Do you ever find Microsoft documentation lacking? If you are curious about what effect the virtual groups NT AUTHORITY\SERVICE and NT SERVICE\ALL SERVICES have, then look no further. The two virtual service groups, and their missing descriptions in Microsoft documentation, were the starting point for this new tech blog.
The Fundamentals of AD tiering
Do you want to know more about AD Tiering but don’t know where to start? Discover the essentials of AD Tiering with Security Advisor Tobias Torp’s latest blog post. This introductory course covers the foundational theory behind tiering, its significance, and provides technical guidance on implementing basic tiering.
Access Granted: Strengthening Azure Security through Conditional Access Policies
Are you in control of who, what and where your data in your Microsoft environment can be accessed from? Have you prioritized security in your Azure Tenant configurations?
Implementing Conditional Access Policies in Azure can be a difficult but necessary task. Misconfigured policies which allow users to skip MFA or use legacy systems allow attackers to breach an organization more easily.
In this new blog, Security Advisor Jimmie Berk offers 10 Conditional Access Policy configurations to implement in your environment to protect your Azure Tenant from potential attacks.
Read the blog and check that you have implemented security best practices today.
Compromised Cloud Container Credentials: Azure Edition
The increasing adoption of Azure by enterprises has led to a growing use of Azure Container Registry (ACR). However, with the introduction of new resources, the security risk also increases.
When Improsec advisors look for vulnerabilities from a hacker’s perspective in our offensive services, we go beyond simple misconfigurations and actively explore potential avenues for exploitation. We often find clear-text credentials defined in environment variables and files on these images.
This new blog by Security Advisor Simon John Larsen explains how these images often contain valuable information, such as clear-text credentials or other sensitive data, that can be used to escalate privileges and carry out further attacks.
Read the full blog to learn how to download images from ACR with only “Reader” permission.
The risks of guest and collaboration settings in Azure
Seamless collaboration with other businesses is vital to the operation of most companies; therefore cloud platform vendors have embraced user-friendly collaboration tools and settings in their services, such as Azure B2B / Microsoft Entra B2B.
Unfortunately, the use of Azure B2B / Microsoft Entra B2B has introduced unintended security risks. These risks are related to Collaboration and Guest settings which, if not handled properly, could allow attackers to gain a foothold, escalate privileges and move laterally in the environment.
In this new blog, Security Advisor Jimmie Berk describes how collaboration settings can pose a significant security risk and provides recommendations on settings to mitigate these risks.
Say Goodbye to Bad Passwords: How Azure Active Directory Password Protection can save the day
How can companies fine-tune their password policies? In this new tech blog, Improsec Security Advisor Lasse Moisen explains Azure Active Directory Password Protection, including methods for identifying weak and shared passwords in both Azure AD and on-prem AD environments. He also covers how to create custom banned password lists that include company brand, product, and team names.
How I killed BT's payphone email service
Did you know that until recently you could send an email from the iconic payphones in the UK? This antiquated service was discontinued from all BT payphones this year thanks to Improsec Security Advisor Martin Sohn Christensen. On a trip to London, he discovered he could spoof the @bt.com address from the payphones and thereby undermine BT’s email security controls – SPF and DMARC. See how Martin did it here.
Basic Microsoft Active Directory Security - Identify and Prioritize Low-hanging Risks
Securing Microsoft Active Directory (AD) is essential for most businesses’ operations, as AD is the backbone of user access and authentication. In mainstream media a common headline is ransomware shutting down a company for weeks; this is almost always because an AD was compromised by an attacker.
Attackers take advantage of system administrators’ inability to identify, prioritize, and address security risks in their AD. This could be due to Microsoft's lengthy and often overwhelming documentation, or simply due to a lack of awareness of how easily it can be done.
In this new blog post, Security Advisor Martin Sohn Christensen provides system administrators with a starting point for securing their AD: how to identify and prioritize low-hanging security risks in AD.
Local privilege escalation vulnerabilities in PeaZip MSI installer
This blog describes two local privilege escalation (LPE) vulnerabilities in PeaZip, affecting versions up to 8.8.0. The vulnerabilities allow a low-privileged user to become NT AUTHORITY\SYSTEM.
