Uncategorized

An interesting article has been written by SAM IoT Security Lab, regarding the VPN service being deployed using Fortigate’s VPN appliances.
A Shodan search turned up more than 230,000 vulnerable FortiGate appliances using the VPN functionality, researchers found. Out of those, a full 88 percent, or more than 200,000 businesses, are using the default configuration and can be easily breached in an MitM attack.
In the case of the FortiGate router, it uses a self-signed, default SSL certificate, and it uses the router’s serial number to denote the server for the certificate.
While the issue exists in the default configuration of the FortiGard SSL-VPN client, Fortinet does not consider the issue to be a vulnerability, because users have the ability to manually replace the certificate in order to secure their connections appropriately.

This week’s reading article introduces us to ‘Netcat’ which has proven to be a very important tool for IT security admins in maintaining the security of their networks. Netcat is a Linux utility program which is used for reading and writing data using TCP and UDP protocols across networks. Netcat is very strong in creating connections using port filtering, with network devices, hence it is also used as a network debugging tool. The article illustrates further on various uses or circumstances in which netcat can be used by security admins as well as the relevant syntax which is used for carrying out specific actions using this tool.

Netcat= The TCP/IP Swiss Army Knife

• Netcat is used to write and read data across TCP/UDP network connections. It can be used to debug and explore target networks. It can create just about any network connections.
• Netcat can be used to scan ports, test firewalls, proxy gateways, script backends, and more.
• Using NetCat to remote command prompt: “nc -1 -p1234 -d -e cmd.exe -L”
  • Using Netcat to listen to port 1234, while running detached from the console, and execute command prompt when the connection is made.

 

1. NetCat is an extremely useful tool because it not only can scan for open ports, but it can also utilize these open ports to take over the target machine. What precautions can be made to avoid being exploited?
2. What are some ways hackers are able to hide NetCat on the target system?

Four former eBay executives have pleaded guilty for cyber-stalking and intimidating a Massachusetts couple. The married couple works as an editor and publisher; in their online newsletter, they wrote posts criticizing eBay. These executives retaliated by sending parcels such as bloody pig masks, live spiders, cockroaches, books on surviving the death of a spouse, funeral flowers, and pornographic magazines to their home. They even went as far as creating fake social media accounts threatening the couple and posting fake events that are supposedly happening at the couple’s home.

The defendants have all plead guilty to the crime and are among six former senior employees charged. Court documents have shown they even have the conspiracy to tamper with witnesses and commit more cyber-stalking.

LockBit was first discovered in September 2019 under the name of .AbCD virus. They have evolved in leaps and bounds since then. A common methodology of this cyber crime gang is to target organizations which do not deploy two factor authentication or weak encryption algorithms for their VPN connectivity.
Another cybercrime gang, Maze, host some of the stolen data by LockBit on their servers, suggesting a collaboration between these two gangs. According to McAfee, LockBit mostly targets organizations located in the U.S., the U.K, France, Ukraine, Germany, India, China, and Indonesia.

References:
https://cyware.com/news/lockbit-a-new-entrant-taking-big-leaps-23850c68

This week’s reading article summarized, the importance of performing in house scanning of IT Systems by organizations for vulnerabilities, to be up to date with the ever-changing threat landscape. The tool chosen in this article is Nessus, because of the automation it brings to ensure security of IT systems.
Nessus is freeware and does not require much processing power for hardware, it can be deployed on several systems throughout the network to scan different segments. The article delineates further on the installation and setup of Nessus tool. The scanner finds all the vulnerabilities associated with the plugins which are set before the scan is run, hence appropriate attention should be given in configuring Nessus. Discovered vulnerabilities are generally indicators of flawed security practices and policies. Hence it is important to evaluate the results of these vulnerability scans and close these vulnerabilities as per the risk appetite of the organization. The article also emphasizes that even though automated scanning tools like Nessus can help organizations in finding and remediating knows exploits and vulnerabilities, however, it is the security policies and good practices followed in the organization which are most important in securing the information.

Proactive Vulnerability Assessment w/ Nessus

• Nessus is an open-sourced free vulnerability scanner tool, it can be configured to auto-update when new vulnerabilities are discovered (900+ at the moment), beating even proprietary scanners. Plug-ins can be used to not only scan for existing vulnerabilities but also provide descriptions and instructions on how to fix it. ->can be seen as a “hacker tool”, finds vulnerabilities by exploiting them, and may crash the system.
• Nessus may also run into false positives if the target system is behind a firewall/packet filter device. A port scan can be changed to run against 65535 ports, not just the first 15000. It works as an initial scanner, showing POSSIBLE vulnerabilities. Further analysis should be done to see if they’re false positives or actual vulnerabilities(and what remediation needs to be done).

 

Discussion Questions:

1. Has anyone worked with using Nessus before? If so, what was your experience like?
2. Nessus can be used by both the “good guys”/”bad guys” to test the system. Using the reports, the “bad guys” can also find what to exploit. Are there any ideas about what can be done to get around that?

In the UK, educational institutions have been the target of many ransomware attacks. Due to the pandemic, there has been a heavy surge of reliance on using technology. Hackers are taking advantage of these circumstances and recent incidents have “observed more remote desktop protocols, unpatched software/hardware being utilized, and use of phishing emails to deploy ransomware”. They have also sabotaged any chances of backups or auditing devices that can be used to recover stolen data by encrypting virtual servers and using shell environments to deploy attacks. The complexity and scope of devices and environments colleges use makes it extremely difficult to monitor the system as a whole. The National Cyber Security Centre advises these institutions to have better vulnerability management and patching procedures, also to have safety protocols such as multi-factor authentication, enabling anti-virus, and phishing prevention training.

Source: https://www.infosecurity-magazine.com/news/universities-ransomware-attacks/

Google Chrome to add new features to protect against phishing attacks

Looking at the usefulness of Google in reconnaissance activities this week, I wanted to bring to light the latest development made by Google for safe browsing.

Google is working to add a feature to Google Chrome that warns users about similar or lookalike URLs that users may visit thinking they are legitimate sites.

This new feature will alert users when they visit URLs that pretend to lookalike a legitimate URL. For example, Appl3[.]com, tw1tter[.]com, m1crosoft[.]com.

Even though these features are currently available only in ‘Chrome Canary 74’, these are massive strides in the direction of safe internet browsing.

References:

https://cyware.com/news/google-to-add-a-feature-to-chrome-that-warns-users-about-lookalike-urls-481786c6

https://community.mis.temple.edu/mis5211sec702fall2020/2020/09/13/6661/