
Ethical Hacking

Wade Mackey

FBI spams thousands with fake infosec advice after ‘software misconfiguration’

November 15, 2021 By Ryan Trapp

In what is one of the bigger news items of the week, the FBI has had one of its servers compromised and fake emails sent out from it. Since the emails were sent from one of the FBI’s servers, they appeared legitimate, as they actually came from the FBI’s domain. The emails that were sent out were a false warning that the FBI had detected a chain attack and that the company’s virtual servers had been exfiltrated. They also laid blame for the attack at the feet of Vinny Troia, the founder of the infosec firms Shadow Byte Cyber and Night Lion Security. It does not appear that this is the case. In total, about 100,000 of these emails were sent out before the campaign was stopped.


https://www.theregister.com/2021/11/15/fbi_fake_emails/

Attack the block – How a security researcher cracked 70% of urban WiFi networks in one hit

November 11, 2021 By Matthew Bryan

A CyberArk researcher, Ido Hoorvitch, identified that many urban areas have unsafe and weak WiFi passwords that can be easily cracked. Hoorvitch collected 5,000 WiFi hashes around his neighborhood using network sniffing equipment. These were run through CyberArk’s “monster” password cracking rig, which used an exploit found in PMKID hashes.

Hoorvitch noted that many people use cell phone numbers as their WiFi password. This allowed him to crack numerous hashes, obtain passwords, and then access their networks. In the cases where a phone number was used, it took approximately nine minutes for each crack. If routers do not support roaming modes, then they are not susceptible to this attack. It is recommended that complex passwords be used with secure encryption protocols. WAP/WAP1 should be disabled.

Source: Matias Madou, published October 20, 2021

The Top 3 Cyber Security Mistakes and How to Avoid Them

November 9, 2021 By Oluwaseun Soyomokun

Ransomware cost Americans an estimated $1.4 billion last year, and beyond high-profile hacks like the Kaseya and Colonial Pipeline breaches, cyber threats are more common than ever. As a result, businesses of all sizes are scrambling to learn more about cyber security and ensure that they have the proper measures in place to protect their operations. These are the top three considerations organizations must take into account when implementing or upgrading their cyber security approach.

  1. People and Training

First and foremost, there is a significant lack of cybersecurity education among employees. The human firewall is the most important defense, but it is also the most vulnerable. That means security training has to be a top priority when it comes to an organization’s cyber security. Organizations should implement a security awareness training platform which trains, tests and scores all employees. It’s important to teach employees how to identify cyber security threats and remain vigilant toward anything suspicious, such as scams, fraudulent emails, or even physical threats. It’s also important to consider implementing some sort of email gateway filter. With the rise of remote working, additional problems emerge as more people go mobile. For example, it is much easier on mobile to mix company and private mail and people tend to click quickly, which leads to errors. We all need to slow down, verify incoming requests and be cognizant of what we are clicking on so that we do not fall victim to a cyber security threat.

  2. Technology and System

It is also paramount that organizations ensure systems are fully patched, inclusive of their OS, firmware and applications. They must ensure each endpoint detection and response application is installed on each device, with all systems reporting back to a central location or Security Operation Center, where all notifications, events, and alarms can be correlated. A quality Detection and Response application is not only going to defend against malware and other malicious activity, but it will also identify possible insider threats by monitoring lateral traffic. Utilizing such Security SaaS should be part of the overarching security platform which will provide a level of behavioral analytics with the ability to determine what is standard for that user and/or system. Therefore, this allows organizations to identify unusual activity, even if the user has the rights to the systems being accessed.

Additionally, I would suggest V-LANs and least privilege access or even zero trust as a greater security play. For example, IoT devices should not cohabitate on the same V-LAN as the accounting or human resources department. This type of network segmentation allows for greater risk reduction.

  3. Staffing and Security Operations

Many organizations forgo the managed services model to create an in-house security operation center, believing they can do it themselves. There are many cyber security tools available; however, there are very few trained and certified security engineers, and these tools often rely upon alarms, event notifications, or automated messaging to provide alerts. However, this begs the question, who will be monitoring and mitigating the environment at 3 a.m. on New Year’s Eve? Effective cyber security infrastructure requires extensive resources to reduce the total volume of alerts, alarms and events to an actionable notification which requires mitigation. Vacation, training, sick time, education and retention programs are all factors to consider when creating a security operator center. There is a deficit of security analysts, engineers and architects throughout the cyber security space today. Even if you can hire a strong team of cyber security specialists, security operation centers require at least five to six people to ensure 24/7 coverage.

In addition to the personnel issues, there are also equipment, software updates and proper configuration to consider. True quality deployment will require multiple layers, and the systems will have to be integrated, monitored and managed. In comparison, an organization that outsources its cyber security needs can depend upon systems being maintained and a team of experts to support them. Simply put, organizations should secure their environment through a third-party managed security service. These services are inclusive of EDRs, patching systems, a security information event manager, behavioral analytics and east/west traffic monitoring. At best, with the current staffing shortage, an in-house SOC is an ineffective method to detect, quarantine and/or remediate an infected device and/or network.

Hackers are only becoming more sophisticated and, big or small, no organization can afford to go unprotected. Being aware of these three points is critical in protecting your organization from cyber threats. In the current cyber security environment, there is no room for mistakes.

The Top 3 Cyber Security Mistakes and How to Avoid Them – Cyber Defense Magazine

FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor

September 5, 2021 by Matthew Bryan

This is a good example of knowing your intended target and providing the right context to increase perceived legitimacy, e.g. capitalizing on Microsoft’s recent announcement of Windows 11. Specifically, I thought the following items were interesting and relevant to our upcoming discussion on reconnaissance.

The FIN7 script checked for the following and terminated itself if they were found on the victim’s machine:

  • Eastern European languages in use
  • Running within a virtual environment such as VMware or Virtual Box

The items above would be atypical for their ideal victim. Stopping the script when the above criteria are met helps avoid detection by security researchers and extends the lifespan of the attack.

https://thehackernews.com/2021/09/fin7-hackers-using-windows-11-themed.html

Tagged With: Week 2

Vulnerabilities in Microsoft Exchange

August 30, 2021 by Vanessa Marin

This was an interesting read this week. Three vulnerabilities have been identified in Microsoft Exchange that, if used in combination, allow the user to “perform unauthenticated remote code execution”, easily accomplished via the public-facing web platform of Microsoft Exchange.

Some attackers have already started using the ProxyShell attacks by modifying configurations in applicationHost.config files, in which a new “virtual directory” is set up that tricks the server into hosting files from other locations on the file system. Some attacks leave the web shell open for future use; others have been hit with cryptocurrency miners and another with LockFile ransomware. Yet this is not yet a “centralized, organized and large-scale attack”. The article explains that the pieces/framework are there for an attacker to exploit. It “could” turn into a more critical attack chain if unchecked.

Patching is still being analyzed and decided upon, as this is not to be confused with the vulnerabilities and patches that were applied to the ProxyLogon situation in March. Huntress is advising that businesses apply patches to their Exchange servers through the July 2021 release.

Article: Dark Reading – CISA Warns of Ongoing Attacks Targeting ProxyShell Vulnerabilities – Author: Kelly Sheridan; Published: August 24, 2021

Tagged With: Week 1
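As an added, defender-side example (not code from the article, Huntress, or this post), the following Python check parses an IIS applicationHost.config and flags virtual directories whose physicalPath points outside the web roots an Exchange front-end site is expected to serve from. The sample configuration fragment and the list of expected roots are constructed for illustration and are assumptions, not values from the page.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample applicationHost.config fragment (not taken from any real server).
# The /aspnet_client application maps onto a directory outside the web root, which is
# the kind of "virtual directory" change the post describes.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="%SystemDrive%\\inetpub\\wwwroot" />
        </application>
        <application path="/owa">
          <virtualDirectory path="/" physicalPath="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa" />
        </application>
        <application path="/aspnet_client">
          <virtualDirectory path="/" physicalPath="C:\\Windows\\Temp\\x" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""

# Assumed baseline of directory roots a healthy Exchange IIS site serves from (lower-case).
EXPECTED_ROOTS = (
    r"%systemdrive%\inetpub",
    r"c:\inetpub",
    r"c:\program files\microsoft\exchange server",
)

def find_suspicious_vdirs(config_xml: str) -> List[Tuple[str, str, str]]:
    """Return (site name, application path, physicalPath) for every virtual
    directory whose physicalPath does not start with one of EXPECTED_ROOTS."""
    root = ET.fromstring(config_xml)
    findings = []
    for site in root.iter("site"):
        for app in site.findall("application"):
            for vdir in app.findall("virtualDirectory"):
                phys = vdir.get("physicalPath", "")
                norm = phys.lower().replace("/", "\\")  # normalise case and separators
                if not any(norm.startswith(r) for r in EXPECTED_ROOTS):
                    findings.append((site.get("name", "?"), app.get("path", "?"), phys))
    return findings

if __name__ == "__main__":
    for site, app, phys in find_suspicious_vdirs(SAMPLE_CONFIG):
        print(f"[!] site={site!r} app={app!r} physicalPath={phys!r}")
```

On a real host the same function can be fed the contents of %windir%\System32\inetsrv\config\applicationHost.config, with EXPECTED_ROOTS adjusted to that server's install paths.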

Ragnarok Ransomware Gang Bites the Dust, Releases Decryptor

August 30, 2021 by Ryan Trapp

This article is interesting because the ransomware group has not only shut down but has also decided to release the encryption key for free. This begs the question of why they would do such a thing before shutting down. What motivation do they have to release the key? I personally think that it demonstrates that groups like this are only concerned with making a profit, and because they are shutting down there is no reason for them to hold onto the key. They could have just never released it and been truly “evil” by letting the companies still affected have no way of ever receiving the key, because they are shutting down. This also continues a trend of several other ransomware groups ceasing operations lately, which is something interesting to keep an eye on.

Ragnarok Ransomware Gang Bites the Dust, Releases Decryptor

Tagged With: Week 2

Microsoft Warns of Widespread Phishing Attacks Using Open Redirects

August 29, 2021 by Matthew Bryan

I thought this was interesting and provided a great explanation of the phishing campaign. Using the reCAPTCHA during the link redirects is a good example of building false trust with users in an effort to exploit them.

I also thought the parameter passing approach was particularly devious to avoid detection by email gateways.

Link: Microsoft Warns of Widespread Phishing Attacks Using Open Redirects

Tagged With: Week 1
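As an added, defender-side example (not code from Microsoft's write-up or from this post), here is a Python check of the kind an email gateway or triage script can run over the links in a message: it looks for query parameters whose value is itself an absolute or scheme-relative URL pointing at a host other than the link's own, which is the open-redirect pattern the campaign relied on. The sample links are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs, unquote
from typing import Dict, List, Tuple

# Constructed sample links as they might appear in a message body (not real campaign URLs).
SAMPLE_LINKS = [
    "https://trusted-saas.example/login?next=/dashboard",
    "https://trusted-saas.example/out?url=https%3A%2F%2Fcaptcha-step.example%2Fverify%3Fe%3Duser%40corp.example",
    "https://news.example/article/42",
    "https://trusted-saas.example/r?u=%2F%2Fphish-landing.example%2Fo365",
]

def external_redirects(link: str) -> List[Tuple[str, str]]:
    """Return (parameter name, target host) for each query parameter of `link`
    that carries a URL to a host different from the link's own host."""
    outer = urlparse(link)
    hits: List[Tuple[str, str]] = []
    for name, values in parse_qs(outer.query, keep_blank_values=True).items():
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once; handle a doubly encoded target too
            # A value starting with // is scheme-relative and still leaves the site.
            candidate = "https:" + value if value.startswith("//") else value
            inner = urlparse(candidate)
            if (inner.scheme in ("http", "https") and inner.netloc
                    and inner.netloc.lower() != outer.netloc.lower()):
                hits.append((name, inner.netloc.lower()))
    return hits

def triage_links(links: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each link that redirects off-site to the parameters responsible."""
    return {link: external_redirects(link) for link in links if external_redirects(link)}

if __name__ == "__main__":
    for link, hits in triage_links(SAMPLE_LINKS).items():
        print(f"[!] {link}\n    redirects via {hits}")
```

A hit only means the link hands the browser to another host; the trusted first hop is exactly why such links pass reputation checks, so the final host is the value worth matching against blocklists or sandboxing.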

Sample News Article

August 29, 2021 by Wade Mackey

Here is an article I saw that was interesting to me. The reason I picked this article is that it correctly points out some of the concerns around false positives flagging innocent people for arrest.

While not discussed in the article, there have also been concerns around ethnic bias in the tools as many of the early tools were trained on mostly Caucasian men.

https://www.msn.com/en-us/news/us/federal-government-to-expand-use-of-facial-recognition-despite-growing-concerns/ar-AANKdmh

Tagged With: Week 1

Welcome to MIS 5211 – Introduction to Ethical Hacking

August 23, 2021 by Wade Mackey

Welcome! MIS 5211 students will use this site to post articles and comments during the semester. Projects and the assignments will be posted to Canvas.

Tagged With: Week 1