Jump Host Best Practices
Because a jump host serves as an entry point to privileged resources, it is a highly sought-after target for adversaries. Therefore, it is important to have an increased focus on security. However, hardening the jump host itself is not enough; a holistic approach is needed. In this blog, Jakob Mollerup provides solid advice for jump host administrators to ensure continuous protection of their jump host system.
RESTing after implementing your API? Know the risks involved with exposing APIs
Emil recently noticed that APIs are often overlooked by IT professionals, who focus more on CVEs. However, as 80% of web traffic moves through an API, a misconfiguration can expose just as much sensitive data as a breach through a vulnerability. In this blog, he explains the importance of API security, common vulnerabilities, and best practices.
New Zero-Day Exploit Targets Microsoft Exchange Servers
A new zero-day Microsoft Exchange server vulnerability was disclosed by researchers from the Vietnamese cyber security vendor GTSC. GTSC reports that a Chinese threat actor group is exploiting a ProxyShell-like vulnerability that allows attackers to execute commands remotely on a compromised server. The attackers are chaining a pair of zero-days to deploy the China Chopper webshell for persistence and data theft, as well as to move laterally to other systems on the victim’s networks.
Deploying mail security in Microsoft Office 365
Storing Sensitive Data in Active Directory
Active Directory often acts as the primary data provider for connected systems, and for this to be possible across a large number of IT systems, a system-wide unique identifier for each identity is needed. Enter the Social Security Number (SSN), or CPR number in Denmark. As this number is unique for each person, many systems already use it as their primary unique identifier. So what’s not to like?
Well, without proper attention to AD configuration, all users can see the attributes of all other users. Protect your users from over-sharing and your company from GDPR breaches by reading this helpful blog.
Azure AD PIM as a Security Boundary
When conducting cloud assessments, we often see Privileged Identity Management (PIM) in Azure Active Directory being misconfigured. PIM offers an additional layer of security, but these misconfigurations could be abused by an attacker to promote themselves to privileged roles anyway, effectively bypassing the feature.
In this blog, Jeffrey Bencteux takes a deeper dive into how PIM could be abused by an attacker, and how to mitigate the associated risks.
Email Security Pitfalls
‘Email Security Pitfalls’, the third and last part of our blog series on email security, depicts common mail security pitfalls that Sebastian Andersen, Jeffrey Bencteux, and Martin Sohn Christensen have regularly been seeing on customer assessments. These mistakes usually expose the customer to a loss of confidentiality or increase the risk of an attacker being able to compromise the mail infrastructure.
Read here to discover what these risks are and how to detect and mitigate them to reduce the mail attack surface.
Phish'n'Chimps: mail spoofing via marketing and CRM platforms
‘Phish'n'Chimps: mail spoofing via marketing and CRM platforms’, the second part of a new blog series on email security issues, describes how insecure practices by services such as marketing and CRM platforms enable mail spoofing. Sebastian Andersen, Jeffrey Bencteux, and Martin Sohn Christensen discovered risks in Mailchimp and Outfunnel which were disclosed to the vendors but not addressed. Read here to learn which vulnerabilities they found, along with mitigations and advice for similar CRM platforms.
All Your SPF Includes Are Belong To Us
Email security issues are a considerable threat to organizations. In this new blog post series, Sebastian Sindlev Andersen, Jeffrey Bencteux, and Martin Sohn Christensen test possible email exploits and explain how to harden email security configurations against them. In their first post, they exploit SPF misconfigurations in several Danish public institutions' domains to impersonate email senders. Read the first post, ‘All Your SPF Includes Are Belong To Us’, and stay tuned for the second post on email spoofing via CRM and marketing platforms.
Mitigate ‘Follina’ Office Zero-Day Vulnerability CVE-2022-30190
A new critical vulnerability in the ms-msdt protocol handler lets attackers bypass security mechanisms to execute malicious code without user interaction. So far the vulnerability has been weaponized by attackers primarily through Word documents. With a crafted Follina RTF document, merely previewing the file runs the malicious code, with no clicking involved! Learn the current mitigation in this blog.
Multiple vulnerabilities in cifs-utils
We found and patched two bugs in cifs-utils, the userland tools for interacting with the CIFS (SMB) Linux implementation. Both bugs are in mount.cifs, the binary used to mount network shares from userland. One is a buffer overflow in the option parser; the other is a partial arbitrary file read due to overly verbose error messages.