Ethical Hacking

MIS 5211.702 ■ Fall 2020 ■ Wade Mackey

Mei X Wang

In the News: Attackers Chaining Zerologon with VPN Exploits

October 12, 2020 by Mei X Wang

A newly discovered APT attack has been combining VPN exploits with the Zerologon bug. It is considered a serious threat because the vulnerabilities are exploited to gain access to networks. The aftermath of the attacks is still being observed, but the bug is first used to gain initial access to Active Directory. Then, using the stolen legitimate credentials, the attackers are able to connect to virtual environments through RDP and VPN. There is talk that this might have some influence over the upcoming election, as many government and non-government agencies are being attacked. Tracked activity shows that the attackers target multiple sectors, not just SLTT entities; CISA and the FBI are identifying mitigation techniques and pushing out best practices to decrease the risk of an attack.

 

https://www.infosecurity-magazine.com/news/attackers-chaining-zerologon-with/

In the News: Ransomware Disrupts COVID-19 Medical Trials

October 5, 2020 by Mei X Wang

On September 20, eResearch Technology (ERT) was attacked. The company specializes in clinical services: it collects, analyzes, and distributes electronic patient-reported outcomes. Many companies were using this technology to track clinical trials of COVID-19 treatments. Due to the attack, researchers had to revert to pen and paper to track outcomes, which delayed the trials being conducted. Other healthcare companies affected by ransomware attacks are IQVIA (hired to assist AstraZeneca’s COVID vaccine trials) and Bristol-Myers Squibb (a drug manufacturer). Since then, the company has taken its systems offline and the incident has been reported to the FBI. However, no perpetrators have been linked to the attack yet, and there is no conclusive information about whether the ransom was met or how much was asked for.

 

https://www.infosecurity-magazine.com/news/ransomware-disrupts-covid19/

WK #5: Reading Discussions

September 24, 2020 by Mei X Wang

Netcat: The TCP/IP Swiss Army Knife

  • Netcat is used to write and read data across TCP/UDP network connections. It can be used to debug and explore target networks, and it can create just about any kind of network connection.
  • Netcat can be used to scan ports, test firewalls, proxy gateways, script backends, and more.
  • Using Netcat to serve a remote command prompt: “nc -l -p1234 -d -e cmd.exe -L”
    • Netcat listens on port 1234, runs detached from the console, and executes the command prompt when a connection is made.

 

  1. Netcat is an extremely useful tool because it can not only scan for open ports but also use those open ports to take over the target machine. What precautions can be taken to avoid being exploited?
  2. What are some ways hackers are able to hide Netcat on the target system?
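
One answer to the first question from the detection side, as an added example (not from the reading or the original post): a check over process-creation command lines that flags a netcat-style listener handing its connection to a command interpreter, which is the pattern in the command above. The event records, host names and function names are constructed for illustration.

```python
import shlex

SHELLS = {"cmd", "cmd.exe", "powershell.exe", "sh", "bash"}
# Constructed sample process-creation records (hypothetical hosts).
EVENTS = [
    {"host": "WS01", "cmdline": "nc -l -p1234 -d -e cmd.exe -L"},
    {"host": "WS02", "cmdline": "nc -zv 10.0.0.5 443"},       # client-side port check
    {"host": "LNX03", "cmdline": "nc -lvp 9001 -e /bin/sh"},
    {"host": "LNX04", "cmdline": "nc -l -p 8080"},            # listener, nothing executed
]

def parse_nc_args(cmdline):
    """Return (listen, port, exec_target, persistent) for a netcat-style command line."""
    tokens = shlex.split(cmdline, posix=False)[1:]  # drop the program name
    listen = persistent = False
    port = target = None
    i = 0
    while i < len(tokens):
        flags = tokens[i][1:] if tokens[i].startswith("-") else ""
        for pos, ch in enumerate(flags):
            if ch in "lL":  # -L on the Windows build re-listens after a disconnect
                listen = True
                persistent = persistent or ch == "L"
            elif ch in ("p", "e"):  # option takes a value, attached or in the next token
                value = flags[pos + 1:]
                if not value and i + 1 < len(tokens):
                    i += 1
                    value = tokens[i]
                if ch == "p":
                    port = int(value) if value.isdigit() else None
                else:
                    target = value
                break
        i += 1
    return listen, port, target, persistent

def is_shell(target):
    return target.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower() in SHELLS

def find_shell_listeners(events):
    hits = []
    for ev in events:
        listen, port, target, persistent = parse_nc_args(ev["cmdline"])
        if listen and target and is_shell(target):
            hits.append((ev["host"], port, target, persistent))
    return hits

if __name__ == "__main__":
    print(find_shell_listeners(EVENTS))
```

The check keys on the argument pattern (listen plus execute) and leaves the plain listener and the client-side port check unflagged.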

WK #5: eBay Execs Plead Guilty to Cyber-Stalking

September 24, 2020 by Mei X Wang

Four former eBay executives have pleaded guilty to cyber-stalking and intimidating a Massachusetts couple. The married couple work as an editor and a publisher; in their online newsletter, they wrote posts criticizing eBay. The executives retaliated by sending parcels containing items such as bloody pig masks, live spiders, cockroaches, books on surviving the death of a spouse, funeral flowers, and pornographic magazines to their home. They even went as far as creating fake social media accounts to threaten the couple and posting fake events supposedly happening at the couple’s home.

The defendants have all pleaded guilty to the crime and are among six former senior employees charged. Court documents show they even conspired to tamper with witnesses and commit more cyber-stalking.

Wk #4 Reading Discussion

September 17, 2020 by Mei X Wang

Proactive Vulnerability Assessment w/ Nessus

  • Nessus is a free, open-source vulnerability scanner. It can be configured to auto-update when new vulnerabilities are discovered (900+ at the moment), beating even proprietary scanners. Plug-ins can be used not only to scan for existing vulnerabilities but also to provide descriptions and instructions on how to fix them. It can be seen as a “hacker tool”: it finds vulnerabilities by exploiting them and may crash the system.
  • Nessus may also produce false positives if the target system is behind a firewall or packet-filtering device. A port scan can be changed to run against all 65535 ports, not just the first 15000. Nessus works as an initial scanner, showing POSSIBLE vulnerabilities. Further analysis should be done to determine whether they are false positives or actual vulnerabilities (and what remediation needs to be done).

 

Discussion Questions:

  1. Has anyone worked with using Nessus before? If so, what was your experience like?
  2. Nessus can be used by both the “good guys” and the “bad guys” to test a system. Using the reports, the “bad guys” can also find what to exploit. Are there any ideas about what can be done to get around that?

Wk #4: Universities Face Increase in Ransomware Attacks as Students Return

September 17, 2020 by Mei X Wang

In the UK, educational institutions have been the target of many ransomware attacks. Due to the pandemic, there has been a heavy surge in reliance on technology. Hackers are taking advantage of these circumstances, and recent incidents have “observed more remote desktop protocols, unpatched software/hardware being utilized, and use of phishing emails to deploy ransomware”. They have also sabotaged any chance of using backups or auditing devices to recover stolen data by encrypting virtual servers and using shell environments to deploy attacks. The complexity and scope of the devices and environments colleges use make it extremely difficult to monitor the system as a whole. The National Cyber Security Centre advises these institutions to improve vulnerability management and patching procedures, and to adopt safety measures such as multi-factor authentication, anti-virus, and phishing prevention training.

Source: https://www.infosecurity-magazine.com/news/universities-ransomware-attacks/

Week #3 Reading Discussions

September 4, 2020 by Mei X Wang

Using Open Source Reconnaissance Tools for Business Partner Vulnerability Assessment

  • Using a Google search of “intitle:index.of "Apache 2.2.22at "”, we can find all servers using that version of Apache. When you attach a site name, queries can surface vulnerable software or sensitive information (passwords, scans, files) on that site. This can be done using any search engine.
  • If your searches are flagged, Google can prompt you to solve a captcha puzzle. Google can also freeze all search activity on your network if it decides there is a botnet on the server.

 

What software can be used to test sites against malware/spam?

What tools can be used to non-intrusively perform a vulnerability assessment?

Week #1 Reading Discussions

September 4, 2020 by Mei X Wang

Basics of computer networking

  • Differences between an open system and a closed system: why would anyone use a closed system if it can’t be connected to a network or communicated with? Computer networks include the devices and also the things that help connect the devices, such as routers and switches.

How can the MAC address help incriminate an electronic device compared to just using the IP Address?

How can you use the IP address to physically locate the electronic device?

Intro to basic networking terminology

  • To facilitate the connection between two parties, a number of protocols have to be in place so the products can communicate and share information. A number of protocols working together are called protocol suites or stacks.

Why would it be useful to have network reference models developed for products (from different manufacturers)?

Why would VPNs be useful to you?

Layers of OSI

  • The physical layer is the one responsible for the connection of devices and also for translating data to 0s and 1s. The physical layer is required to translate, and then the data link layer pieces the message back together.

Which layer would be most important to ensure the connection is secure? What’s the use of the dialog controller?

TCP/IP

  • The application layer of the TCP/IP model performs the functions of the top three layers of OSI: Application, Presentation, and Session. TCP/IP model protocols are not easily replaced and can only provide connectionless services.

What are the key differences between layers of OSI and layers of TCP/IP models?

WK #3: Sophisticated Phishing Scam Targeting Lloyds Bank Customers

September 4, 2020 by Mei X Wang

Lloyds Bank, one of the largest banks in England and Wales, fell victim to an elaborate phishing scam. Clients were sent emails and text messages warning that their accounts would be shut off unless they logged in to verify their credentials. The attacker set up a realistic site that contained official wording, logos, and personalized details to trick users into believing it was legitimate. Phishing is one of the most easily used social engineering attacks; many clients who are untrained in identifying the signs are easily led into giving up their PII. In July, HSBC Bank also faced a similar attack that prompted users to give up their credentials.

https://www.infosecurity-magazine.com/news/phishing-scam-lloyds-bank-customers/

 

Discussion Questions:

  1. What is the target demographic for phishing attacks?
  2. How can companies resolve the issue internally as well? (As many employees are also susceptible to these attacks)

Tesla Was Target of Russian Ransomware Conspiracy

August 29, 2020 by Mei X Wang

Tesla was confirmed to be the target of a ransomware conspiracy by Russian hacker Egor Igorevich Kriuchkov (Muncaster 2020). He approached a Tesla worker and teamed up to deploy malware that could help steal sensitive data; the firm would be required to pay up for the lost information or risk it going public.

The malware was to be deployed by the insider with network access, and there was a separate DDoS attack made to distract Tesla’s IT team. Kriuchkov first approached the Tesla employee via WhatsApp before meeting with them socially and offering $1m to help with the plot.

Apparently Kriuchkov had run successful schemes before and had received over $4m in payouts from other corporations. This reinforces the importance of ransomware victims refusing to pay, as paying leads to more leverage to exploit.

Muncaster, P. 2020. Tesla Was Target of Russian Ransomware Conspiracy. Retrieved from: https://www.infosecurity-magazine.com/news/musk-tesla-target-russian/

Discussion Questions:

  1. What type of screening does Tesla require for their employees?
  2. How can they better train their workers on social engineering and is there any incentive to be the “whistleblower”?
