
Top Ten Security Misconfigurations hackers are exploiting

Today, organizations face a seemingly never-ending list of cybersecurity risks. Malware, coding flaws, and poorly deployed software account for some of them, but security misconfigurations deserve just as much attention: they are the settings and defaults that turn a single foothold into a full compromise.

Recently, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory (CSA AA23-278A, October 2023) detailing the most common cybersecurity misconfigurations their red and blue teams found in large organizations.

In addition to listing the most common network misconfigurations, the CSA outlines the tactics, techniques, and procedures (TTPs) malicious actors use to exploit them, mapped to MITRE ATT&CK. By placing a spotlight on the misconfigurations that most commonly plague businesses, the NSA and CISA have given network defenders concrete mitigations, and have urged software manufacturers to adopt secure-by-design principles so that these weaknesses are not shipped as defaults.

Below, we’ve summarized the 10 most common security misconfigurations identified within the joint CSA authored by the NSA and CISA. Familiarizing yourself with them will help you spot if they’re present in your organization before the hackers do.

1. Poor credential hygiene

This kind of security misconfiguration is easy to rectify but worryingly common. Using easily cracked passwords and storing passwords in cleartext are the two most frequent mistakes. Weak password requirements, such as a short minimum length or no check against known-breached passwords, make it far more likely that users settle on passwords that can be guessed outright or cracked offline from a stolen hash.

Malicious actors also scour networks for files containing cleartext passwords: scripts, configuration files, deployment images, and documents left on shared drives. A credential found this way lets the attacker log in as a legitimate user, so their activity blends in with normal use and rarely trips an alert on its own.
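Defenders can run the same hunt an attacker would, before the attacker does. The following script is an added example written for this article (it is not tooling from the advisory or from Hadrian): it materialises a small constructed directory tree containing the file types that most often leak credentials, then scans it with a handful of regular expressions. The file suffixes, the patterns, and every path and secret in the sample tree are illustrative assumptions.

```python
import re
import tempfile
from pathlib import Path

# Patterns that commonly betray a credential stored in cleartext. Illustrative
# assumptions for this example; a real hunt would carry a much longer list.
CREDENTIAL_PATTERNS = [
    ("password assignment",
     re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]?[^\s'\"]{4,}")),
    ("net use with inline password",
     re.compile(r"(?i)\bnet use\b.*/user:\S+\s+\S+")),
    ("unattend.xml AutoLogon password",
     re.compile(r"(?i)<Password>\s*<Value>[^<]+</Value>")),
    ("private key block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# File types worth reading; binaries and very large files are skipped.
SUFFIXES = {".txt", ".ini", ".xml", ".cfg", ".config", ".env",
            ".ps1", ".bat", ".yml", ".yaml", ".pem", ".key"}
MAX_BYTES = 1_000_000


def hunt_credentials(root):
    """Walk `root` and return sorted (relative path, line number, pattern name)
    tuples, one per line that matches a credential pattern."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUFFIXES:
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: move on rather than abort the hunt
        for line_no, line in enumerate(text.splitlines(), 1):
            for name, pattern in CREDENTIAL_PATTERNS:
                if pattern.search(line):
                    hits.append((path.relative_to(root).as_posix(), line_no, name))
                    break  # one finding per line is enough
    return sorted(hits)


# Constructed sample tree: every file, path and secret here is made up.
SAMPLE_TREE = {
    "deploy/settings.ini": "[database]\nuser=svc_backup\npassword=Winter2023!\n",
    "scripts/map_drive.bat": "net use Z: \\\\fs01\\finance /user:CORP\\jsmith P@ssw0rd1\n",
    # PlainText=false only means base64, which anyone who can read the file can decode
    "sysprep/unattend.xml": "<AutoLogon><Password><Value>V2ludGVyMjAyMyE=</Value>"
                            "<PlainText>false</PlainText></Password></AutoLogon>\n",
    "certs/server.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAnotarealkey\n"
                        "-----END RSA PRIVATE KEY-----\n",
    "app/config.env": "DB_HOST=db01\nDB_PASSWORD=s3cr3t-value\n",
    "docs/policy.txt": "Passwords must be rotated every 90 days.\n",  # benign: no hit expected
}


def write_sample_tree(root):
    """Materialise SAMPLE_TREE under `root` so the hunt has something to scan."""
    for rel, content in SAMPLE_TREE.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        for rel, line_no, name in hunt_credentials(tmp):
            print(f"{rel}:{line_no}: {name}")
```

Pointed at a mounted share or a workstation's profile directories, the same scan surfaces the files that assessment teams keep finding. The benign policy document shows the value of anchoring the patterns on an assignment rather than on the word "password" alone, and the base64 in the sample unattend.xml is a reminder that "encoded" is not "encrypted".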

2. Default software configurations

Far too many software products and appliances can be accessed simply by entering their default credentials, which can be found with a simple web search, or by resetting the password through easily guessed security questions. Leveraging these defaults, threat actors can gain authenticated access to devices, execute code on them, or harvest sensitive data.

Insecure default service permissions and configuration settings afflict a range of devices: printers, scanners, security cameras, VoIP phones, IoT products, and more. Many of these devices are configured with a privileged domain account (a printer's scan-to-folder account, for instance), so an attacker who takes over the device can use that account to move laterally. Services with overly permissive access controls, insecurely configured Active Directory Certificate Services (AD CS) templates, and legacy name-resolution protocols such as LLMNR and NetBIOS that answer any host on the segment are all default settings that let attackers reach networks or devices they should not.

3. Insufficient internal network monitoring

Unfortunately, breaches cannot be prevented entirely, even with the most robust safeguards. If a business monitors its internal network, collecting traffic data and flagging unusual activity, it can detect a compromise quickly and limit what the intruder accomplishes.

To gain true visibility into adversarial activity, organizations need both host-based and network monitoring. Together they reveal malicious activity on individual hosts and the movement between them; either one alone leaves a blind spot. Where monitoring is insufficient, attackers can lie undetected for a long time after the initial intrusion, and the response does not start until the damage is already done.
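What the combination of host and network telemetry buys you is easiest to see in code. The example below is added for this article and is not from the advisory or from Hadrian; it takes a constructed batch of Windows Security 4624 logon events (as a log forwarder would collect them from each host) and flags any account that performs network logons to several distinct hosts within a short window, the fan-out pattern that lateral movement produces. The field layout, thresholds, the allowlisted scanner account, and all hostnames and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4624 (successful logon) records
# forwarded from several hosts, reduced to the fields the detection needs:
# (timestamp, host that logged the event, account, logon type, source address).
# Logon type 3 is a network logon (SMB, RPC, WinRM); type 2 is a console logon.
SAMPLE_LOGONS = [
    ("2024-03-04T09:00:12", "FS01",   "CORP\\jsmith",      3, "10.10.20.15"),
    ("2024-03-04T09:01:40", "FS01",   "CORP\\svc_backup",  3, "10.10.5.9"),
    ("2024-03-04T09:02:07", "WS-101", "CORP\\jsmith",      2, "-"),
    ("2024-03-04T09:14:33", "WS-102", "CORP\\jsmith",      3, "10.10.20.15"),
    ("2024-03-04T09:15:01", "WS-103", "CORP\\jsmith",      3, "10.10.20.15"),
    ("2024-03-04T09:15:20", "WS-104", "CORP\\jsmith",      3, "10.10.20.15"),
    ("2024-03-04T09:15:48", "DC01",   "CORP\\jsmith",      3, "10.10.20.15"),
    ("2024-03-04T09:16:02", "FS02",   "CORP\\svc_backup",  3, "10.10.5.9"),
    ("2024-03-04T09:20:10", "WS-101", "CORP\\svc_scanner", 3, "10.10.5.20"),
    ("2024-03-04T09:20:11", "WS-102", "CORP\\svc_scanner", 3, "10.10.5.20"),
    ("2024-03-04T09:20:12", "WS-103", "CORP\\svc_scanner", 3, "10.10.5.20"),
    ("2024-03-04T09:20:13", "WS-104", "CORP\\svc_scanner", 3, "10.10.5.20"),
]

# Accounts that legitimately touch many hosts (vulnerability scanner, patching).
# A constructed assumption here; tune it for your environment and keep it short.
EXPECTED_FANOUT_ACCOUNTS = {"CORP\\svc_scanner"}


def detect_lateral_fanout(events, window=timedelta(minutes=10), threshold=4,
                          allowlist=EXPECTED_FANOUT_ACCOUNTS):
    """Flag accounts that perform network logons to `threshold` or more distinct
    hosts within `window`. Returns {account: {"first_seen", "hosts", "sources"}}."""
    by_account = defaultdict(list)
    for ts, host, account, logon_type, source in events:
        if logon_type != 3 or account in allowlist:
            continue  # only network logons reflect host-to-host movement
        by_account[account].append((datetime.fromisoformat(ts), host, source))

    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (ts, _host, _src) in enumerate(logons):
            recent = [entry for entry in logons[:i + 1] if ts - entry[0] <= window]
            hosts = {h for _, h, _ in recent}
            if len(hosts) >= threshold:
                alerts[account] = {
                    "first_seen": ts.isoformat(),
                    "hosts": sorted(hosts),
                    "sources": sorted({s for _, _, s in recent}),
                }
                break  # report the moment the threshold is crossed
    return alerts


if __name__ == "__main__":
    for account, info in detect_lateral_fanout(SAMPLE_LOGONS).items():
        print(f"{account}: {len(info['hosts'])} hosts from {info['sources']} "
              f"by {info['first_seen']}: {info['hosts']}")
```

The single source address behind every alerting event is the network-side corroboration: a workstation, not a management host, is originating SMB or WinRM sessions to other workstations and a domain controller, which a network sensor would see as east-west traffic on ports 445 and 5985 from the user VLAN. Tune the window and threshold against your own baseline, and review the allowlist regularly, since attackers deliberately reuse accounts that are expected to be noisy.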

4. Improper separation of user or admin privileges

It is not uncommon for administrators to assign accounts more permissions than they need so that users can get their work done. A single compromised over-privileged account then lets an attacker move quickly through the network and reach multiple devices and services; because the account is authorized to do all of that, the activity looks legitimate and is hard to distinguish from routine administration.

Overly permissive account privileges allow users to see and do things they should not, expanding the organization's attack surface. Using elevated accounts for non-essential tasks such as email and web browsing makes this worse, because a phishing payload or malicious site then runs with those privileges.

5. Sub-standard patch management

Another common mistake that undoes cyber defenses is poor patch management. Vendors release a patch or update for a vulnerability, yet attackers can still exploit it because the patch was never applied. The cause may also be outdated firmware or an unsupported operating system for which no fix will ever ship.

Irregular patching leaves networks particularly susceptible to publicly known and catalogued exploits. Vulnerability scanning and open-source research (vendor advisories, CISA's Known Exploited Vulnerabilities catalog) tell organizations which known flaws are present in their environment. Where software or hardware is no longer supported by the vendor, patching is not an option, and the system has to be isolated or replaced.

6. Insufficient ACLs on network shares and services

Access Control Lists (ACLs) regulate access to files, directories, shares, and other resources by assigning permissions to users and groups. Improperly configured ACLs, such as a share that grants Everyone or Authenticated Users read or write access, let threat actors reach sensitive data with nothing more than built-in commands or readily available tooling.

Once threat actors use misconfigured ACLs to reach shared files and folders, the data can be used for extortion or follow-on attacks. Shares also routinely hold network diagrams, vulnerability scan reports, backup images, and administrator scripts, all of which broaden an attacker's knowledge of the network and frequently contain credentials.
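On Windows file servers the ACLs the advisory has in mind are inspected with icacls or Get-Acl. The script below is an added example for this article, not from the advisory or from Hadrian: it parses constructed output in the format icacls prints and reports every entry that grants a broad principal (Everyone, Authenticated Users, Domain Users, and similar) write access anywhere, or read access to a share whose name suggests sensitive content. The share paths, the CORP domain, the principal list, and the sensitive-name markers are assumptions; the parser also assumes paths contain no spaces.

```python
import re

# Principals that effectively mean "everyone on the domain" (constructed for a
# fictional CORP domain; add your own catch-all groups).
BROAD_PRINCIPALS = {
    "Everyone", "NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users",
    "CORP\\Domain Users", "CORP\\Domain Computers",
}
# icacls inheritance flags; everything else inside parentheses is a right.
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple rights (F, M, W, D) and specific rights that allow changing content.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
# Path fragments that mark a share as sensitive for the read-access check (assumption).
SENSITIVE_MARKERS = ("Finance", "HR", "Scans", "Backup", "IT")

HEADER_RE = re.compile(r"^(?P<path>\S+) (?P<ace>.+)$")           # path then first ACE
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")

# Constructed icacls output for four shares; the format follows icacls, the
# content is invented. The first ACE shares the line with the path and the
# remaining ACEs are indented beneath it.
ICACLS_OUTPUT = r"""
D:\Shares\Finance BUILTIN\Administrators:(OI)(CI)(F)
                  CORP\Finance:(OI)(CI)(M)
                  Everyone:(OI)(CI)(F)
D:\Shares\IT\Scans CORP\Domain Admins:(OI)(CI)(F)
                   NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                   NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(W)
D:\Shares\Public CORP\Domain Users:(OI)(CI)(R,W)
                 CORP\Domain Admins:(OI)(CI)(F)
D:\Shares\HR CORP\HR:(OI)(CI)(M)
             CORP\Domain Admins:(OI)(CI)(F)

Successfully processed 4 files; Failed processing 0 files
"""


def parse_icacls(text):
    """Yield (path, principal, inheritance flags, rights) for each ACE."""
    path = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Successfully"):
            continue
        if not raw[0].isspace():                       # new object: path + first ACE
            header = HEADER_RE.match(raw)
            path, ace = header.group("path"), header.group("ace")
        else:                                          # continuation ACE for the same path
            ace = raw.strip()
        m = ACE_RE.match(ace)
        if not m:
            continue
        tokens = re.findall(r"\(([^)]*)\)", m.group("flags"))
        inherit = {t for t in tokens if t in INHERITANCE_FLAGS}
        rights = set()
        for t in tokens:
            if t not in INHERITANCE_FLAGS:
                rights.update(t.split(","))            # "(R,W)" carries two rights
        yield path, m.group("principal"), inherit, rights


def audit_share_acls(text):
    """Return (path, principal, rights, reason) for every over-broad ACE."""
    findings = []
    for path, principal, _inherit, rights in parse_icacls(text):
        if principal not in BROAD_PRINCIPALS:
            continue
        rights_str = ",".join(sorted(rights))
        if rights & WRITE_RIGHTS:
            findings.append((path, principal, rights_str, "broad write access"))
        elif rights - {"N"} and any(marker in path for marker in SENSITIVE_MARKERS):
            findings.append((path, principal, rights_str, "broad read access to sensitive share"))
    return findings


if __name__ == "__main__":
    for finding in audit_share_acls(ICACLS_OUTPUT):
        print(finding)
```

The two entries for IT\Scans show why read access matters as much as write: a vulnerability scan report readable by every domain user is a ready-made target list, and the separate inherit-only write entry lets anyone modify the files beneath it. Run the real audit with `icacls <share> /t` output, or the equivalent Get-Acl export, and treat every hit on a broad principal as a ticket.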

7. Bypassing system access controls

Bypassing access controls is one of the fastest ways for an attacker to turn a misconfiguration into account access, lateral movement, and privilege escalation. A common route is collecting password hashes across the network, from LSASS memory or a registry dump, and replaying them directly in pass-the-hash attacks: no cracking is needed, because NTLM authentication accepts the hash itself.

Crucially, these techniques use legitimate authentication traffic, so they often go unnoticed. Another common approach is Kerberoasting, which abuses how Microsoft Active Directory issues Kerberos service tickets: any authenticated domain user can request a ticket for any account that has a Service Principal Name (SPN), and part of that ticket is encrypted with the service account's password hash. The attacker takes the tickets offline and cracks them, which succeeds quickly when the service account has a short, human-chosen password and the ticket uses RC4. To avoid being Kerberoasted, give SPN-bearing accounts long random passwords (or use group Managed Service Accounts), restrict them to AES encryption, and watch for accounts that request tickets for many services in a short period. More broadly, adopt a hacker's mindset when examining the security posture of your Active Directory environment.
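Detection is the other half of the answer, because Kerberoasting leaves a distinctive trace in domain controller logs: Security event 4769 (a Kerberos service ticket was requested), which is only recorded when the "Audit Kerberos Service Ticket Operations" subcategory is enabled. The example below is added for this article, not from the advisory or from Hadrian. It runs over constructed 4769 records and flags any account that requests tickets for many distinct user service principals, recording whether those tickets were RC4 and whether the same account used AES elsewhere (which makes the RC4 request a deliberate downgrade). The field layout, thresholds, and all names and addresses are assumptions.

```python
from collections import defaultdict

# Kerberos ticket encryption types as logged in the TicketEncryptionType field
# of Security event 4769: 0x11/0x12 are AES128/AES256, 0x17/0x18 are RC4.
RC4_TYPES = {0x17, 0x18}

# Constructed 4769 records: (timestamp, requesting account, service name,
# ticket encryption type, client address). None of these are real logs.
SAMPLE_4769 = [
    ("2024-03-04T10:00:01", "jsmith",    "FS01$",        0x12, "10.10.20.15"),
    ("2024-03-04T10:00:05", "jsmith",    "svc_sql",      0x17, "10.10.20.15"),
    ("2024-03-04T10:00:05", "jsmith",    "svc_web",      0x17, "10.10.20.15"),
    ("2024-03-04T10:00:06", "jsmith",    "svc_backup",   0x17, "10.10.20.15"),
    ("2024-03-04T10:00:06", "jsmith",    "svc_sccm",     0x17, "10.10.20.15"),
    ("2024-03-04T10:00:07", "jsmith",    "svc_exchange", 0x17, "10.10.20.15"),
    ("2024-03-04T10:30:00", "mlee",      "svc_sql",      0x12, "10.10.21.40"),
    ("2024-03-04T10:31:00", "WS-101$",   "krbtgt",       0x12, "10.10.21.41"),
    ("2024-03-04T11:00:00", "legacyapp", "svc_sql",      0x17, "10.10.30.7"),
]


def is_user_spn(service):
    """Only user accounts with an SPN are worth roasting: machine accounts (name$)
    have long random passwords, and krbtgt tickets are TGTs, not service tickets."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoast(events, min_services=3):
    """Return {account: finding} for accounts that requested service tickets for
    `min_services` or more distinct user SPNs. The finding lists which of those
    tickets were RC4 and whether the account also used AES (a downgrade)."""
    spn_requests = defaultdict(set)   # account -> user SPNs requested, any cipher
    rc4_requests = defaultdict(set)   # account -> user SPNs requested with RC4
    sources = defaultdict(set)
    used_aes = set()
    for _ts, account, service, etype, client in events:
        if account.endswith("$"):
            continue  # machine-to-machine tickets: not an interactive roaster
        if is_user_spn(service):
            spn_requests[account].add(service)
            sources[account].add(client)
            if etype in RC4_TYPES:
                rc4_requests[account].add(service)
        if etype not in RC4_TYPES:
            used_aes.add(account)

    findings = {}
    for account, services in spn_requests.items():
        if len(services) >= min_services:
            findings[account] = {
                "services": sorted(services),
                "rc4_services": sorted(rc4_requests[account]),
                "sources": sorted(sources[account]),
                "downgrade": bool(rc4_requests[account]) and account in used_aes,
            }
    return findings


if __name__ == "__main__":
    for account, info in detect_kerberoast(SAMPLE_4769).items():
        print(f"{account} from {info['sources']}: {len(info['services'])} SPNs, "
              f"RC4 for {len(info['rc4_services'])}, downgrade={info['downgrade']}")
```

The RC4 signal alone is no longer sufficient: attacker tooling can request AES tickets, which are slower to crack but still crackable when the password is weak, so the detection keys on the burst of distinct SPNs and treats RC4 as enrichment. A single RC4 request from an old application (the legacyapp record) is a hygiene item, not an alert. On the prevention side, setting msDS-SupportedEncryptionTypes on service accounts to AES only and migrating them to group Managed Service Accounts removes most of the exposure.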

8. Misconfigured or weak MFA methods

Multi-factor authentication (MFA) strengthens many apps and services, but it is not impregnable. One way it lulls organizations into a false sense of security is on Windows domains where users authenticate with smart cards or tokens: the account still has a password hash in Active Directory, and if that hash is never rotated, an attacker who steals it can use it in pass-the-hash attacks indefinitely, MFA notwithstanding. Rotating those hashes (Active Directory can do this automatically for smart-card-required accounts at the 2016 domain functional level) closes that gap.

Weak MFA factors are the other risk. Methods based on SMS codes, voice calls, or simple push notifications can be defeated by phishing proxies that relay the one-time code, by push bombing (spamming approval prompts until the user accepts one), by exploiting Signaling System 7 (SS7) weaknesses to intercept SMS, and by SIM swapping. In each case the threat actor ends up inside the MFA-protected system. Phishing-resistant MFA, such as FIDO2/WebAuthn security keys or PKI-based smart cards, is not susceptible to these attacks and should be the default for privileged accounts.

9. Improper network segmentation

If a network intrusion does occur, the organization needs to be able to contain the damage. Network segmentation does this by placing security boundaries between parts of the network. For example, a business will want its critical systems partitioned from, say, an employee intranet, so that a breach of the latter cannot become an attack on the former. The same applies to operational technology (OT) networks, which should never be reachable directly from user workstations.

Unfortunately, many organizations still lack segmentation, which lets threat actors move laterally between a wide variety of systems. Because forgotten or accidental network connections (a legacy VPN rule, a dual-homed host) create paths nobody remembers, a lack of segmentation means an initial compromise can escalate into major damage. Segmentation rules should therefore be tested, not just documented.
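Segmentation should be tested the way an intrusion would test it. The example below is an added illustration for this article, not from the advisory or from Hadrian: it models a small zone-based firewall policy for a constructed network and probes a set of isolation requirements, reporting any flow that is allowed but not explicitly permitted. Zones, addresses, rules, and the probe ports are assumptions; the forgotten vpn-to-critical rule is the deliberate misconfiguration the audit is meant to catch.

```python
import ipaddress

# Constructed zones for a fictional network; nothing here is real.
ZONES = {
    "users":    ipaddress.ip_network("10.10.20.0/24"),   # employee workstations
    "servers":  ipaddress.ip_network("10.10.5.0/24"),    # file, web and application servers
    "vpn":      ipaddress.ip_network("10.10.50.0/24"),   # remote-access VPN pool
    "critical": ipaddress.ip_network("10.200.0.0/24"),   # domain controllers, backup, OT gateways
}

# Firewall policy evaluated first-match, top to bottom; port None means any port.
# The vpn -> critical rule is the forgotten connection the article describes:
# added during a migration and never removed.
RULES = [
    ("users",   "servers",  "tcp", 445,  "allow"),
    ("users",   "servers",  "tcp", 443,  "allow"),
    ("servers", "critical", "tcp", 5985, "allow"),
    ("vpn",     "critical", "any", None, "allow"),
    ("any",     "any",      "any", None, "deny"),
]

# Ports an attacker would try first when looking for a way across a boundary.
PROBE_PORTS = [("tcp", 22), ("tcp", 445), ("tcp", 3389), ("tcp", 5985), ("tcp", 1433)]

# Isolation requirements: (description, sample source, sample destination,
# flows explicitly permitted across this boundary).
ISOLATION_REQUIREMENTS = [
    ("workstations must not reach critical systems", "10.10.20.15", "10.200.0.10", set()),
    ("VPN clients must not reach critical systems directly", "10.10.50.7", "10.200.0.10", set()),
    ("servers reach critical systems only over WinRM", "10.10.5.9", "10.200.0.10", {("tcp", 5985)}),
]


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if no zone contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(rules, src_ip, dst_ip, proto, port):
    """Return the action of the first matching rule (implicit deny if none match)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (r_src in (src, "any") and r_dst in (dst, "any")
                and r_proto in (proto, "any") and r_port in (port, None)):
            return action
    return "deny"


def audit_segmentation(rules, requirements, probes=PROBE_PORTS):
    """Probe each boundary; return {description: flows allowed but not permitted}."""
    findings = {}
    for desc, src, dst, permitted in requirements:
        leaks = [flow for flow in probes
                 if flow not in permitted and evaluate(rules, src, dst, *flow) == "allow"]
        if leaks:
            findings[desc] = leaks
    return findings


if __name__ == "__main__":
    for desc, leaks in audit_segmentation(RULES, ISOLATION_REQUIREMENTS).items():
        print(f"VIOLATION: {desc}: {leaks}")
```

Against a real environment the same check would be fed the exported policy from the firewall or cloud security groups, and backed by a packet-level probe from a host in each zone, because the configuration and the actual path can disagree (a dual-homed host bypasses the firewall entirely). Running the audit on every policy change turns segmentation from documentation into an enforced invariant.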

10. Unrestricted code execution

Once a threat actor has gained a foothold, the absence of execution restrictions lets them run arbitrary code: unsigned binaries, scripts, macros, and the living-off-the-land tools already present on the system. Scripting languages such as PowerShell are also used to obfuscate commands and keep malicious actions hidden from simple signature-based tools. Even where application allowlisting permits only known, trusted programs, the allowed interpreter itself becomes the vehicle for malicious code unless script execution is constrained as well, for example with PowerShell Constrained Language Mode, script block logging, and allowlisting rules that cover scripts and not just executables.


The misconfigurations hackers are looking for

Of course, these are some of the most common security misconfigurations today, but they are far from the only ones. They are also preventable. Network security engineers can eliminate default configurations in software and appliances, renew out-of-date certificates, retire insecure legacy protocols, and enforce proper separation of user and administrator privileges.

Software manufacturers can play an important role in preventing security misconfigurations, but it is also crucial that organizations validate their own security in light of the misconfigurations listed above. Learning from the way that hackers leverage these misconfigurations is also key - which is why no security posture is complete unless it takes into account what malicious actors look for and how they operate.

At Hadrian, we weave the hacker mindset throughout our security tools so we can test, validate, and fine-tune your network security. If you have misconfigurations in your network, our automated tools will find them and remediate them before a hacker has the chance to leverage them as part of their latest exploit.
