
Ethical Hacking

Wade Mackey

FBI spams thousands with fake infosec advice after ‘software misconfiguration’

November 15, 2021 By Ryan Trapp Leave a Comment

In what is one of the bigger news items of the week, the FBI has had one of their servers compromised and fake emails sent out from it. Since the emails were sent from one of the FBI’s servers they appeared legitimate in nature, as they actually came from their domain. The emails that were sent out were a false warning that the FBI had detected a chain attack and that the company’s virtual servers had been exfiltrated. It also laid blame for the attack at Vinny Troia’s feet, who is the founder of infosec firms Shadow Byte Cyber and Night Lion Security. It does not appear that this is the case. In total about 100,000 of these emails were able to be sent out before the campaign was stopped.


https://www.theregister.com/2021/11/15/fbi_fake_emails/

Attack the block – How a security researcher cracked 70% of urban WiFi networks in one hit

November 11, 2021 By Matthew Bryan 1 Comment

A CyberArk researcher, Ido Hoorvitch, identified that many urban areas have unsafe and weak WiFi passwords that can be easily cracked. Hoorvitch collected 5,000 WiFi hashes around his neighborhood using network sniffing equipment. These were run through CyberArk’s “monster” password cracking rig, which used an exploit found in PMKID hashes.

Hoorvitch noted that many people use cell phone numbers as their WiFi password. This allowed him to crack numerous hashes, obtain passwords, and then access their networks. In the cases where a phone number was used, it took approximately nine minutes for each crack. If routers do not support roaming modes, then they are not susceptible to this attack. It is recommended that complex passwords should be used with secure encryption protocols. WPA/WPA1 should be disabled.
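The post's remediation advice (complex passphrases, nothing that looks like a phone number) can be turned into a checkable policy. The following is an added example, not code from the post or from CyberArk; the length limits, the 7-15 digit "phone-shaped" rule and the 60-bit minimum are assumptions chosen for illustration. The point it makes is that separators such as dashes or spaces do not help a digits-only passphrase: once a guesser assumes "phone number", the search space is at most ten to the power of the digit count.

```python
import math
import re

# Assumed policy values (not from the article): WPA2-PSK accepts 8-63 printable characters.
MIN_LEN, MAX_LEN = 8, 63
MIN_BITS = 60.0  # assumed minimum effective keyspace, in bits

# Characters people commonly put between phone-number digits.
SEPARATORS = re.compile(r"[\s().+-]")
# 7-15 digits covers national and E.164 international numbers (assumption).
PHONE_LIKE = re.compile(r"^\d{7,15}$")


def class_bits(passphrase: str) -> float:
    """Upper bound on guessing effort: length x log2(size of the character classes used)."""
    size = 0
    if re.search(r"[a-z]", passphrase):
        size += 26
    if re.search(r"[A-Z]", passphrase):
        size += 26
    if re.search(r"[0-9]", passphrase):
        size += 10
    if re.search(r"[^A-Za-z0-9]", passphrase):
        size += 33  # printable ASCII punctuation
    return len(passphrase) * math.log2(size) if size else 0.0


def effective_bits(passphrase: str) -> float:
    """Effective keyspace, assuming the guesser knows the common 'phone number' habit.

    Separators add nothing: once the passphrase is known to be digits, the search
    space is at most 10^digits, so digit-only passphrases are scored on digits alone.
    """
    digits = SEPARATORS.sub("", passphrase)
    if digits.isdigit():
        return len(digits) * math.log2(10)
    return class_bits(passphrase)


def check_wifi_passphrase(passphrase: str) -> list:
    """Return a list of policy problems; an empty list means the passphrase passes."""
    problems = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        problems.append(f"length {len(passphrase)} outside {MIN_LEN}-{MAX_LEN}")
    digits = SEPARATORS.sub("", passphrase)
    if PHONE_LIKE.match(digits):
        problems.append(f"looks like a phone number ({len(digits)} digits)")
    elif digits.isdigit():
        problems.append("digits only")
    bits = effective_bits(passphrase)
    if bits < MIN_BITS:
        problems.append(f"effective keyspace {bits:.0f} bits < {MIN_BITS:.0f}")
    return problems


if __name__ == "__main__":
    # Constructed candidates, not passwords from the article.
    for candidate in ("054-123-4567", "12345678", "correct-horse-battery-7"):
        print(candidate, "->", check_wifi_passphrase(candidate) or "OK")
```

A ten-digit number scores about 33 bits however it is punctuated, which is why each such crack took minutes on a large rig; the long mixed passphrase scores well over a hundred bits under the same estimate.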

Author: Matias Madou
Published: October 20, 2021
Link

The Top 3 Cyber Security Mistakes and How to Avoid Them

November 9, 2021 By Oluwaseun Soyomokun Leave a Comment

Ransomware cost Americans an estimated $1.4 billion last year, and beyond high-profile hacks like the Kaseya and Colonial Pipeline breaches, cyber threats are more common than ever. As a result, businesses of all sizes are scrambling to learn more about cyber security and ensure that they have the proper measures in place to protect their operations. These are the top three considerations organizations must take into account when implementing or upgrading their cyber security approach.

  1. People and Training

First and foremost, there is a significant lack of cybersecurity education among employees. The human firewall is the most important defense, but it is also the most vulnerable. That means security training has to be a top priority when it comes to an organization’s cyber security. Organizations should implement a security awareness training platform which trains, tests and scores all employees. It’s important to teach employees how to identify cyber security threats and remain vigilant toward anything suspicious, such as scams, fraudulent emails, or even physical threats. It’s also important to consider implementing some sort of email gateway filter. With the rise of remote working, additional problems emerge as more people go mobile. For example, it is much easier on mobile to mix company and private mail and people tend to click quickly, which leads to errors. We all need to slow down, verify incoming requests and be cognizant of what we are clicking on so that we do not fall victim to a cyber security threat.


  2. Technology and System

It is also paramount that organizations ensure systems are fully patched, inclusive of their OS, firmware and applications. They must ensure each endpoint detection and response application is installed on each device, with all systems reporting back to a central location or Security Operation Center, where all notifications, events, and alarms can be correlated. A quality Detection and Response application is not only going to defend against malware and other malicious activity, but it will also identify possible insider threats by monitoring lateral traffic. Utilizing such Security SaaS should be part of the overarching security platform which will provide a level of behavioral analytics with the ability to determine what is standard for that user and/or system. Therefore, this allows organizations to identify unusual activity, even if the user has the rights to the systems being accessed.

Additionally, I would suggest V-LANs and least privilege access or even zero trust as a greater security play. For example, IoT devices should not cohabitate on the same V-LAN as the accounting or human resources department. This type of network segmentation allows for greater risk reduction.


  3. Staffing and Security Operations

Many organizations forgo the managed services model to create an in-house security operation center, believing they can do it themselves. There are many cyber security tools available; however, there are very few trained and certified security engineers, and these tools often rely upon alarms, event notifications, or automated messaging to provide alerts. However, this begs the question, who will be monitoring and mitigating the environment at 3 a.m. on New Year’s Eve? Effective cyber security infrastructure requires extensive resources to reduce the total volume of alerts, alarms and events to an actionable notification which requires mitigation. Vacation, training, sick time, education and retention programs are all factors to consider when creating a security operations center. There is a deficit of security analysts, engineers and architects throughout the cyber security space today. Even if you can hire a strong team of cyber security specialists, security operation centers require at least five to six people to ensure 24/7 coverage.

In addition to the personnel issues, there are also equipment, software updates and proper configuration to consider. True quality deployment will require multiple layers, and the systems will have to be integrated, monitored and managed. In comparison, an organization that outsources its cyber security needs can depend upon systems being maintained and a team of experts to support them. Simply put, organizations should secure their environment through a third-party managed security service. These services are inclusive of EDRs, patching systems, a security information event manager, behavioral analytics and east/west traffic monitoring. At best, with the current staffing shortage, an in-house SOC is an ineffective method to detect, quarantine and/or remediate an infected device and/or network.

Hackers are only becoming more sophisticated and, big or small, no organization can afford to go unprotected. Being aware of these three points is critical in protecting your organization from cyber threats. In the current cyber security environment, there is no room for mistakes.

The Top 3 Cyber Security Mistakes and How to Avoid Them – Cyber Defense Magazine

Explanation of the flaws in Software and Systems Code

October 16, 2021 by Oluwaseun Soyomokun Leave a Comment

I found this article in which Peter Coroneos, Vice President of the Cybersecurity Advisor Network, explains: “Zero day vulnerabilities are flaws in software or systems code that leave end users open to attack.
“They are called ‘zero day’ because they are either unknown to the vendor who produced the product, or are known but no patch has yet been made available.

“The period between when the zero day is first discovered by an attacker and when the patch is installed by the end user is the attack window in which a compromise can occur. The consequences can be vast and most serious attacks these days involve zero day exploits.”
“The first famous zero day attack was Stuxnet in 2009 against the Iranian uranium enrichment program. More recent attacks include WannaCry, NotPetya, SolarWinds, MS Exchange Server hacks of 2021 and the infamous Colonial Pipeline ransomware attack.”
“‘White hat’ zero day researchers form a critical piece in the remediation of exploitable connected systems. They uncover the existence of unpatched vulnerabilities and report them to vendors of the relevant products so they can be fixed. Regrettably, they face legal threats from some vendors sensitive to the discovery of flaws in their products.
Most digital security incidents are caused by malicious actors (e.g. cybercriminals and state-sponsored groups) exploiting vulnerabilities in organisations’ digital ecosystems. Addressing vulnerabilities before attackers take advantage of them is an effective means of reducing the probability of cybersecurity incidents. This article discusses vulnerabilities in products’ code such as software and firmware, and in how products are implemented in information systems. It shows that the technical community has progressed in developing good practice for treating vulnerabilities, including through co-ordinated vulnerability disclosure (CVD). However, significant economic and social challenges prevent stakeholders from adopting good practice, such as legal frameworks that do not sufficiently protect “ethical hackers” from legal proceedings. The paper stresses that public policies aimed at removing obstacles and encouraging vulnerability treatment could significantly reduce digital security risk for all.

https://itwire.com/security/video-interview-cyan-vp-peter-coroneos-explains-why-laws-are-needed-to-protect-ethical-zero-day-cyber-research.html


Tagged With: Uncategorized

Article on how hackers steal one time passcodes

October 14, 2021 by Wade Mackey Leave a Comment

I saw this today and thought I’d pass it along.  It also describes recon to identify users.

https://krebsonsecurity.com/2021/10/how-coinbase-phishers-steal-one-time-passwords/

Filed Under: Week 7 Tagged With:

Apache Warns of Zero-Day Exploit in the Wild — Patch Your Web Servers Now!

October 11, 2021 by Ryan Trapp 1 Comment

This week there was a zero day discovered in Apache HTTP Server 2.4.49. This vulnerability can allow attackers to map URLs to files outside of the expected document root on the server. However, it has subsequently been discovered that the zero-day flaw is worse than originally thought due to a new proof of concept that demonstrates the vulnerability can lead to remote code execution. This vulnerability only affects the 2.4.49 version of Apache but it is extremely severe in nature and something that you would want to patch immediately if one of your servers was running this.
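The defensive property the post describes, that a request path must never resolve to a file outside the document root, comes down to order of operations: percent-decode first, then normalise dot segments, then join to the root. The example below is added here and is not Apache's code or the proof of concept the post mentions; `DOCROOT`, the decode-round limit and the sample log lines are all constructed for illustration. The second function runs the same resolver over constructed access-log lines as a simple detector for requests that would have escaped the root.

```python
import re
from pathlib import PurePosixPath
from typing import List, Optional
from urllib.parse import unquote

# Assumed document root; the real value is whatever DocumentRoot the server uses.
DOCROOT = PurePosixPath("/var/www/html")
MAX_DECODE_ROUNDS = 3  # assumption: anything nested deeper than this is refused, not guessed


def resolve_request_path(url_path: str, docroot: PurePosixPath = DOCROOT) -> Optional[PurePosixPath]:
    """Map a request path onto the filesystem, or return None if it would leave docroot.

    Percent-decode until the string stops changing, then walk '.' and '..' segments,
    and only then join to the root. Normalising the still-encoded string would let
    encoded dot segments through, which is the class of bug the post describes.
    """
    path = url_path.split("?", 1)[0]  # the query string never selects a file
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None  # still changing after the last round: refuse it
    if "\x00" in path or "\\" in path:
        return None  # NUL bytes and backslashes have no legitimate use in a URL path
    parts: List[str] = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                return None  # attempt to climb above the document root
            parts.pop()
            continue
        parts.append(segment)
    return docroot.joinpath(*parts)


# Request line inside an Apache combined-format log entry.
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def flag_traversal_attempts(log_lines: List[str]) -> List[str]:
    """Return the access-log lines whose request path would resolve outside DOCROOT."""
    flagged = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if match and resolve_request_path(match.group(1)) is None:
            flagged.append(line)
    return flagged


# Constructed sample lines (not real traffic); two are benign, two try to leave the root.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [11/Oct/2021:10:00:02 +0000] "GET /docs/../about.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/Oct/2021:10:00:03 +0000] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 199',
    '203.0.113.9 - - [11/Oct/2021:10:00:04 +0000] "GET /%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for line in flag_traversal_attempts(SAMPLE_LOG):
        print("escapes docroot:", line)
```

Note that the benign `/docs/../about.html` is accepted, since it stays inside the root after normalisation; only requests that would climb above `DOCROOT` are flagged, so the detector reports the two lines from `203.0.113.9`.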


https://thehackernews.com/2021/10/apache-warns-of-zero-day-exploit-in.html

Filed Under: Week 7 Tagged With:

Apple AirTag Bug Enables ‘Good Samaritan’ Attack

October 9, 2021 by Matthew Bryan 2 Comments

I thought this was interesting and relevant to our recent discussions about social engineering. Apple AirTags are used to locate frequently lost devices. Finders of a tag can scan the device on their iPhone to reveal information about the tag’s owner if it’s in “lost mode.” During the scan, the finder’s iPhone displays a custom web page with the owner’s phone number.

The AirTag “Good Samaritan Attack” exploits a flaw in this process which does not sanitize the input to the phone number field. This allows the bad actor to input anything they’d like into the field, e.g. a redirect to an iCloud phishing page. The deployment is similar to USB baiting attacks where USB devices are dropped outside the target location. The Good Samaritan picks up the device, scans the tag, and is redirected to the attack page. This is concerning as users are not as diligent with checking sites on mobile devices and it may not be clear that they are being redirected to a malicious site.

The researcher who found the bug, Bobby Rauch, reported that Apple was not responsive to his attempts to disclose the issue. This has been a trend among security researchers that report issues to Apple. Rauch stated that they never answered his questions about the bug bounty program and did not follow up with their remediation plan. Apple did ask that Rauch avoid publicizing his findings; however, he did not comply with this request, due to their lack of communication.
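The flaw in the post is a field that is meant to hold a phone number being rendered into a web page without validation or escaping. As an added example (not Apple's code, and not the researcher's), the snippet below shows the two controls a defender would expect on such a field: accept only strings that match a phone-number grammar, and HTML-escape every untrusted value at render time regardless. The E.164-style rule, the `render_lost_mode_page` function and the sample inputs are assumptions made for illustration.

```python
import html
import re
from typing import Optional

# Assumed acceptance rule: optional '+', a non-zero first digit, 7-15 digits in total
# (E.164 international numbers). Anything else is not a phone number and is dropped.
E164 = re.compile(r"^\+?[1-9]\d{6,14}$")
SEPARATORS = re.compile(r"[\s().-]")


def normalize_phone(raw: str) -> Optional[str]:
    """Return the digits (with optional leading '+') or None if the field is not a phone number."""
    cleaned = SEPARATORS.sub("", raw.strip())
    return cleaned if E164.match(cleaned) else None


def render_lost_mode_page(owner_message: str, phone_field: str) -> str:
    """Build the HTML fragment a finder would see. Validate first, then escape every untrusted value."""
    phone = normalize_phone(phone_field)
    if phone is None:
        contact = "<em>No contact number provided.</em>"
    else:
        # The href only ever carries a string that just passed E164, so it cannot
        # smuggle a URL scheme or markup; escaping is kept as a second layer anyway.
        contact = f'<a href="tel:{html.escape(phone)}">{html.escape(phone)}</a>'
    return (
        "<section>"
        f"<p>Message from the owner: {html.escape(owner_message)}</p>"
        f"<p>Contact: {contact}</p>"
        "</section>"
    )


if __name__ == "__main__":
    # Constructed inputs: one legitimate number, one attempt to put markup in the field.
    print(render_lost_mode_page("Please call me if found.", "+1 (555) 010-2345"))
    print(render_lost_mode_page("Please call me if found.", "555<script>alert(1)</script>"))
```

The validation step is what closes the redirect described in the post: a value that is not a phone number never reaches the page, and the escaping step means that even a validation mistake would render markup as inert text rather than executing it.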


Article: Apple AirTag Bug Enables ‘Good Samaritan’ Attack

Author: Brian Krebs

Published: September 28, 2021

Link


Filed Under: Week 7 Tagged With:

Ransomware Finally Claims a Life

October 8, 2021 by Vanessa Marin 3 Comments

Article: A Hospital Hit by Hackers, a Baby in Distress: The Case of the First Alleged Ransomware Death
Author: Kevin Poulsen, Robert McMillan and Melanie Evans
Published: September 30, 2021
Source: The Wall Street Journal

This article was incredibly upsetting. Up until now ransomware making victims of hospitals has always been speculated as a danger to human life. Now, we have an actual victim that has died. An unborn child’s condition was not tracked appropriately, which resulted in permanent brain damage and the eventual death of the baby. Parents are suing the hospital and the physician and are still in litigation. As it happens, the hospital was undergoing an aggressive ransomware attack at the time of the incident and did not inform the patients or the staff of what was occurring in the moment. The hospital was actively trying to mitigate the incident. Not an unusual occurrence, as the response is immediate to these kinds of attacks. The hospital did not pay the ransom, which is to be noted. Eventually the institution was able to gain access to their patient files and recover. However, the damage had been done and the patient was irrevocably impacted. If this case is won, this will be the FIRST proven case of ransomware causing a death.

Filed Under: Week 6 Tagged With:

A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries

October 4, 2021 by Ryan Trapp 3 Comments

My article this week is one that highlights the emergence of a new APT group targeting the fuel, energy, and aviation industries. This new group is disguising their malware under legitimate services of companies such as Microsoft, TrendMicro, McAfee, IBM, and Google. I find this interesting due to the recent pipeline hack. It seems that these sectors are some that have not been targeted very much so far but could be the focus of a lot of future attacks. This could be the beginning of a trend for the cybersecurity industry. The consequences for attacking these industries are severe in terms of financial and data loss.


https://thehackernews.com/2021/10/a-new-apt-hacking-group-targeting-fuel.html

Filed Under: Week 6 Tagged With:

Banking industry sees 1318% increase in ransomware attacks in 2021

October 3, 2021 by Shubham Patil 3 Comments

Ransomware remained the standout threat in the first half of the year as cybercriminals continued to target big-name victims. Working with third parties to gain access to targeted networks, cybercriminals used Advanced Persistent Threat tools and techniques to steal and encrypt victims’ data, the report shows.

The banking industry was disproportionately affected, experiencing a 1,318% year-on-year increase in ransomware attacks in the first half of 2021. Other key findings include:

  • Business email compromise (BEC) attacks increased by 4%, potentially due to new COVID-19 opportunities for threat actors.
  • Cryptocurrency miners became the most detected malware, surging ahead of WannaCry and web shells in recent months.
  • The Zero Day Initiative detected 770 vulnerabilities, a slight (2%) drop from 1H 2020.
  • A total of 164 malicious apps related to COVID-19 scams were detected, 54% of which impersonated TikTok.


Link

Tagged With: Uncategorized

Wanted: Disgruntled Employees to Deploy Ransomware

October 2, 2021 by Matthew Bryan 1 Comment

Cybercriminals are asking employees to install ransomware on their company’s network in exchange for a portion of the profits. The article details security researcher Crane Hassold’s experience engaging with a scammer offering 40% of the multi-million dollar ransom. The actor disclosed to Hassold that he originally tried phishing senior executives unsuccessfully, which is why he’s reaching out to insiders and asking to partner. Hassold was asked to install the Demonware ransomware strain, which is freely available on GitHub.

Ransomware typically requires more sophistication to deploy.  The actor used techniques commonly associated with business email compromise to engage the user and manipulate them to act on their behalf.  It’s similar to other scams involving wire transfers, but the payload is ransomware.

Approaching employees directly is not new; however, there are growing concerns about disgruntled employees creating identities on the darknet and offering to launch insider attacks for a fee.  The article cites the Lockbit 2.0 ransomware-as-a-service gang that included a solicitation for insiders in the desktop wallpaper left behind on systems encrypted with the malware.


Article: Wanted: Disgruntled Employees to Deploy Ransomware

Author: Brian Krebs

Published: August 19, 2021 

Link: https://krebsonsecurity.com/2021/08/wanted-disgruntled-employees-to-deploy-ransomware/


Filed Under: Week 6 Tagged With: Week 6

New techniques taking advantage of MAC layer to enable long-range communication using other people’s networks.

September 27, 2021 by Vanessa Marin 2 Comments

Article: Our Eye Is on the SPARROW
Author: Reza Soosahabi
Published: September 24, 2021
Site: DARKReading.com

This week’s news: there’s a new way to enable long range communication leveraging other people’s networks by taking advantage of a vulnerability found in MAC layer protocols in 5G and LTE.
Using the cell coverage network, anonymous messages can be sent over short distances that link together to enable a longer trail of communication. The vulnerability allows the establishment of these links prior to authenticating the user, therefore allowing for anonymity. Specifically, the MAC layer (L2) of the “wireless access infrastructure” is impacted, rather than physical disruption of the L1 layer or use of the other layers of the infrastructure stack (L3-L7).

It’s important to note that “Since commercial wireless signals are available virtually everywhere, exploiting them for data exfiltration can circumvent all existing preventive measures.” This renders it a rather critical vulnerability.

3 reasons for major concern:
– Max Anonymity
– More distance coverage
– Low power and low complexity

Exploits
– data exfiltration – can serve as a vehicle to known data exfiltration techniques
– command and control – remote control of IoT to trigger events
– clandestine ops – attackers can communicate without detection

Filed Under: Week 5 Tagged With:

New Android Malware Steals Financial Data from 378 Banking and Wallet Apps

September 27, 2021 by Ryan Trapp 1 Comment

This article details a new mobile malware built off of a previous infamous piece of malware. This Trojan, named ERMAC, targets users’ financial data. It steals users’ contact info and text messages, opens arbitrary applications, and also triggers an overlay for a multitude of financial apps to steal the login credentials. The roots of the malware are suspected to stem from the Cerberus malware, which was another banking Trojan that affected users not too long ago.


https://thehackernews.com/2021/09/new-android-malware-steals-financial.html

Filed Under: Week 5 Tagged With:

Copyright © 2025 · Course News Pro on Genesis Framework · WordPress · Log in