Silverfort Researchers Discover an Authentication Bypass Vulnerability in Palo Alto Networks PAN-OS [CVE-2020-2002]

Palo Alto Networks published an advisory about a KDC-spoofing vulnerability in PAN-OS that was discovered and responsibly disclosed to Palo Alto Networks by Silverfort researchers Yoav Iellin, Yaron Kassner and Rotem Zach. The vulnerability affected all supported versions of PAN-OS and all interfaces that used a Kerberos authentication profile. After the disclosure, Palo Alto Networks fixed all supported versions of PAN-OS and published an advisory about it. The vulnerability can allow an attacker to bypass Kerberos authentication to PAN-OS and gain access to the PAN-OS administrative interfaces, as well as to authenticate to firewall sessions through the captive portal. This vulnerability is similar to a KDC spoofing vulnerability our researchers discovered in Cisco ASA. It seems that the implementation of the ...

Silverfort Researchers: Kerberos Exploit Can Bypass Authentication to Cisco ASA [CVE-2020-3125]

Security researchers at Silverfort, provider of an agentless authentication platform, identified a severe vulnerability that can enable hackers to gain control over Cisco Adaptive Security Appliance (ASA). All ASA versions are affected. After Silverfort disclosed the vulnerability to Cisco, Cisco fixed all supported versions of ASA and published an advisory on it. The vulnerability (CVE-2020-3125) was assigned a CVSS score of 8.1 out of 10, which is considered “High,” because it can allow an attacker to bypass Kerberos authentication to Cisco ASA. The Silverfort researchers credited with discovering the vulnerability are Yoav Iellin, Yaron Kassner, Dor Segal and Rotem Zach. Cisco fixed this vulnerability in all versions of ASA. We highly recommend enterprises upgrade to the latest ASA versions to protect against an ...

Patternless Detection of Lateral Movement Attacks

Lateral movement refers to the techniques adversaries use after gaining initial access to a network to progressively move through it in search of target assets and data. Lateral movement is notoriously hard to detect and block because it involves the compromise of legitimate user accounts, privileged accounts and devices. These attacks are typically carried out using a number of different techniques. Some of the most popular are credential theft and Pass the Hash (PtH), in which the adversary exploits non-sensitive machines that hold credentials of other accounts. These credentials may then be used to gain direct or indirect access to target systems. This blog will explain one of the methods we at Silverfort use to uniquely identify and protect against these attacks. This method does not assume that known attack patterns were used. Instead, it ...

The Hidden Dangers of Shadow Admins

Shadow Admin accounts are user accounts that have sensitive privileges, not because they are members of a privileged Active Directory (AD) group, but because they were inadvertently assigned permissions that allow them to take over other privileged accounts and leverage those accounts to reach and compromise their target systems. If a Shadow Admin account is compromised, it can be very risky for the organization: these user accounts can be used to compromise additional accounts and gain administrative privileges. Yet identifying these accounts and restricting their access is not a trivial task. A Deeper Look at Shadow Admins: A Shadow Admin is a user who is not a member of AD administrative groups like Domain Admins, Enterprise Admins, Schema Admins, Administrators, etc. Yet this user will have rights to some sort of ...

Silverfort Named Winner of the PCI 2020 Awards for Excellence

Silverfort has been named a winner of the PCI 2020 Awards for Excellence at this year’s prestigious PCI London event. The AKJ Associates’ fourth annual PCI Awards for Excellence recognize and honor the industry’s most outstanding examples of best practice in payment security and PCI DSS projects and implementations. The award was presented to Silverfort at the PCI London 2020 event in recognition of its agentless authentication platform, which enables customers to meet PCI DSS requirements for enforcing Multi-Factor Authentication to secure privileged access to the CDE (Cardholder Data Environment) – without requiring code changes or software agents on CDE systems, and without deploying proxies in the network. Silverfort introduced a real-life PCI DSS project, successfully implemented for BlueSnap – a global payment company ...

Reducing the Password Footprint in a Windows Environment

The word password-less gets thrown around a lot lately, and while everybody is talking about it, I haven’t met any enterprises that actually managed to eliminate passwords. Eliminating passwords is a big challenge, and I believe big challenges should be solved in small steps. So in this blog post, I will suggest a series of recommended steps that would help enterprises eliminate passwords. Frankly, this isn’t something I would recommend to every enterprise – it’s a lot to take on. But the first steps should be practical for everybody, and should already be enough to relieve most of the pain inflicted by passwords while strengthening the organisation’s security. Can We Just Get Rid of Passwords? Let’s start with a thought experiment: what would happen if you got rid of password complexity requirements in the enterprise or if you removed the requirement to change ...

