SCCM - Microsoft's Native C2
A lot of hype has come out around System Center Configuration Manager (SCCM), Microsoft's software management suite that allows administra
This year has been a hurricane of debris hitting anyone in the cybersecurity space. It's been extremely active for a large majority of the year, from the coattails of the SolarWinds and FireEye breach at the end of 2020, pushing into a global Exchange attack at the start of 2021 that continues to haunt some companies, as Exchange continues to be the gift that keeps on giving. We've had some critical Microsoft vulnerabilities drop over the summer and into the fall, and now here we are ending the year with Log4j, which has a huge surface area and has impacted almost every industry. I wanted to take a moment to post a final blog update for 2021 going over some of the big-ticket items I dealt with over the year.
In January, Orange Tsai and the DEVCORE team reported the ProxyLogon CVE chain via the MSRC portal. Not long after, the exploits were seen in use in the wild after a leak occurred. These were used to breach a large number of publicly exposed Exchange servers by dropping webshells onto the host, which usually ran with System or Admin privileges. Given the permissions on-prem Exchange servers are usually granted to the DC, this allowed threat actors to move laterally in the environment or pull sensitive information from the email server and use it as a base of operations for internal phishing. Patches were provided in March for these CVEs, but Exchange would return later in the year to provide even more fun with the ProxyShell upgrade, allowing RCE once again against Exchange servers in October, which continues to impact businesses that have failed to apply the latest patches, especially at the hands of ransomware operators. If I can provide any insight for 2022, I can assure you that Exchange is not going to stay quiet. Refer to some of the links below for more details. Looking back to when these dropped, I was still working as a threat analyst, and I remember working 12+ hour days during the peak of the attacks. Remember to keep your SOC and NOC workers in mind during these upcoming holidays, as they are the backbone of your network during the usual ramped-up attacks while others enjoy the time off!
During the summer months, Microsoft had several CVEs drop for the print spooler service and for mshtml. These allowed a large range of attack paths, from privilege escalation to initial code execution. First dubbed PrintNightmare (CVE-2021-34527), it was followed by several rounds of print spooler based CVEs in July that allowed an attacker to escalate to System rights from a low-privilege user. Tons of researchers created PoCs to showcase these, and Microsoft was finally able to get patches out by August. Just as that was winding down, CVE-2021-40444 dropped, allowing attackers to send crafted payloads that would execute initial droppers with very little to no user interaction. These were once again used in the wild to breach companies via their users. This continues to show the importance of educating users to be wary of unsolicited email content or files from both outside and even inside sources. Special mentions go to CVE-2021-42287 and CVE-2021-42278, also called NoPac, which allowed domain-based privilege escalation from a normal domain user to domain admin with ease. Red teamers and ransom operators rejoiced! Make sure to add some coffee and hugs for your blue team members!
Earlier this month, an exploit for the very popular and common Apache logging library Log4j gained public traction and took the cybersecurity space by storm, overshadowing even the Patch Tuesday releases. Log4j is found in tons of different applications from various vendors, in everything from a hobby GitHub project to full enterprise applications that you may not even know are running it. The attack surface was huge because basically any user input could be used to trigger the server running the library to make a callback to a malicious server, even on servers that are not publicly exposed. Several version updates have been released to deal with the exploit, with the latest, 2.17, the recommended patch to avoid current exploitation. I feel we will continue to see Log4j around for the foreseeable future. I encourage you to identify and patch anything that may even use the library, as these are being heavily scanned for by botnets and threat actors looking for an easy win. Initial attacks were installing miners, but ransom groups have begun to use the exploit for initial access. A lot of work has been put in by SOC and research teams this year, and I encourage you to give them a kind word and any help you can offer.
As the majority of people wind down for vacations or holiday traditions, many will continue to work over the holidays to perform vital job duties. Make sure to take time off when you can to recover from the extra hours and mental tax that come with working during such active times. For 2022, I predict we will continue to see ransomware trending, but hopefully, with the increased government focus now on these groups, it will at least begin to flatline if handled correctly by companies and legislation. It's a very hard problem to solve, with many different approaches to solving it. As for my own goals for 2022, I plan on continuing to improve my skills and knowledge. I'd like to continue to learn Golang and maybe Rust, possibly look for another certification to grab, and provide useful research for our customers and the community. Another goal is to further improve my networking and build out my website. I'd like to thank everyone who has provided help or guidance this year and wish you all a