The top six exploits and how zero trust can mitigate them

ThreatLocker's VP of operations explains how stopping illegitimate conversations between software programs could have prevented exploitation of the major vulnerabilities of the past two years

The top six exploits of the past couple of years have seen billions of devices, millions of organisations and numerous individuals adversely affected by cyber attacks, said Rob Allen, VP of operations EMEA at ThreatLocker.

Those exploits were as follows.

The 2020 SolarWinds supply chain attack, in which the company's Orion software was trojanised so that its agents contacted a command-and-control server in New Jersey controlled by Russian hackers. Thousands of organisations, including government departments, implicitly trusted SolarWinds and could have been compromised as a result - although in the end, only about 100 were directly affected.

Then there were the ongoing Microsoft Exchange vulnerabilities, which saw 600,000 organisations impacted in 2021.


In another supply chain attack, the REvil group compromised Kaseya's VSA remote management software, used by MSPs to administer their customers' systems, leaving 100,000 machines encrypted and forcing numerous businesses to close.

PrintNightmare is a vulnerability in the Windows Print Spooler service that allowed remote code execution and local privilege escalation. It was very easy to exploit and has since been patched.

Then there was the Follina flaw in Microsoft Office, which needed no macros and no further interaction from the user: simply opening a malicious document was enough (and, for the RTF variant, merely previewing it in Explorer).

Image: Rob Allen, ThreatLocker

And of course, we can't ignore Log4j - "the big guy in the room" as Allen called it - the Java logging library used in hundreds of thousands of applications and present on an estimated 3 billion devices. Security teams have had to track down every place it exists, apply patches, and/or wait for vendors to update their software.

"It was the closest thing to an endemic vulnerability you're ever going to come across," said Allen, speaking at Computing's IT Leaders Festival on Tuesday.

All these exploits involve software talking to other software it shouldn't, or people holding privileges they shouldn't have: the trojanised Orion agents calling home in the SolarWinds case; the Windows print spooler launching PowerShell as the first step to downloading a payload in PrintNightmare; PowerShell again as the port of call for a malicious Office document in Follina; Log4Shell's abuse of JNDI lookups to fetch code from an attacker-controlled endpoint; and privilege escalation in the Kaseya attack.

A zero trust approach, in which anything not explicitly allow listed is blocked, is an effective defence against many attacks on these vulnerabilities.

"Allow listing has always been a good idea but it has always been difficult to achieve," said Allen.

However, modern solutions like ThreatLocker make it much easier: they learn the environment, build a picture of what software is needed and create rules, policies and exceptions from that. Once switched to enforcement, they block anything not covered by the rules.
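To make the learn-then-enforce idea concrete, the script below is an added example, not ThreatLocker's code or anything shown in the talk. It applies deny-by-default allow listing to one of the relationships Allen singles out, which process is permitted to launch which: a baseline of process-creation events (the parent/child fields Sysmon event 1 or Windows event 4688 record) is learned, then live events are judged against it, so spoolsv.exe spawning powershell.exe, WINWORD.EXE spawning msdt.exe (the ms-msdt: handler Follina abused) or java.exe spawning cmd.exe are blocked while the learned pairings pass. All process events below are constructed sample data, and the class and function names are the example's own.

```python
"""Deny-by-default process-lineage allow listing in two phases: learn a baseline
of who launches what, then block any parent/child pairing not in it.
Added example; every event below is constructed, not real telemetry."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: the launching image and the launched image."""
    parent: str
    child: str


def image_name(path: str) -> str:
    """Case-insensitive file name, so C:\\Windows\\System32\\spoolsv.exe == spoolsv.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


class LineageAllowList:
    def __init__(self):
        # parent image -> set of child images that parent may launch
        self.rules = defaultdict(set)

    def learn(self, events):
        """Learning mode: every observed pairing becomes a rule. Feed this a clean
        baseline only; a pairing learned here is trusted from then on."""
        for e in events:
            self.rules[image_name(e.parent)].add(image_name(e.child))

    def allow(self, parent: str, child: str):
        """Explicit exception for software the baseline period did not exercise."""
        self.rules[image_name(parent)].add(image_name(child))

    def decide(self, e: ProcEvent) -> str:
        """Enforcement: the default is block; only a learned or approved pair is allowed."""
        parent, child = image_name(e.parent), image_name(e.child)
        return "allow" if child in self.rules.get(parent, ()) else "block"

    def enforce(self, events):
        return [(e, self.decide(e)) for e in events]


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"

# Constructed baseline: what a quiet workstation looked like during learning mode.
BASELINE = [
    ProcEvent(r"C:\Windows\explorer.exe", OFFICE + r"\WINWORD.EXE"),
    ProcEvent(r"C:\Windows\explorer.exe", OFFICE + r"\OUTLOOK.EXE"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\spoolsv.exe"),
    ProcEvent(r"C:\Windows\System32\spoolsv.exe", r"C:\Windows\System32\PrintIsolationHost.exe"),
    ProcEvent(OFFICE + r"\WINWORD.EXE", r"C:\Windows\splwow64.exe"),
]

# Constructed enforcement-phase events: normal activity mixed with the lineages the
# exploits in the article produce (spooler -> PowerShell, Word -> msdt.exe via the
# ms-msdt: handler, a Java service spawning a shell after a JNDI lookup).
LIVE = [
    ProcEvent(r"C:\Windows\explorer.exe", OFFICE + r"\WINWORD.EXE"),
    ProcEvent(r"C:\Windows\System32\spoolsv.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(OFFICE + r"\WINWORD.EXE", r"C:\Windows\System32\msdt.exe"),
    ProcEvent(OFFICE + r"\WINWORD.EXE", r"C:\Windows\splwow64.exe"),
    ProcEvent(r"C:\Program Files\Java\jre\bin\java.exe", r"C:\Windows\System32\cmd.exe"),
]


def run_demo():
    """Learn from BASELINE, judge LIVE; returns {(parent, child): verdict}."""
    policy = LineageAllowList()
    policy.learn(BASELINE)
    return {(image_name(e.parent), image_name(e.child)): verdict
            for e, verdict in policy.enforce(LIVE)}


if __name__ == "__main__":
    for (parent, child), verdict in run_demo().items():
        print(f"{verdict:5}  {parent} -> {child}")
```

The check a practitioner should carry over from this toy is the one in the `learn` docstring: whatever is running during the learning window becomes policy, so the baseline has to be taken from machines you are confident are clean, and exceptions added later (the `allow` call) deserve the same scrutiny as an admin-rights grant.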

The same zero trust principle applies to backups, the number one target of ransomware. Storage controls can enforce a rule that the only software allowed to communicate with an archive is the backup software, closing that route to attackers.

The zero trust approach also offers protection against hardware attacks using devices such as USB Rubber Duckies or fake charging cables, which can inject commands into a targeted machine and exfiltrate data from it. Machines and USB devices can be paired on an approve list, with any other pairing denied. Similarly, the file types that can be copied to a USB stick can be approve-listed, for example to JPEG or .docx files only, closing a common route for data leakage.

Dynamic network access control lists (ACLs) are another part of the picture, restricting access to a server to particular devices, IP addresses or regions.

"We can open and close ports depending on what's connecting to it. So you set up a dynamic ACL on the server and say, only allow machines on my workstations group to connect to this and that means anything that's not in that group is not going to be able to connect to that server. And it's a very simple, very easy setup," Allen said.

And there should be tight control over the admin rights needed to install software. Frequently these rules are sidestepped, for example to allow a partner organisation to install remote access software; sometimes that software is never uninstalled and remains a standing risk.

"Who here has people or machines in their environment who are admins and shouldn't be?" asked Allen.

"OK I've got a room full of liars," he joked, when few in the audience raised their hands. "I can guarantee that every single one of you have people with elevated privileges who should not have."