Default Configurations: A Common Gateway for Threat Actors

Background

In our increasingly interconnected world, where technology is omnipresent, default configurations serve as the silent foundation upon which much of our digital infrastructure rests. These settings are intentionally designed to make initial setup and usage easier for users, but therein lies a hidden danger. Threat actors are exploiting these defaults with increasing frequency and sophistication, leaving organizations vulnerable to a wide array of security risks. Understanding the gravity of this issue and taking proactive steps to mitigate it has become paramount in the realm of cybersecurity.

Introduction

Default configurations are the settings that come pre-installed on hardware, software, and systems straight out of the box. While these defaults are essential for simplifying the user experience, they often prioritize convenience over security. Threat actors are acutely aware of this vulnerability, and they are adept at exploiting it to infiltrate systems, steal data, and wreak havoc.

Historical Default Configuration Risks

IoT Devices with Default Passwords: Many Internet of Things (IoT) devices, such as webcams and routers, used to come with default usernames and passwords. Attackers could easily access these devices if users didn’t change these defaults. The Mirai botnet, for instance, exploited default credentials to launch massive DDoS attacks.

Apache Struts Default Configuration: Apache Struts, a popular web application framework, had a default configuration that allowed for remote code execution. In 2017, the Equifax data breach occurred due to a vulnerability in Apache Struts, which was exploited because the company hadn’t properly configured the software.

Windows XP’s Default Firewall Settings: Windows XP, in its default configuration, had certain network ports open and services enabled that were vulnerable to remote attacks. This led to widespread security issues until users adjusted their firewall settings and Microsoft released patches.

MongoDB with No Access Control: MongoDB, a NoSQL database, used to have no authentication by default. If users didn’t configure access control properly, their databases were exposed to anyone on the internet, leading to data breaches.

Default FTP Settings: Some FTP (File Transfer Protocol) servers come with overly permissive default settings, allowing anonymous access to sensitive directories. This has led to unauthorized data access and theft in the past.

Bluetooth Device Pairing: Some Bluetooth devices used to have default PINs or no PIN requirements for pairing. This made it easier for attackers to pair with and potentially compromise devices.

WordPress Default Settings: WordPress, a popular content management system, used to have default settings that exposed sensitive information, such as version numbers and login URLs. Attackers could exploit these defaults to target WordPress sites.

Recent Default Configuration Concern

Microsoft Teams Default Setting: Microsoft Teams comes with a default setting that permits the receipt of files from external users, also known as “external tenants.” Malicious actors have identified an uncomplicated method for delivering malware through this channel. By making a subtle adjustment to the identification (ID) found within the POST request of a message, they can deceive the system into treating an external user as if they were an internal one. This manipulation creates a notable security loophole in the platform.

Default Configuration Risks

1. Unauthorized Access: Default usernames and passwords are often well-known or publicly available, allowing malicious actors to gain unauthorized access to systems and devices. This can lead to a range of issues, from data breaches to full system compromise.

2. Data Exposure: Misconfigured settings can inadvertently expose sensitive data, including personal information, financial records, and confidential business data. Attackers can exploit these exposures for their own gain or to damage an organization’s reputation.

3. System Compromise: Misconfigurations may leave unnecessary ports and services open, providing attackers with entry points for exploitation. Once inside, they can install malware, establish persistence, or launch further attacks.

4. Malware and Botnets: Systems with default misconfigurations can be vulnerable to malware infections, enabling attackers to distribute malicious software, create botnets, or launch attacks on other targets.

5. Denial of Service (DoS) Attacks: Misconfigured systems may be susceptible to DoS attacks, disrupting operations and causing financial losses.

6. Inadequate Authentication: Weak or ineffective authentication mechanisms due to misconfigurations can allow unauthorized users to gain elevated privileges or access sensitive resources. Software that trusts all certificates by default can be vulnerable to man-in-the-middle attacks.

7. Operational Disruption: Attacks on misconfigured systems can disrupt an organization’s operations, causing downtime, loss of productivity, and additional expenses.

8. Permissive Access Controls: Default configurations might allow excessive privileges or access rights to users or applications. This can lead to data leaks or unauthorized actions.

9. Logging and Monitoring: In some cases, default logging and monitoring settings might not be sufficient to detect and respond to security incidents effectively. Users often need to configure these settings to their specific needs.

10. Automatic Updates: While automatic updates are generally a good practice, some software might have default settings that don’t enable them. This can leave systems vulnerable to known security flaws.

Mitigation Factors

Mitigating the risks associated with default misconfigurations requires a proactive approach to cybersecurity:

1. Review and Change Defaults: Regularly review and change default settings on hardware, software, and systems to reduce exposure to known vulnerabilities.

2. Conduct Security Assessments: Perform regular security assessments and audits to identify misconfigurations and vulnerabilities before threat actors can exploit them.

3. Apply Patches and Updates: Keep systems up to date with security patches and updates to address known vulnerabilities and improve overall security.

4. Security Training: Provide security awareness training to personnel to ensure they understand the risks associated with default settings and know how to secure their devices and systems.

5. Best Practices: Implement security best practices, such as the principle of least privilege and the defense-in-depth strategy, to minimize the impact of default misconfigurations.

Conclusion

Once intended for user convenience, default configurations have become prime targets for threat actors seeking to exploit vulnerabilities. Recognizing these risks and taking proactive cybersecurity measures to counter default misconfigurations are now critical. Risks associated with defaults include unauthorized access, data exposure, system compromise, malware distribution, DoS attacks, weak authentication, operational disruptions, permissive access, inadequate logging, and outdated updates. Addressing this issue strengthens defenses and ensures a more secure digital future. Mitigation requires a proactive approach, including adjusting defaults, security assessments, timely updates, training, and best practices.

__________________________________________________________________________ 

CRITICALSTART® offers a pioneering solution to modern organizational challenges in aligning cyber protection with risk appetite through its Cyber Operations Risk & Response™ platform, award-winning Managed Detection and Response (MDR) services, and a dedicated human-led risk and security team. By providing continuous monitoring, mitigation, maturity assessments, and comprehensive threat intelligence research, they enable businesses to proactively protect critical assets with measurable ROI. Critical Start’s comprehensive approach allows organizations to achieve the highest level of cyber risk reduction for every dollar invested, aligning with their desired levels of risk tolerance.

References

1. https://www.rosesec.com/post/risk-of-default-configuration

2. https://www.darkreading.com/edge/theedge/6-dangerous-defaults-attackers-love-(and-you-should-know)/b/d-id/1338571

3. https://www.bleepingcomputer.com/news/security/new-tool-exploits-microsoft-teams-bug-to-send-malware-to-users/

4. https://reciprocity.com/blog/security-misconfigurations-how-to-avoid-them/#:~:text=Threat%20actors%20can%20gain%20entry,malware%20attacks%20and%20data%20compromise

5. https://www.cisa.gov/news-events/alerts/2022/05/17/weak-security-controls-and-practices-routinely-exploited-initial