How was LogicMonitor hacked? And how to avoid the same mistakes

What is LogicMonitor?

LogicMonitor is a cloud-based SaaS platform used for infrastructure monitoring. Its official site states that it monitors “800 billion metrics per day across three million active devices” and that “it has more than 100,000 software users across 30 different countries”. The company is trusted by brands like PayPal, Siemens and Kayak.

What happened?


Based on how other publications are describing the issue, it is most likely a password-spraying and brute-force attack. Given the information available online, our best guess is that the attackers chained two techniques to gain access:

  1. Email/username enumeration – a very common issue in many applications, usually rated low risk and ignored because on its own it has no direct impact. The features most likely to be vulnerable are the “Register” and “Forgot password” forms when they return specific error messages such as “Email already registered” or “Email not found” instead of a generic one. Attackers use the differing responses to build a list of valid accounts.
  2. Once valid emails/usernames are known, a list of candidate passwords is generated and run against each valid account until one succeeds.
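The two-step chain above, as an added example that is not code from the article or from LogicMonitor: a tiny in-memory mock of a “forgot password” endpoint in a leaky and a generic variant, an enumerator that compares response text, and a spraying loop that tries one password per round across every account. All addresses, passwords and the `USERS` table are constructed for the demo; the “Welcome@” plus three-digit format only mirrors the default-password scheme described in the article.

```python
# Added example, not code from the article or from LogicMonitor: a tiny in-memory
# mock of a "forgot password" endpoint in a leaky and a generic variant, plus the
# two-step chain (enumerate, then spray) described above. All accounts, passwords
# and addresses here are constructed for the demo.
from typing import Callable, Dict, List, Tuple

# Constructed user base. The "Welcome@" + 3-digit format mirrors the default
# password scheme described in the article; the numbers are made up.
USERS: Dict[str, str] = {
    "alice@example.com": "Welcome@417",
    "bob@example.com": "Welcome@088",
    "carol@example.com": "Welcome@950",
}

# One candidate per possible 3-digit suffix: Welcome@000 .. Welcome@999.
DEFAULT_PASSWORD_CANDIDATES: List[str] = [f"Welcome@{n:03d}" for n in range(1000)]


def forgot_password_leaky(email: str) -> str:
    """Insecure variant: the response text reveals whether the account exists."""
    if email in USERS:
        return "Password reset email sent"
    return "Email not found"


def forgot_password_generic(email: str) -> str:
    """Hardened variant: identical response whether or not the account exists."""
    return "If that address is registered, a reset email has been sent"


def enumerate_accounts(endpoint: Callable[[str], str], candidates: List[str]) -> List[str]:
    """Step 1: submit each candidate address and split them by response text.

    If the endpoint answers every candidate identically, nothing is learned and
    the whole candidate list comes back unchanged (the attacker must spray blind).
    """
    responses = {c: endpoint(c) for c in candidates}
    if len(set(responses.values())) == 1:
        return list(candidates)
    # A deliberately bogus address tells us what the "not found" response looks like.
    not_found = endpoint("definitely-not-a-user-00000@example.invalid")
    return [c for c, r in responses.items() if r != not_found]


def login(email: str, password: str) -> bool:
    """Mock login: a plain comparison is enough for a demo of the attack flow."""
    return USERS.get(email) == password


def spray(accounts: List[str], candidates: List[str],
          login_fn: Callable[[str, str], bool]) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Step 2: password spraying.

    Each round tries ONE password against EVERY account, so the per-account
    attempt counter grows by one per round. With a 10-minute gap between rounds
    this stays under typical lockout thresholds, and the number of rounds (and
    therefore the wall-clock time) depends only on the candidate list length,
    not on how many accounts are attacked in parallel.
    Returns (account -> recovered password, account -> attempts made).
    """
    found: Dict[str, str] = {}
    attempts: Dict[str, int] = {a: 0 for a in accounts}
    for password in candidates:
        for account in accounts:
            if account in found:
                continue
            attempts[account] += 1
            if login_fn(account, password):
                found[account] = password
        if len(found) == len(accounts):
            break
    return found, attempts


if __name__ == "__main__":
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
    valid = enumerate_accounts(forgot_password_leaky, guesses)
    print("valid accounts via leaky endpoint:", valid)
    print("with generic endpoint:", enumerate_accounts(forgot_password_generic, guesses))
    found, attempts = spray(valid, DEFAULT_PASSWORD_CANDIDATES, login)
    for account, password in found.items():
        print(f"{account}: {password} after {attempts[account]} attempts")
```

Against the leaky endpoint the enumerator drops the non-existent `dave@example.com` before any login attempt is made; against the generic endpoint it returns all four guesses, so the attacker wastes a full round of attempts on an account that does not exist. The spray loop shows why the attack scales: each account sees at most 1,000 attempts regardless of how many accounts are hit in the same round.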

According to a source at the company, passwords of the form “Welcome@” plus a short number were used as defaults. Assuming the “short number” is 3 digits, that gives 1,000 possible passwords, with a hit expected after ~500 attempts on average.


If the attackers tried one password every 10 minutes per account to avoid triggering lockouts and alerts, it would take about 3.5 days on average to hit the right password, and about one week to exhaust all 1,000 possibilities.


While that may seem a long time, LogicMonitor has ~100,000 users. By trying one password per round across all accounts (spraying) instead of working through one account at a time, the same 10-minute per-account interval covers every account in parallel, so all ~100,000 accounts could have been tested against the full list in roughly 7 days (assuming the lockout counter resets in less than 10 minutes).

Insecure design

LogicMonitor made two main insecure design decisions when implementing the registration function:

  1. the default password was an (almost) open secret – from a default such as “Welcome@123”, one can make an educated guess that other accounts use the same format with only the number sequence changed
  2. a password reset was not required – the usual practice (and a security recommendation) is to require newly registered users to change any password set by the application on first login, specifically to avoid cases like this one

Impact

According to TechCrunch, the same source said they are aware of one breached customer that lost more than 400 systems to a ransomware attack that exploited the weak default password.

How to stay protected?

Several things can be done to stay protected:

  1. Enforce multi-factor authentication – in 2021 CISA (Cybersecurity and Infrastructure Security Agency) added single-factor authentication to its list of Bad Practices, and Microsoft wrote back in 2019 that MFA can block over 99.9 percent of account compromise attacks
  2. Set unique, strong default passwords with an expiration period – if your application sets a default password during registration, at least make sure it is truly random, unpredictable, and expires
  3. Enforce a password reset – by forcing the end user to change the default password to one that follows best practices, the likelihood of a successful password-spraying attack is greatly reduced
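Recommendations 2 and 3 in code, as an added example that is not the article’s or LogicMonitor’s own implementation: the application-set initial password is random, carries an expiry, and can only be used to set a new password; the login path returns the same failure for an unknown user, a wrong password and an expired temporary password, so it cannot be used for enumeration either. `TEMP_PASSWORD_TTL`, `PBKDF2_ITERATIONS`, `MIN_PASSWORD_LENGTH` and the “Welcome@” deny-list pattern are assumptions chosen for the demo.

```python
# Added example, not code from the article or from LogicMonitor: secure
# provisioning of an application-set initial password. The temporary password is
# random, expires, and must be changed on first login; the login path answers
# every failure identically. TEMP_PASSWORD_TTL, PBKDF2_ITERATIONS and the
# strength rule are assumptions chosen for the demo.
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TEMP_PASSWORD_TTL = 24 * 60 * 60        # assumption: temporary password valid for 24 hours
PBKDF2_ITERATIONS = 100_000             # kept modest for the demo; prefer a memory-hard KDF in production
MIN_PASSWORD_LENGTH = 12                # assumption
# Assumed deny-list: the predictable "Welcome@<digits>" family from the article.
PREDICTABLE_PATTERN = re.compile(r"^welcome@\d+$", re.IGNORECASE)

FAIL, MUST_CHANGE_PASSWORD, OK = "FAIL", "MUST_CHANGE_PASSWORD", "OK"


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    must_change: bool                   # True until the user sets their own password
    temp_expires_at: Optional[float]    # None once the password is user-chosen


ACCOUNTS: Dict[str, Account] = {}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Dummy credential hashed for unknown users so the work done (and its timing)
# does not depend on whether the address exists.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash(secrets.token_urlsafe(18), _DUMMY_SALT)


def provision_account(email: str, now: float) -> str:
    """Create the account with a random, expiring, must-change temporary password.

    Contrast with the insecure design: a fixed "Welcome@" prefix plus a short
    number, no expiry, no forced change.
    """
    temp_password = secrets.token_urlsafe(18)     # ~144 bits of entropy, shown to the user once
    salt = secrets.token_bytes(16)
    ACCOUNTS[email] = Account(salt, _hash(temp_password, salt), True, now + TEMP_PASSWORD_TTL)
    return temp_password


def login(email: str, password: str, now: float) -> str:
    """Returns OK, MUST_CHANGE_PASSWORD or FAIL. Unknown user, wrong password and
    expired temporary password all yield the same FAIL, so nothing is enumerable."""
    account = ACCOUNTS.get(email)
    salt = account.salt if account else _DUMMY_SALT
    expected = account.pw_hash if account else _DUMMY_HASH
    matches = hmac.compare_digest(_hash(password, salt), expected)
    if account is None or not matches:
        return FAIL
    if account.temp_expires_at is not None and now > account.temp_expires_at:
        return FAIL                     # stale temporary password: re-provision instead
    if account.must_change:
        return MUST_CHANGE_PASSWORD     # the only thing this session may do is set a new password
    return OK


def is_acceptable_password(candidate: str) -> bool:
    return len(candidate) >= MIN_PASSWORD_LENGTH and not PREDICTABLE_PATTERN.match(candidate)


def change_password(email: str, old_password: str, new_password: str, now: float) -> bool:
    """Completes first login: the temporary password is retired and the account
    becomes a normal one (no expiry, no forced change)."""
    if login(email, old_password, now) == FAIL or not is_acceptable_password(new_password):
        return False
    salt = secrets.token_bytes(16)
    ACCOUNTS[email] = Account(salt, _hash(new_password, salt), False, None)
    return True
```

The temporary password is never stored in clear and is useless after the TTL or after the first successful change, so a leaked onboarding email or a guessed default no longer opens an account. A real deployment would add rate limiting and MFA (recommendation 1) on top of this; they are deliberately left out to keep the example focused on the default-password flow.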

“An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks. One of the factors that contribute to insecure design is the lack of business risk profiling inherent in the software or system being developed, and thus the failure to determine what level of security design is required” – OWASP 2021
