FVM will include the Microsoft Patch Tuesday checks in the NIRV 4.56.0 and FVM Agent 2.17.

• Microsoft addressed 70 vulnerabilities this release, including 16 rated as Critical.
• CVE-2024-49138 - Microsoft has disclosed an actively exploited vulnerability that allows attackers to gain SYSTEM privileges on Windows devices. No further information is provided from Microsoft on how the security vulnerability was exploited in attacks at this moment.

Fortra VM will include the Microsoft Patch Tuesday checks in the NIRV 4.54.0 and FVM Agent 2.15 releases.

• Microsoft addressed 89 vulnerabilities in this release, including 4 rated as Critical and 51 Remote Code Execution vulnerabilities.
• This release also includes fixes for two vulnerabilities that have been publicly disclosed and exploited in the wild.
  • CVE-2024-43451 NTLM Hash Disclosure Spoofing Vulnerability
    • When a user interacts with a malicious file, their NTLMv2 hash could be disclosed.
  • CVE-2024-49039 Windows Task Scheduler Elevation of Privilege Vulnerability
    • An attacker could elevate privileges via running a crafted application.
  • In addition, this release includes another publicly disclosed vulnerability.
    • CVE-2024-49040 Microsoft Exchange Server Spoofing Vulnerability
      • An attacker could spoof a forged email sender as legitimate via a crafted P2 FROM header.

How many user accounts do you have? Emails, social media, online shopping, streaming services—and that doesn’t even begin to account for professional logins. By the time you add them all up, it’s likely one hundred or more unique accounts.

According to NordPass, the average user maintains an average of 168 logins for personal purposes, and no less than 87 for the workplace. This is an extraordinary amount to keep safe, and threat actors realize that it’s only a matter of time before users make a wrong move and enter those credentials somewhere they’re not supposed to. And this is why, inevitably, they manage to swipe a pair (or two) and sneak into an undisclosed network.  

When those instances occur, and a team is effectively dealing with a rogue insider threat (even though the insider is nothing more than a threat actor who’s compromised a legitimate account), organizations can be prepared to handle that exact circumstance. Solutions like penetration testing and red teaming help security teams see what an attacker sees, look for what they would look for, and shore up those weaknesses that they would otherwise exploit.  

In that spirit, here are a few tips to proactively harden your environment against compromised credentials.  

Compromised Credentials: What’s At Stake

In a word: everything. Credentials might not be the “keys to the kingdom,” but they can certainly help to unlock the door. Once compromised, cybercriminals can gain entrance both easily and undetected, wreaking as much havoc as a malicious insider – maybe more.  

Not only can attackers access everything your employees can, but what’s worse, they can do it without being noticed. Since they got in (and are snooping around) on a legitimate account, a lot of security solutions won’t flag their nosy deeds until much further down the line (probably when it’s too late). If the attacker is accessing things that user is “supposed to access,” there’s no anomaly and no clock on the dwell time.  

They could even exfiltrate sensitive data (to which the user has legitimate access) and make a clean escape. So, in other words, compromised credentials give cybercriminals something of a “license to do evil,” making their subsequent actions all the more dangerous. 

Pen Testing vs. Compromised Credentials

Granted, when we think of “stolen passwords,” we may not immediately think of penetration testing as an intuitive source of defense. But maybe we should.  

Credentials get stolen because there is a chink in the armor. Some weakness went undiscovered and was eventually exploited by attackers. Pen testing can help identify weak or compromised credentials, as well as weak authentication (e.g., lack of MFA, or other brute force protection mechanisms). This helps prevent ransomware attacks, password spraying, and other exploits that target low-hanging fruit.  

For example, pen testers can simulate tactics such as credential stuffing, a common attack type targeting reused passwords. By injecting credentials swiped in a breach on one system into a login for another system, many pen testers (and more nefariously, threat actors) gain access to multiple accounts. This happens when the user has used the same username, password, or both on more than one occasion, which is why it is important to utilize a password manager that can generate strong, distinct passwords for every new site – and keep track of them all.  

Additionally, pen testing can help provide insight into what could happen after credentials are stolen. These internal pen tests can demonstrate how threat actors can find and exploit vulnerabilities within a system, like outdated software, misconfigurations, or weak access controls. For example, an internal pen tester with basic credentials could exploit unpatched software to gain access to escalate their privileges and gain access to sensitive data. Since the perimeter is never impenetrable, these tests can help organizations close gaps internally to ensure that a breach causes limited damage.  

Red Teaming vs. Compromised Credentials

Red team engagements put your enterprise to the test in other ways, essentially testing everything to give your detection and response strategy a comprehensive shake-down. Red teaming helps ensure that a team can detect, contain, and respond effectively to threats. The findings can inform the improvement of security policies and procedures, including the Blue Team’s detection and response.  