Security Advisory: Vulnerability in Citrix Application Delivery Controller and Citrix Gateway leading to arbitrary code execution (CVE-2019-19781)

A recently identified vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, allows an unauthenticated attacker, if it is exploited, to perform arbitrary code execution. The vulnerability has been assigned the CVE number CVE-2019-19781. It is estimated that about 80K organizations are impacted. There is no patch available yet, but Citrix has published recommended mitigations. For Silverfort customers, we recommend the following additional precautionary measures on top of the ones recommended by Citrix, to ensure that an already compromised device is not used for unauthorized access. Here are the recommended mitigation steps for Citrix ADC or Citrix Gateway users: Subscribe to the Citrix alerts so you will know when the fixed firmware is released: ...

Detecting and Predicting Malicious Access in Enterprise Networks Using the Louvain Community Detection Algorithm

Many data breaches start with gaining access to an insignificant computer and propagate by jumping from one computer to another until reaching the valuable ‘crown jewels’, like admin credentials, information about an important DB holding customer data, and more. Detecting and preventing these attacks is a very complicated task for security professionals, since the number of possible attack paths is extremely high and networks change frequently (new entities are added or removed, permissions are changed, etc.). Most techniques for detecting attacks are based on recognition of known malicious patterns, but for complex attacks this is no longer enough. When an attack has no known, recognizable pattern, it is extremely hard to detect. Our initial attempts with attack detection: Since Silverfort analyzes authentication and ...

Blocking Office365 Attacks (CVE-2017-11774) with MFA

US Cyber Command has recently published a security alert on Twitter regarding abuse of an Outlook vulnerability: https://twitter.com/CNMF_VirusAlert/status/1146130046127681536. This vulnerability was originally found and reported by SensePost back in 2017 – see here: https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/ A patch has been available since then, but the vulnerability is still being actively abused. How does it Work? It is an interesting attack vector, allowing remote code execution (RCE) given compromised Office 365 credentials: The exploit takes advantage of a feature of Outlook’s Home Page, which can open a web page each time a folder is opened in Outlook. Why would you want to do this? One example floating online is to have a quick link to SharePoint from inside the Outlook application. The is a ...

Zero-Touch Secure Authentication for ‘Lift-and-Shift’ Cloud Migrations

With data breaches appearing in the headlines almost daily, many have concerns about cloud security. There is no doubt that trends like cloud, IoT and BYOD are changing our networks, dissolving the perimeters we used to have. In this reality, ensuring the security of enterprise systems that are migrated to the cloud can be a challenge and, in some cases, puts the migration of homegrown and legacy systems on hold. When planning to migrate a homegrown or legacy application to the cloud, many organizations choose the ‘lift and shift’ approach. The advantages of the ‘Lift-and-Shift’ approach are clear: the application and its associated data are migrated to the cloud with minimal or no changes. You “lifted” the application from its existing environment and “shifted” it as-is to the cloud. This means that there ...

How Silverfort Overcomes the New Lock Screen Bypass Vulnerability (CVE-2019-9510)

Last week, CERT released an advisory about a Windows vulnerability (CVE-2019-9510) that effectively allows bypassing Multi-Factor Authentication (MFA) to Windows servers. Microsoft was quick to dismiss the vulnerability. But however you look at it, with most MFA solutions, locked remote desktops can be unlocked due to this vulnerability without using MFA, even if MFA is enforced on the server. CERT said that there is no practical solution to the problem and recommended a few workarounds. In this post, we show how Silverfort can be used to overcome this vulnerability. The Vulnerability Explained: The vulnerability is a result of a new behaviour of the RDP reconnection feature in Windows 10 1803 and Windows Server 2019. If Network Level Authentication (NLA) is enforced, the following sequence of events triggers the vulnerability: ...

The ‘BlueKeep’ Vulnerability: Keeping Your Systems Secure

On May 14th, 2019 Microsoft issued a patch against the so-called BlueKeep vulnerability, which is also known as CVE-2019-0708. The patch fixes a critical Remote Code Execution vulnerability. According to Microsoft: “This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.” [1] (Microsoft TechNet announcement about the patch for fixing CVE-2019-0708.) Microsoft was quick to release the patch and is putting major effort into making sure its customers patch their systems. The severity of this vulnerability drove Microsoft to take the unusual step of issuing ...

Silverfort Named a Gartner Cool Vendor in Identity and Access Management

Gartner has just named Silverfort a “Cool Vendor” in Identity and Access Management (IAM). Needless to say, we are thrilled and very honored to receive such recognition. Gartner’s report explains that “Digital businesses must achieve a great user experience, and support digital transformation and optimization as well as the shift of workloads to the cloud.” We completely agree. Corporate networks are going through dramatic changes in recent years, due to IT revolutions such as the cloud, Internet of Things (IoT), Bring Your Own Device (BYOD) and more. In this new reality, with countless devices and services that are all connected to each other without clear perimeters, traditional authentication solutions become irrelevant, and a new approach is needed. What's So Cool About Silverfort? We attribute Silverfort’s rise as a Next-Generation ...

