vendors, suppliers and partners. Research reveals that the ratio of companies that experienced a data breach caused by a third party increased to 58%. [1]

The company website reveals its cloud apps through testimonials and back links. The hacker phishes the entire domain, usually with a password reset for a cloud app, and gains credentials. Because the user uses the same credentials for more than one app, the user is significantly compromised. The hacker gets to decide what they want to do and the company is at the mercy of the attacker.

Top five tips to stay safe are:

  1. Multi-Factor Authentication
  2. Complex Passwords / different passwords
  3. Employee Training
  4. Email Filtering
  5. Phishing Simulations

Finally, please take care in these testing times. We hope that this document can support your business and help your employees work remotely and securely during this period.

1. https://blackkitetech.com/top-ten-data-breaches-caused-by-a-third-party-in-the-last-decade/

CONDITIONS AND LIMITATIONS
This note is not intended to give legal or financial advice, and, accordingly, it should not be relied upon for such. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. In preparing this note we have relied on information sourced from third parties and we make no claims as to the completeness or accuracy of the information contained herein. It reflects our understanding as at 20/05/2021, but you will recognise that matters concerning Covid-19 are fast changing across the world. You should not act upon information in this bulletin nor determine not to act, without first seeking specific legal and/or specialist advice. Gallagher accepts no liability for any inaccuracy, omission or mistake in this note, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein. No third party to whom this is passed can rely on it. Should you require advice about your specific insurance arrangements or specific claim circumstances, please get in touch with your usual contact at Gallagher.