Why is this beneficial to keeping credentials safe? For the same reason. These are some of the tactics an adversary would employ to pilfer your passwords in the first place:

• Social engineering | Tricking users into giving away valuable information by gaining their trust, intimidating them, or otherwise outwitting them online, getting them to act of their own accord in data-compromising scenarios.  
• Brute force attempts | Guessing (often methodically, using a tool) every possible combination of a credential until finally getting it right.  
• Cross-site scripting (XSS) attacks | When a threat actor inserts a malicious client-side script into a web page which will execute when the user loads the site.  
• Malware | A hazardous program designed to contaminate a network, file, or application, often with the intent to exfiltrate data or compromise a system.  
• Password cracking | Using a specially designed application to decipher a password, either to recover it or allow an unauthorized party to discover it.  

Red team engagements can also provide “assumed breach” scenarios to focus on post-exploitation activities. While pen tests have a limited scope to fully document the weaknesses within a single system or network, red teaming is more goal focused, allowing them to demonstrate how an attacker could potentially gain full control. These scenarios can often reveal misconfigurations in internal systems, weak access controls between network segments, or blind spots in security monitoring. The trick is to “hack yourself” first to test how well your security team identifies the infiltration and whether response measures are effective so when cybercriminals come along, they won’t be able to linger long enough to do real damage.

Fortra Pen Testing, Red Teaming, and More

Fortra offers a comprehensive suite of offensive security tools and services for getting the job done and keeping your credentials safe. It includes:

• Penetration Testing | Exploit the top vulnerabilities on your list and see if they’re that big of a problem – or if they’re worse.
  • Core Impact penetration testing software uses accessible automations to enable security teams to efficiently conduct advanced penetration tests.
  • The Core Security Services team (SCS) delivers expert security assessments, penetration tests, and red teaming exercises to help proactively improve your security stance.
• Red Teaming | Put everything else in your enterprise to the test – your network, integrations, EDR and XDR tools, employees, and even your SOC.
  • Cobalt Strike software replicates the techniques of advanced attackers in your environment.  
  • Outflank Security Tooling (OST) is a set of evasive attack simulation solutions made “by Red Teamers, for Red Teams,” some of which are too potent for public release.
  • In addition to Core Security Services, Outflank also offers red teaming services to manage your entire red team engagement using their years of offensive security experience, research, and deep knowledge of offensive security techniques and tooling.  
• Network and Application Security Tools | Find code weaknesses that could be used to leverage further entry.
  • BeSTORM  is a DAST solution that determines weaknesses in a product’s security after it has rolled off the line, without access to its source code, to catch threats only found in a dynamic application.  

The more you test your defenses, the more you’ll find mistakes – but don’t worry, that’s the whole point. Many practitioners prefer to stick their heads in the sand and not test because they’re afraid of what they might see (and how it will make them look to higher-ups). Or they’re afraid that they’ll find too many errors and not know where to begin.  

Fortra’s wide range of offensive security techniques and tools can help you harden your environment against credential-based attacks. By helping you gain visibility into your environment, think like an attacker, and attack like a sophisticated threat actor, it can help you spot the same weaknesses they will see – only while you still have time to do something about them.  Contact a Fortra expert today to get started.  

Most ransomware prevention advice focuses on antivirus software and other defenses, such as having good detection and response (DR) mechanisms. All of these are important. But with the advanced level of ransomware today, you also need to take measures that test your defenses and DR strategies to ensure the measures you have in place will hold up to a real-life advanced attack.  

“It works in theory…” 

A restaurant wouldn’t serve a recipe without testing it. Automobile manufacturers wouldn’t sell a car without crash testing it. And companies responsible for safeguarding sensitive and legally protected personal information (or intellectual property, proprietary data or business-critical assets) shouldn’t stake their reputation on security defenses that they haven’t tested either.  

The bottom line is, you don’t know what you don’t know. Testing your defenses with simulated attacks and targeted exploits increases the likelihood that you’ll uncover weak spots you didn’t know you had.  Find those issues before attackers find them for you.  Cover your bases. Protect your reputation, position, and compliance standing – not to mention all that sensitive information – and make it a habit to test every new security strategy you implement. 

 An offensive security program (vulnerability management, penetration testing, red teaming) should be engaged on a regular basis. Vulnerability management solutions are typically automated, allowing organizations ongoing visibility. But this should always be paired with pen testing and red team engagements that are performed on a regular basis. Every quarter is optimal, every half is acceptable, every year is mandatory – and maybe a little too late, given the rapid evolution of ransomware today.  

Ransomware Isn’t Slowing Down 

Ransomware is an ever-evolving craft and one that threat actors are not getting tired of anytime soon. Now, thanks to advancements in artificial intelligence, a whole new world of creative ransomware endeavors has opened, and organizations need new tools, systems, and commitment to deal with it - and a lot of other negative changes. Here are some: 

• Generative AI-based attacks | The UK’s National Cyber Security Centre (NCSC) published a paper in January linking AI to higher ransomware rates. The report states that “AI lowers the barrier for novice cyber criminals, hackers-for-hire and hacktivists to carry out effective access and information gathering operations. This enhanced access will likely contribute to the global ransomware threat over the next two years.” 
• Evolving phishing techniques | 81% of security professionals billed phishing as the top threat in 2024, according to the 2024 Fortra State of Cybersecurity Survey. According to a 2022 study, of the 26% that experienced an increase in malicious emails, 88% were victimized by ransomware. 
• Social engineering deep fakes | Using deep fakes in social engineering attacks is a tactic that could yield potentially disastrous results, especially given the effectiveness of generative AI. Imagine getting a fake video recording of a call with your boss, who asks that everyone watching navigate to a certain site to see the new Q2 sales figure – only when you click the link, your machine gets infected with malware instead. That’s the power of deep fakes to spread ransomware.  