Passwords: Can’t Rely On Them, Can’t Live Without Them…

May 2nd, 2019 is National Password Day - a good opportunity to discuss our ‘love-hate’ relationship with passwords. There are many reasons why we can’t rely on password-only authentication mechanisms. Yet we can’t really get rid of them either. Let me explain: The Problems with Passwords: When users are asked to create passwords – whether they are opening new accounts or changing passwords of existing accounts – they are likely to choose passwords they can remember. The problem is that many users choose weak passwords that can be easily guessed. A recently published list of the most commonly used passwords in 2018 shows a grim picture. It claims the most commonly used password is ‘123456’, and the 2nd spot is the obvious choice, ‘password’. True, some people use stronger passwords. However, many reuse the same password across multiple systems ...

3 Ways Agentless MFA Successfully Tackles PCI DSS 8.3.1 Challenges

One of the most common questions we get from customers concerns requirement 8.3.1 of PCI DSS v3.2: In its latest revision, PCI extends MFA as a requirement to all personnel with administrative access (console and non-console), in addition to any personnel with remote access to the Cardholder Data Environment (CDE). The requirement to secure all administrative access to the CDE with MFA should come as no surprise. After all, most data breaches in the retail sector involve unauthorized access to the cardholder data environment. PCI explains that the effectiveness of passwords as an authentication mechanism is questionable, and therefore additional security measures are required. In fact, in an interview with Troy Leach, PCI Security Standards Council Chief Technology Officer, he explains: "The most important point is that the change ...

Simplify and Strengthen Authentication to CyberArk with Silverfort’s Agentless MFA

We are proud to announce Silverfort’s integration with CyberArk. The joint Silverfort and CyberArk Privileged Access Security Solution enables our joint customers to simplify and secure privileged access with an agentless MFA platform. Since the solution was made available on the CyberArk Marketplace, many customers have expressed their interest and the overall market response has been very positive. “Silverfort’s Agentless MFA solution provides out-of-the-box protection for the CyberArk Privileged Access Security Solution,” says Silverfort’s CEO Hed Kovetz. “Not only does it enable our customers to easily strengthen secure access, it also simplifies user workflows, delivering tremendous value to our customers.” Why are customers so excited about the offering? Customers are excited about Silverfort’s MFA offering ...

The Importance of Context-Aware IAM and Continuous Risk and Trust Analysis – Notes from Gartner IAM summit

Earlier this month I attended the Gartner Identity and Access Management Summit 2018 in Las Vegas. The summit was a great opportunity to meet with our customers and partners, as well as to spend time with Gartner analysts. There were many interesting sessions delivered by analysts, vendors and end-users, sharing experiences and discussing best practices and recommended strategies - I wish I had time to attend more of the sessions. Nevertheless, I was able to attend some of them. Here are my notes: Concerns about identity-based attacks are driving both identity and security teams to search for solutions that can better adapt to today’s evolving threat landscape. According to Gartner’s Mary Ruddy and Gregg Kreizman, improving security and access controls is not just about technologies, but also requires adopting a new mindset and new processes which ...

How to Stop Iranian ‘SamSam’ Hackers from Taking your Network for Ransom

SamSam – sounds cute, right? Well, it’s not. SamSam is a destructive ransomware that affected more than 200 victims across the US, including hospitals, city governments and other organizations, in 2018. On November 28, the US Department of Justice charged two Iranian nationals with computer hacking offenses in connection with the global SamSam ransomware outbreak. The alleged criminals are currently in Iran, out of the reach of US law enforcement, and I doubt the two suspects will travel to the U.S. to face questioning. I also doubt that these attacks will stop. So, it’s important to understand how this attack operates and implement some protective measures. Compromising the First Endpoint: SamSam targets computers whose remote desktop is exposed to the internet. Finding such endpoints is super easy: free tools like Shodan can ...

It’s Time to Add MFA to Our Critical Infrastructure

November is National Critical Infrastructure Security and Resilience Month, so I thought it would be a great opportunity to discuss some of the security challenges concerning critical infrastructure, specifically the weak access controls in sensitive operational technology (OT) environments. Strong authentication is an essential requirement for critical infrastructure: When defending critical infrastructure, it is necessary to authenticate the identity of any individual, device or machine that requires access to sensitive networks, facilities or information. Poor authentication mechanisms are commonly exploited by adversaries seeking to gain access to, and control over, sensitive systems. One would expect that access to these systems is limited to authorized users. However, these environments have an inherent vulnerability - weak access ...

Rethinking MFA

We all dream of a world where we can trust everyone who accesses our corporate resources - but the reality is different. Adversaries are constantly trying to breach our systems and access our sensitive data, using our vulnerable authentication mechanisms against us. The problems of password authentication have been known for decades. The introduction of multi-factor authentication was the first major step towards strengthening authentication. Today, MFA is used by almost all enterprises in some capacity, yet it still protects only a small portion of our sensitive assets. This must make you wonder - if the problem is well known and the solution is available, why aren’t we using MFA to protect all systems? Why do we still rely on passwords so much? This is especially alarming considering that the use of compromised passwords in data breaches is growing from year ...