Weak default password leaves LogicMonitor clients vulnerable

Sheila Zabeu -

September 05, 2023

An old and well-known flaw in the world of Information Technology (IT), the use of default passwords, claimed another group of victims at the end of August: customers of LogicMonitor, a provider of IT infrastructure observability solutions.

According to TechCrunch, one affected customer reported that, when a LogicMonitor account was first set up, the same weak, standardised password was assigned to every user account in the organisation. These passwords were not temporary: no subsequent change was required. LogicMonitor has since changed the setup password so that it expires after 30 days and must be changed at first login.
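The difference between the old and the new setup flow, as an added example that is not LogicMonitor's code: the account model, the 20-character random password and the function names are assumptions; the 30-day lifetime and the forced change at first login are the behaviour the article describes.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Added example, not LogicMonitor's code. Models the two provisioning flows
# the article describes: a shared, non-expiring setup password versus a
# per-user random password that expires after 30 days and must be changed
# at first login. Field and function names are assumptions.

SETUP_PASSWORD_TTL = timedelta(days=30)
SETUP_PASSWORD_LEN = 20
ALPHABET = string.ascii_letters + string.digits
NOW = datetime(2023, 8, 1, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class Account:
    username: str
    password: str
    must_change: bool               # True: next successful login must rotate the password
    expires_at: Optional[datetime]  # None: the setup password never expires


def provision_weak(usernames: List[str], shared_password: str = "Welcome123") -> List[Account]:
    """The anti-pattern: one standardised password for every account, no expiry,
    no forced change. 'Welcome123' is a placeholder, not the real value."""
    return [Account(u, shared_password, must_change=False, expires_at=None)
            for u in usernames]


def provision_hardened(usernames: List[str], now: datetime) -> List[Account]:
    """Per-user random setup password, 30-day lifetime, change required at first login."""
    return [
        Account(
            u,
            "".join(secrets.choice(ALPHABET) for _ in range(SETUP_PASSWORD_LEN)),
            must_change=True,
            expires_at=now + SETUP_PASSWORD_TTL,
        )
        for u in usernames
    ]


def login(account: Account, supplied: str, now: datetime) -> str:
    """Outcome of a login attempt: denied, expired, change_required or ok.
    Order matters: an expired setup password is rejected even when it is correct."""
    if not secrets.compare_digest(account.password, supplied):
        return "denied"
    if account.expires_at is not None and now >= account.expires_at:
        return "expired"
    if account.must_change:
        return "change_required"
    return "ok"


def audit(accounts: List[Account]) -> List[str]:
    """Findings a reviewer of the tenant's accounts would raise."""
    findings = []
    by_password = {}
    for a in accounts:
        by_password.setdefault(a.password, []).append(a.username)
    for users in by_password.values():
        if len(users) > 1:
            findings.append(f"same setup password on {len(users)} accounts: {', '.join(users)}")
    for a in accounts:
        if not a.must_change:
            findings.append(f"{a.username}: no forced change at first login")
        if a.expires_at is None:
            findings.append(f"{a.username}: setup password never expires")
    return findings


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]
    for finding in audit(provision_weak(users)):
        print("weak:", finding)
    hardened = provision_hardened(users, NOW)
    print("hardened:", audit(hardened) or "no findings")
    print(login(hardened[0], hardened[0].password, NOW))                       # change_required
    print(login(hardened[0], hardened[0].password, NOW + SETUP_PASSWORD_TTL))  # expired
```

The audit is the check a customer can run on their own tenant: if two accounts share a setup password, or any setup password has no expiry and no forced change, the weak flow is still in place regardless of what the vendor's defaults are today.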

TechCrunch also spoke to a customer who received an email from LogicMonitor warning of a possible compromise of user logins and passwords that could expose systems monitored by LogicMonitor to ransomware. One source said he knew of a company that lost more than 400 systems to a ransomware attack that exploited these standardised weak passwords.

Although LogicMonitor has not confirmed ransomware attacks on customers, anonymous sources also told BleepingComputer that attackers “broke into accounts and were able to create local users and deploy ransomware”. The same sources said the ransomware was deployed through LogicMonitor Collectors, the sensors that monitor customer infrastructure but also have scripting capabilities.

LogicMonitor described the case as “a security incident” that affected a small number of customers and said it had already taken measures to mitigate the impact.

Days before the incident came to light in the press, LogicMonitor announced on its website that it was investigating technical abnormalities that could be affecting customer accounts, as a group of users located in the eastern and western regions of the United States and the western region of the European Union had lost access to their portals. It later reported that the affected customer portals had been restored and that it was working on restoring time series data. In a subsequent report, it said that the problem had been resolved.

Most used technique

Valid accounts are the most common attack technique in cyberattacks, used in 54 per cent of successful attempts, according to research by CISA, the US Cybersecurity and Infrastructure Security Agency. These may be default administrator accounts or the accounts of former employees that were never removed. When default passwords are left unchanged, malicious actors can simply log in and install and execute code as they see fit. The figure below, from CISA, shows how a valid-account attack unfolds.

Valid Account Execution
Source: CISA

CISA warns that gaining access to an organisation’s network is only the first step in a successful attack: malicious actors can then use further techniques, such as privilege escalation, to reach and steal data. Preventing that initial access should therefore be the main objective of the processes that protect network assets and data.

Password sharing and reuse

Sharing passwords has also become a common habit among users in most companies, partly because many teams have only one or two licences for a piece of software or service and must share the credentials. The practice may be unavoidable, but it must be done securely, with the shared credentials encrypted, according to research by LastPass.

Password reuse, moreover, remains widespread. The LastPass report finds that, on average, a password is reused 13 times. Reusing a password is not harmful in itself; the problem is that when a password used on several accounts is stolen, the damage multiplies across all of them.

What about weak passwords?

Believe it or not, 88 per cent of the passwords exploited in successful attacks had 12 characters or fewer, and the most common base terms among them were ‘password’, ‘admin’, ‘welcome’ and ‘p@ssw0rd’. Passwords made up only of lowercase letters were the most common character combination, accounting for 18.8 per cent of those used in attacks, according to Specops Software’s annual report on weak passwords, which analysed more than 800 million breached passwords.

Reused passwords
Source: LastPass

Another surprising finding is that 83 per cent of the compromised passwords met the length and complexity requirements of cybersecurity standards, including those of NIST, PCI, the ICO’s guidance for GDPR (data protection), HITRUST for HIPAA (patient data) and the NCSC’s Cyber Essentials.

“This shows that while organisations are striving to follow best practices and standards, more needs to be done to ensure that passwords are strong and unique. With the sophistication of password-based attacks, additional security measures are needed to protect access to sensitive data,” says Darren James, product manager at Specops Software.
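To see why a password can satisfy a complexity policy and still be weak, here is an added example that is not Specops' software or data: a checker that applies a typical length-and-character-class rule, then also checks the candidate against a small constructed breached-password list and the base terms named above, plus a helper that prepares the SHA-1 prefix used by the Have I Been Pwned range API so a real corpus can be queried without sending the password itself. Function names, thresholds and the sample list are assumptions.

```python
import hashlib
import string
from typing import List, Tuple

# Added example, not Specops' software or data. The breached list below is a
# constructed sample standing in for a real corpus; the base terms are the
# ones the article names. Function names and thresholds are assumptions.

BREACHED = {"password", "p@ssw0rd", "welcome1", "admin123", "summer2023!"}  # constructed, lowercase
BASE_TERMS = ("password", "admin", "welcome", "p@ssw0rd")

# Common character substitutions, undone before looking for base terms.
LEET = str.maketrans("@0431$!", "aoaeisi")


def meets_complexity(pw: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """A typical policy rule: minimum length plus three of four character classes.
    This is the kind of rule most of the 83 per cent of compromised passwords passed."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= min_classes


def normalise(pw: str) -> str:
    """Lower-case and undo leet substitutions so 'P@ssw0rd' compares as 'password'."""
    return pw.lower().translate(LEET)


def contains_base_term(pw: str) -> bool:
    n = normalise(pw)
    return any(normalise(term) in n for term in BASE_TERMS)


def hibp_range_parts(pw: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 of the password into the 5-hex-char prefix that the
    Have I Been Pwned range API accepts and the 35-char suffix to look for in its
    response. No request is made here; this only prepares the k-anonymity query."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def evaluate(pw: str) -> List[str]:
    """Reasons to reject the password; an empty list means it passed every check."""
    reasons = []
    if not meets_complexity(pw):
        reasons.append("fails length/complexity policy")
    if pw.lower() in BREACHED:
        reasons.append("appears in breached-password list")
    if contains_base_term(pw):
        reasons.append("built on a common base term")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "Welcome1", "P@ssw0rd2023!", "xq7!Lm2#Vp9z"]:
        print(f"{candidate!r}: complexity={meets_complexity(candidate)} "
              f"reasons={evaluate(candidate)}")
```

‘P@ssw0rd2023!’ is the instructive case: it passes the complexity rule and is absent from the sample breached list, yet it is still built on ‘password’ with routine substitutions, which is exactly the class of credential the Specops figures describe. In production the breached-list check would be replaced by sending the prefix from hibp_range_parts to the range API and matching the suffix locally.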