Plus, crucial industries like healthcare, energy, and the public sector at large are also increasingly at risk.  

• Healthcare | A 2024 study revealed that 20% of healthcare companies’ data holdings are impacted in a ransomware attack. 
• Critical infrastructure | In 2023, 67% of critical infrastructure organizations across oil, energy, and utilities suffered a ransomware attack.
• Government | On average, government and education pay significantly higher ransom sums compared to other sectors, with some paying upwards of $6 million.  

Ransomware attacks are increasing in size and scope, as well as the potential to damage critical areas, especially in sectors where digitization is still comparatively new or disjointed (healthcare, education, local municipalities, and small utilities). These sectors are tantalizing targets for attackers who know that their defenses are often not fully matured, and so battle-testing them becomes more important than ever.  

Be Battle Ready 

Thankfully, testing your network’s security defenses doesn’t need to be hard, no matter your skill level. Fortra has managed options and advanced technologies that empower your team to execute vulnerability scanning, penetration testing, and red teaming. 

We know that we’re in the midst of an ongoing cyber talent crisis (and probably will be for a while), so we’ve adapted our solutions to meet SOCs where they are.  

• Vulnerability Management | Don’t have time to figure out which vulnerabilities to address first? Fortra’s vulnerability management solutions not only uncover weak spots but let you know which ones are the highest risk to your assets so you can prioritize limited remediation resources appropriately.  
• Penetration Testing | Don’t have the resources to perform lengthy penetration tests? Our Core Impact solution provides you with training resources and technology that help simplify the process so your existing staff can easily upskill and perform these tests for you.   
• Red Team Engagements |Does your red team need tools that are flexible and powerful? Fortra’s Cobalt Strike provides malleable C2 for your team to create the specific engagements they need while Outflank provides you with additional advanced exploits, some “too powerful for public release,” to put your detection and response through its paces. 

Preparing for a ransomware attack is a two-part process. Yes, you need quality antivirus solutions and network detection and response tools in place. But you also have to make sure they all come together and work under pressure, that your team runs the right fire drills, and that your whole security strategy – solutions and SOC – is always prepared, because you never know when and how ransomware could strike.  

In this demo we show you the features and functionality of Fortra VM, which are designed to strengthen and streamline your security efforts. Fortra VM helps you identify and prioritize which weaknesses are the greatest risk to your organization so you can accelerate critical time-to-remediation. 

Fortra VM will include the Microsoft Patch Tuesday checks in the NIRV 4.52.0 and FVM Agent 2.13 releases.

• Microsoft addressed 117 vulnerabilities in this release, including 3 rated as Critical and 43 Remote Code Execution vulnerabilities.
• This release also includes fixes for two vulnerabilities that have been exploited in the wild.
  • CVE-2024-43572 Microsoft Management Console Remote Code Execution Vulnerability
    • This update prevents untrusted MSC files from being opened.
  • CVE-2024-43573 Windows MSHTML Platform Spoofing Vulnerability
    • This is a cross-site scripting vulnerability.

About the Author

Mieng Lim, Vice President, Product Management has served as a security expert for Digital Defense, Inc. since 2001. Mieng takes a consultative approach to security having held prior roles in Operations, Quality Assurance and Sales Engineering. Mieng seamlessly blends technical expertise with real world scenarios to provide an entertaining and educational cyber security perspective. Mieng serves a mentor and STEM advocate encouraging young women to pursue careers in security and technology and volunteers with BSides San Antonio as a staff member. Mieng holds a Bachelor’s Degree in Computer Science with Minor in Sociology from Trinity University. 

Fortra VM will include the Microsoft Patch Tuesday checks in the NIRV 4.50.0 and FVM Agent 2.11 releases.

• Microsoft addressed 79 vulnerabilities in this release, including 7 rated as Critical and 23 Remote Code Execution vulnerabilities.
• This release also includes fixes for four vulnerabilities that have been exploited in the wild.
  • CVE-2024-38217 and CVE-2024-38226 are Security Feature Bypass vulnerabilities and CVE-2024-38014 is an Elevation of Privilege vulnerability.
  • Microsoft Windows Update Remote Code Execution Vulnerability (CVE-2024-43491)
    • This vulnerability only affects Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB. It resulted in some previously installed security updates, related to Optional Components, to be rolled back. According to Microsoft, there is no known exploitation of CVE-2024-43491, but there is for some of the CVEs included in previous security updates that were rolled back as a result of this vulnerability.