Submitted URL: https://cmnbp04.na1.hubspotlinks.com/Btc/W1+113/cMnBp04/MW87rSCHjYFW5V5_sc77PfFKW5tZZwQ4zbL6YN7vvr0X3q90pV1-WJV7CgCjjVnDfyX3CccdkW4QQ...
Effective URL: https://www.neuralegion.com/blog/misconfiguration-attacks/?utm_campaign=Newsletter%202021&utm_medium=email&_hsmi=175996768&_...
Submission: On October 28 via api from SE — Scanned from DE
NeuraLegion Blog

Misconfiguration Attacks: 5 Real-Life Attacks and Lessons Learned
Admir Dizdar, October 4, 2021

What Are Misconfiguration Attacks?

Security misconfiguration vulnerabilities occur when an application component is exposed to attack as a result of an insecure configuration option or an outright misconfiguration. Misconfiguration vulnerabilities are configuration weaknesses that might exist in software subsystems or components. For instance, web server software might ship with default user accounts that an attacker could use to access the system, or the software might have a known set of standard configuration files or directories that an attacker could exploit. Furthermore, software might have vulnerable services enabled, such as remote administration operations.

Misconfiguration vulnerabilities leave your application open to attacks that target any component of the application stack. For instance, the following types of attacks can exploit misconfiguration vulnerabilities:
* Code injection
* Credential stuffing/brute force
* Buffer overflow
* Cross-site scripting (XSS)
* Command injection
* Forceful browsing

In this article:
* Examples of Real-Life Misconfiguration Attacks
  * NASA Exposed by Default Authorization Misconfiguration
  * Amazon S3 Misconfiguration Attacks
  * Citrix Attacked with Insecure Legacy Protocols
  * Mirai (未来)
  * Consent Phishing with OAuth in Office 365
* Common Mistakes That Lead to Security Misconfiguration
* How Can I Prevent Security Misconfigurations?
  * Education and Training
  * Encryption
  * Scanning
  * Least Privilege
  * Updating Software
  * Security Checklist
* Misconfiguration Attack Mitigation with NeuraLegion

5 Examples of Real-Life Misconfiguration Attacks

Here are some examples of misconfiguration attacks that occurred in the real world, and lessons you can learn from them to improve your organization's security.

1. NASA Exposed via Default Authorization Misconfiguration

A security researcher discovered a security misconfiguration in the collaboration tool JIRA. This single misconfiguration made many Fortune 500 companies (and NASA) vulnerable to a release of personal and corporate data. An authorization misconfiguration in the Global Permissions setting of Jira caused this data disclosure. When dashboards and filters for projects or issues were created in JIRA, the default visibility settings were "All users" and "Everyone". Rather than sharing roadmap tasks and the like within the organization, Jira shared them with the public.

Lesson learned: Review the sharing configuration of each SaaS product you use to make sure confidential data is not exposed publicly.
2. Amazon S3 Misconfiguration Attacks

Here are several organizations that experienced an attack on their Amazon S3 storage due to misconfigurations:

When      | Organization                                          | The Leak
Nov 2017  | Australian Broadcasting Corporation                   | Hashed passwords, internal resources, and keys were leaked.
Nov 2017  | United States Army Intelligence and Security Command  | Several files, including Oracle Virtual Appliance (.ova) volumes with portions marked top secret.
Sept 2017 | Accenture                                             | Authentication information, including certificates, plaintext passwords, keys, and sensitive customer information.

Lesson learned: Many organizations rely on Amazon S3 for data storage, including military and government agencies. Past security events show that exposed buckets are a pervasive problem, so S3 authorization should be carefully monitored.

3. Citrix Attacked with Insecure Legacy Protocols

A majority of Microsoft Office 365 and G Suite tenants have been the target of IMAP-based password-spraying attacks. The attackers target the insecure, legacy IMAP protocol to get past MFA settings and compromise cloud-based accounts, which in turn gives access to SaaS applications. Citrix, which specializes in federated architectures, was the target of such an attack. The FBI suggested that the attackers gained a foothold by password spraying and were then able to bypass other layers of security. The use of legacy protocols such as IMAP and POP makes it hard for system administrators to establish and enforce MFA. Shared mailboxes and service accounts are especially vulnerable, and it can be difficult to use MFA to protect G Suite and Office 365 accounts that use IMAP.

Lesson learned: Make sure that MFA is enforced for every user in every application, including super administrators.

4. Mirai (未来)

Mirai is a type of malware that infects network devices. After devices are infected, they can be remotely controlled by the operator, who uses them as bots that extend the power of a botnet.
Mirai targeted mainly IoT devices and managed to execute several high-profile attacks even after it was discovered in August 2016. Eventually, the creator (posting as Anna-senpai) released the code as open source, and the technique has since been used in other malware projects. Mirai managed to infect and run on CCTV cameras, home routers, and DVRs. It succeeded by trying commonly used passwords. This simple method enabled the Mirai botnet to produce 280 Gbps and 130 Mpps of DDoS capability and to attack the DNS provider Dyn. Mirai also rendered several notable sites inaccessible, including GitHub, Reddit, Airbnb, Netflix, and Twitter.

Lesson learned: Weak and default passwords are a common security misconfiguration. Threat actors actively look for systems and devices to attack, making use of lists of commonly used passwords and bots that can quickly try a large number of passwords.

5. Consent Phishing with OAuth in Office 365

Consent phishing is an attractive technique for attackers, who take advantage of the routine OAuth consent actions performed by users. OAuth is prone to implementation mistakes. When a victim grants consent to a misleading OAuth application, they authorize any number of malicious actions. Microsoft tells users to keep an eye out for deceptive OAuth applications to stay clear of such attacks. Many remote employees have experienced such attacks when using Office 365.

Lesson learned: Put in place a security process for onboarding new applications, and restrict user permissions by default for all applications.

Common Mistakes That Lead to Security Misconfiguration

Here are several common mistakes that lead to security misconfiguration:
* Failure to remove or disable unnecessary features: when you do not remove superfluous components, code samples or features, the application is left open to attack. Do not keep unnecessary ports open or unneeded services running. You should also make sure to delete accounts that are no longer needed.
* Using default accounts and passwords: devices and programs, including web applications and network devices, come with a set of default credentials that provide initial access to their owners. After gaining access, owners must change these passwords. Otherwise, attackers can use lists of common default credentials to brute-force the system and gain unauthorized access.
* Defining error messages that reveal too much information: default server configurations should not provide too much information in error messages. For example, an error message should not include detailed stack traces. These can expose sensitive information, such as the versions of the components in use, which attackers can use to search for exploitable flaws.
* Using old software versions and missing updates: outdated software can leave systems exposed to known vulnerabilities that may already have been patched. To be effective, patches must be applied on time.
* Misconfigured upgrades: to be truly effective, upgrades must be properly configured. Whether an upgrade includes security patches or new functionality, it must be configured and enabled correctly. To avoid misconfiguration, review each update to see exactly what changed and adjust your configuration accordingly.
* Misconfigured cloud systems: cloud providers are responsible for securing the underlying infrastructure. You are responsible for securing your own cloud resources, including workloads and data. A misconfigured cloud-based operating system, for example, can expose your virtual machines (VMs) or containers to attacks.

How Can I Prevent Security Misconfigurations?

There are several measures you can take to prevent misconfiguration attacks.

Education and Training

One of the most effective means of preventing security misconfiguration is training and educating your staff about the latest security trends. This allows them to make smarter decisions and adhere to best practices.
Encryption

Data exfiltration is a concern for many organizations. Sensitive or proprietary data in the hands of individuals with ill intent can lead to dramatic losses or embarrassment for an organization, both financially and in relation to personnel. Data is often an organization's most essential asset. Data-at-rest encryption can help protect files from exfiltration. You can also apply appropriate access controls to directories and files. These measures reduce the exposure of sensitive directories and files.

Scanning

Security scans are an automated method of finding vulnerabilities in systems. Running such scans on a regular schedule, and after architectural changes, is a significant step in reducing your overall exposure. If you deploy custom-written code, you should also use a static code security scanner, and do so before that code reaches the production environment.

Least Privilege

Only give users access to the information they absolutely need to do their jobs. This requires strong access controls, including strong credentials and two-factor authentication. You should also compartmentalize data. Ensure that administrators have separate accounts for when they are exercising their administrative rights and for when they are acting as regular users of the system.

Updating Software

The use of outdated software remains one of the most prevalent security weaknesses. Many companies do not appreciate the need to invest in current software versions and feel it is more cost-effective to keep using legacy software. However, using outdated software can place an organization at risk of losing assets, as well as the trust of its investors and customers. Establishing a consistent patch schedule and keeping software up to date is essential to reducing an organization's threat vectors.
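The scanning advice above applied to the exposure behind the Amazon S3 incidents earlier in the article, as an added example that is not the article's or NeuraLegion's code: a small audit of an S3 bucket policy and ACL for grants to everyone. The policy and ACL documents are constructed samples in the shapes the AWS APIs return; the bucket name, account id and VPC endpoint id are placeholders, and no AWS call is made.

```python
"""Added example (not NeuraLegion code): audit an S3 bucket policy and ACL for
grants that open the bucket to everyone. Inputs are constructed samples."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def _principals(principal):
    """Normalise the Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) to a list."""
    if principal == "*":
        return ["*"]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out

def public_policy_statements(policy):
    """Return Allow statements open to any principal. A Condition block is reported
    rather than assumed safe, because it may or may not actually restrict the grant."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "*" not in _principals(st.get("Principal", {})):
            continue
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        findings.append({"sid": st.get("Sid", "<no Sid>"), "actions": actions,
                         "conditional": "Condition" in st})
    return findings

def public_acl_grants(acl):
    """Return (group URI, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]

# Constructed sample policy: one unconditional public read, one wildcard principal
# limited by a VPC-endpoint condition, one grant to a specific role (placeholders).
SAMPLE_POLICY = json.loads("""{
 "Version": "2012-10-17",
 "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
  {"Sid": "Admin", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/admin"},
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}
 ]}""")
SAMPLE_ACL = {"Grants": [  # constructed ACL: owner plus a public READ grant
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}

if __name__ == "__main__":
    print(public_policy_statements(SAMPLE_POLICY), public_acl_grants(SAMPLE_ACL))
```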
Security Checklist

To ensure you have covered all your configuration security requirements, implement a checklist that incorporates the different measures you want to put in place. Based on the recommendations of security experts, a checklist like the following may help prevent security misconfiguration:
* Create a patching schedule and encrypt your data
* Ensure software is up to date and disable default accounts
* Implement reliable access controls
* Give administrators a routine process so they don't overlook items
* Establish secure settings in development frameworks to safeguard valuable assets
* Undertake system audits periodically and run security scanners

Misconfiguration Attack Mitigation with NeuraLegion

NeuraLegion's Nexploit automates the detection of misconfiguration and hundreds of other vulnerabilities in your web apps and APIs. Easily start a scan in minutes and get a false-positive-free report with clear remediation guidelines for your developers. Thanks to Nexploit's integration with ticketing tools, you can assign all the findings to team members and keep track of their resolution.

Try NeuraLegion's Nexploit for free: register for a Nexploit account.