
Ethical Hacking

MIS 5211.702 ■ Fall 2020 ■ Wade Mackey

Spear-phishing Attack on Companies Involved in Covid-19 Vaccine Distribution

December 7, 2020 By Vraj Patel

Hackers are targeting companies that are involved in distributing Covid-19 vaccines. According to new research, the attackers have been performing spear-phishing attacks against organizations that distribute Covid-19 vaccines since September 2020. IBM Security X-Force researchers said that the attacks are aimed at the vaccine cold chain: the companies responsible for storing and delivering vaccines at safe temperatures.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert informing organizations that are involved in storing and delivering Covid-19 vaccines to review the indicators of compromise and increase their defenses. It is unclear whether any of the phishing attacks were successful. IBM has said that the attackers are trying to steal credentials for the companies in order to get access to their networks and gain unauthorized access to sensitive information about the Covid-19 vaccines.


References:

Lakshmanan, R. 2020. Hackers Targeting Companies Involved in Covid-19 Vaccine Distribution. Retrieved from: https://thehackernews.com/2020/12/hackers-targeting-companies-involved-in.html

New Week 14 Presentation

December 7, 2020 By Wade Mackey

Intro-to-Ethical-Hacking-Week-14 new

Week 14: In the News

December 6, 2020 By Kyuande Johnson

Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak

A cloud misconfiguration at a popular reservation platform threatens travelers with identity theft, scams, credit-card fraud and vacation-stealing. The misconfigured Amazon Web Services S3 bucket revealed records that include sensitive data and credit-card details. Prestige Software’s “Cloud Hospitality” is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com.

The company was storing years of credit-card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks: “The S3 bucket contained over 180,000 records from August 2020 alone. Many of them related to hotel reservations being made on numerous websites, despite global hotel bookings being at an all-time low for this period.”

Phishing attack to gain Microsoft Teams credentials

November 2, 2020 by Vraj Patel

There is a new phishing email that impersonates an automated email from Microsoft Teams (Zurier, 2020).

The email is sent to the user with the header “There’s new activity in Teams”, and it also includes the content that would be in a real Microsoft Teams automated email. It includes a notification that someone within their team is trying to reach them and urges the user to click on the reply button to reply to that user. Clicking the reply button takes the user to a phishing website that looks similar to the Microsoft Teams login page, including the username and password fields. If the user logs in to the impersonated website, their login credentials as well as the information stored within their account will be compromised.

According to the Abnormal Security blog, corporate users are more likely to fall victim to this phishing email, since they would believe the email originated from their organization and the content of the email is the same as a Microsoft Teams automated email (Zurier, 2020).

References:

Zurier, S. 2020. Attackers prey on Microsoft Teams accounts to steal credentials. Retrieved from: https://www.scmagazine.com/home/security-news/vulnerabilities/attackers-prey-on-microsoft-teams-accounts-to-steal-credentials/

Filed Under: Week 08: Malware

Week #10: Reading Discussions

November 2, 2020 by Mei X Wang

Burp Suite Guide:

  • Burp Proxy: used to intercept traffic between the browser and the target application -> similar to a man-in-the-middle attack.
  • Burp Sitemap and site scope: shows the sitemap and the site scope -> lets you choose the scope of security testing.
    • Displays the various sections of a particular domain (ex. Google).
    • Shows how a search is executed.
  • Burp Spider: used to get a complete list of the URLs and parameters of each site. Looks through each page and finds the links within the testing scope.
    • Using Spider: Proxy and interceptors should be off. -> Manually visiting more pages will give Spider a larger coverage area.

Questions:

  1. Is Burp Suite similar to anything you have used before?
  2. What can be potential issues using this software?

Filed Under: Uncategorized

Week #10: In the News

November 2, 2020 by Mei X Wang

Cyber-criminals Target Naked Zoom Users

Cybercriminals used a floating zero-day security vulnerability in the Zoom app to engage in sextortion scams. Many users, such as TV analyst Jeffrey Toobin, were caught in a sexual act over a video call and the criminal managed to obtain the video recordings. Zoom’s vulnerability allowed attackers to take over the camera and also access metadata from the account.

The criminal sent emails to the victims explaining that he was under duress because he lost his job and had no other choice but to extort money. The scammer’s emails demanded a ransom of $2,000 in bitcoin within 3 days, or the footage would be made public. There has been no public word from Zoom.

Filed Under: Uncategorized

Week 9 Presentation

November 2, 2020 by Wade Mackey

Intro-to-Ethical-Hacking-Week-9

Filed Under: Week 09: Web Application Hacking

Ransomware surge imperils hospitals as pandemic intensifies

November 2, 2020 by Rudraduttsinh

Hackers are stepping up attacks on health care systems with ransomware in the United States and other countries, creating new risks for medical care as the global coronavirus pandemic accelerates. Alerts from US authorities and security researchers highlight a wave of cyberattacks on hospitals coping with rising virus infections. An unusual warning this week from the FBI, together with the Departments of Homeland Security and Health and Human Services, underscored the threat. The three agencies “have credible information of an increased and imminent cybercrime threat to US hospitals and health care providers,” said the alert issued Wednesday, calling on health systems to “take timely and reasonable precautions to protect their networks from these threats.”

Ransomware is a longstanding security issue and health care has been a frequent target. A September attack disrupted Universal Health Services, which operates hospitals in the US and Britain. But security experts say the attacks are accelerating as the pandemic worsens. Researchers at the security firm Check Point said its survey showed health care has been the industry most targeted by ransomware, with a 71 percent jump in attacks on US providers in October from a month earlier. Check Point said there have been significant rises in ransomware attacks on hospitals in Asia, Europe and the Middle East as well. Globally, the firm said ransomware attacks were up 50 percent in the third quarter compared with the first half of this year. Many of the attacks use a strain of ransomware known as Ryuk, which security researchers say may be tied to North Korean or Russian cybercriminals. The US government warning said health organizations are being targeted by phishing attacks to get access to the systems, with hackers using sophisticated tools including TrickBot software, which can harvest credentials and exfiltrate data. The Canadian government’s Cyber Centre issued a similar warning in early October, warning of Ryuk ransomware “affecting multiple entities, including municipal governments and public health and safety organizations in Canada and abroad.” “The ransomware problem is steadily worsening and a solution desperately needs to be found,” said Brett Callow of the security firm Emsisoft.


Filed Under: Week 10: SecuritySheperd

In the News – Week 10: FBI warning: Trickbot and ransomware attackers plan big hit on US hospitals

October 31, 2020 by Anthony Messina

US healthcare providers have been warned that Trickbot malware and ransomware are targeting the sector. Trickbot emerged in 2016 as a banking trojan but evolved into a multi-purpose malware downloader; the systems it infected were sold on to other criminal groups as a service. Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.

The Anchor_DNS backdoor forces infected PCs to communicate with command-and-control servers over DNS to bypass network defense products and hide malicious communications with legitimate DNS traffic.  Anchor_DNS uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string Anchor_DNS can be found in the DNS request traffic.  CISA has now listed several indicators of compromise that security teams should look for.  It notes that the Trickbot malware for Windows copies itself as an executable file with a 12-character (includes .exe), randomly generated filename – for example, mfjdieks.exe – and places this file in the directories, C:\Windows\, C:\Windows\SysWOW64\, and C:\Users\[Username]\AppData\Roaming\.

https://www.zdnet.com/article/fbi-warning-trickbot-and-ransomware-attackers-plan-big-hit-on-us-hospitals/#ftag=RSSbaffb68

Filed Under: Week 10: SecuritySheperd
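The two host- and network-level indicators in the post above (a single-byte XOR with key 0xB9 that hides the string Anchor_DNS in DNS request data, and a 12-character randomly named .exe dropped into C:\Windows\, C:\Windows\SysWOW64\ or C:\Users\[Username]\AppData\Roaming\) can both be turned into a simple check. The script below is an added example written for this page, not code from the post, the ZDNet article or CISA; the DNS payload bytes and the file inventory are constructed, and the assumption that the random part of the filename is alphanumeric (as in mfjdieks.exe) is the editor's.

```python
import re
from pathlib import PureWindowsPath

# Anchor_DNS single-byte XOR key as reported in the post.
ANCHOR_KEY = 0xB9
MARKER = b"Anchor_DNS"


def xor_decode(data: bytes, key: int = ANCHOR_KEY) -> bytes:
    """Apply a single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_like_anchor_dns(payload: bytes) -> bool:
    """True if the payload, decoded with the reported key, contains the marker string."""
    return MARKER in xor_decode(payload)


# Constructed sample: what the data carried in a DNS request would look like after
# the client XOR-encoded "...Anchor_DNS..." with 0xB9. The bytes around the marker
# are invented filler, not captured traffic.
SAMPLE_ENCODED = xor_decode(b"id=42;" + MARKER + b";cmd=0", ANCHOR_KEY)
SAMPLE_BENIGN = b"www.example.test"

# Trickbot drops a copy named <8 random characters>.exe (12 characters including
# the extension) into the directories below, per the post. Assumption: the random
# part is alphanumeric, as in the sample name mfjdieks.exe.
DROP_NAME = re.compile(r"^[a-z0-9]{8}\.exe$", re.IGNORECASE)


def in_trickbot_drop_dir(path: PureWindowsPath) -> bool:
    """True if the file sits directly in one of the three directories named in the post."""
    parent = path.parent
    parts = [p.lower() for p in parent.parts]
    # C:\Users\<any user>\AppData\Roaming
    if (len(parts) == 5 and parts[0] == "c:\\" and parts[1] == "users"
            and parts[3] == "appdata" and parts[4] == "roaming"):
        return True
    return str(parent).lower() in {r"c:\windows", r"c:\windows\syswow64"}


def suspicious_paths(paths):
    """Return the paths whose name and location both match the Trickbot copy pattern."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if DROP_NAME.match(wp.name) and in_trickbot_drop_dir(wp):
            hits.append(p)
    return hits


# Constructed file inventory, as a host-based check might enumerate it.
SAMPLE_PATHS = [
    r"C:\Windows\mfjdieks.exe",                     # matches name and directory
    r"C:\Users\jdoe\AppData\Roaming\qwerasdf.exe",  # matches
    r"C:\Windows\notepad.exe",                      # 11 characters, not 12
    r"C:\Program Files\Vendor\mfjdieks.exe",        # right name, wrong directory
    r"C:\Windows\SysWOW64\kernel32.dll",            # not an .exe
]

if __name__ == "__main__":
    print("Anchor_DNS marker in sample payload:", looks_like_anchor_dns(SAMPLE_ENCODED))
    print("Anchor_DNS marker in benign payload:", looks_like_anchor_dns(SAMPLE_BENIGN))
    print("suspicious files:", suspicious_paths(SAMPLE_PATHS))
```

A filename match on its own is weak evidence (any eight-letter program name in C:\Windows would trip it), so the check requires both the name pattern and one of the listed directories, and a real deployment would add the hash-based indicators from the CISA list before alerting.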

Week 10 Readings

October 31, 2020 by Anthony Messina

Readings this week had a concentration in Burp Suite and injection attacks.  Injection attacks have dominated the top of web application vulnerability lists for much of the past decade.  XSS remains the most prevalent vulnerability, while SQL injection is the most often exploited of these vulnerabilities.  Injection attacks are preferred by malicious users as a way to obtain restricted data from a back end database or to embed malicious code onto a web server that will in turn serve up malware to unsuspecting clients.


Questions for the class:

What is an example of a SQLi?  Meaning what input would the attacker put in the URL to try a SQLi?

Filed Under: Week 10: SecuritySheperd
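The question above asks what makes an SQL injection possible. The root cause is a query assembled by string concatenation, so that user input becomes part of the SQL text instead of staying a value. The snippet below is an added example for this page, not code from the post or from Security Shepherd: it shows the vulnerable lookup beside the parameterized one, using an in-memory SQLite database and a constructed user table, and demonstrates the structural difference with an ordinary name that contains an apostrophe rather than with an attack string.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("o'brien", "ob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the caller's string is spliced into the statement text, so any
    # quote or SQL syntax it contains changes the structure of the query.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized: the driver passes the value separately from the SQL text,
    # so it is always compared as data and can never be parsed as SQL.
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (name,))]


def concatenation_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenated query no longer parses for this input: the same
    property an injection relies on, observed here with a harmless apostrophe."""
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("safe lookup:", lookup_safe(db, "o'brien"))
    print("concatenated query breaks on apostrophe:", concatenation_breaks(db, "o'brien"))
```

The concatenated version cannot even look up a legitimate user named O'Brien, because the apostrophe terminates the string literal early; an attacker uses exactly that property to append their own SQL. Parameterized queries (prepared statements) remove the problem at the source, which is why they are the standard fix rather than input filtering.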

Credential Stuffing Attacks

October 27, 2020 by Vraj Patel

A credential stuffing attack is a form of attack that takes a username/password stolen from one website and uses those credentials to log in to other websites. Attackers use specific tools to send the credentials stolen from one website to other websites. This type of attack succeeds in gaining access to other people’s accounts because many people use the same credentials for multiple websites.

A credential stuffing attack works by the attacker first obtaining credentials from a previous data breach. The attacker then uses specific software to inject those and hundreds or thousands of other credentials into the targeted websites. Once the attacker is able to access a user’s account, the attacker can get all of the user’s personal information that is saved in that account.

There are many ways to save your accounts from a credential stuffing attack. One way to protect an account is to use a different password for every account. Another way to protect an account from this attack is to use multi-factor authentication.


Reference:

Bannister, A. 2020. Credential stuffing attacks: How to protect your accounts from being compromised. Retrieved from: https://portswigger.net/daily-swig/credential-stuffing-attacks-how-to-protect-your-accounts-from-being-compromised

Filed Under: Week 07: Social Engineering
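The post above describes the attacker side (a tool replaying thousands of breached credentials) and the user-side defences. From the site operator's side, the same behaviour is visible in the authentication log: one source trying many different accounts in a short window, most of them failing. The script below is an added example for this page, not code from the post or the PortSwigger article; the log lines are constructed, and the thresholds (five distinct accounts and a 60 percent failure rate within five minutes) are illustrative choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): timestamp, source IP, username, result.
# The first six lines show one source walking through many accounts, the pattern
# a credential stuffing tool leaves behind; the last two show a normal user
# mistyping a password once and then succeeding.
SAMPLE_LOG = """\
2020-10-27T10:00:01 203.0.113.7 alice FAIL
2020-10-27T10:00:02 203.0.113.7 bob FAIL
2020-10-27T10:00:02 203.0.113.7 carol FAIL
2020-10-27T10:00:03 203.0.113.7 dave OK
2020-10-27T10:00:04 203.0.113.7 erin FAIL
2020-10-27T10:00:04 203.0.113.7 frank FAIL
2020-10-27T10:05:00 198.51.100.4 grace FAIL
2020-10-27T10:05:30 198.51.100.4 grace OK
"""


def parse_line(line: str):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def find_stuffing_sources(log_text: str, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.6) -> dict:
    """Return {ip: (distinct_users, failures, attempts)} for every source that, within
    some sliding window, tried at least min_users distinct accounts with a failure
    rate of min_fail_ratio or more. Values reflect the last window that qualified."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event[1]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            users = {e[2] for e in in_window}
            failures = sum(1 for e in in_window if e[3] == "FAIL")
            if len(users) >= min_users and failures / len(in_window) >= min_fail_ratio:
                flagged[ip] = (len(users), failures, len(in_window))
    return flagged


if __name__ == "__main__":
    for ip, (users, fails, total) in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {users} accounts, {fails}/{total} failures -> likely credential stuffing")
```

Note that the flagged source had one successful login among its failures; that is the reused password the attacker was looking for, and the reason the post's two defences matter: unique passwords make the replay fail, and multi-factor authentication stops the one that would otherwise have succeeded.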

Week #9: In the News

October 26, 2020 by Mei X Wang

Nando’s Customers Hit by Credential Stuffing Attacks

The popular chicken chain Nando’s has been cyber-attacked; attackers hijacked online accounts to place large orders. Due to covid-19, the restaurant industry has been attempting to find ways to optimize service while restrictions are in place, such as QR codes and online ordering. Most orders are made online and picked up using a QR code in-store; however, attackers have used a tactic called “credential stuffing”. By using stolen customer credentials from elsewhere, they can use the same information to access the customer’s Nando’s account. Since then, Nando’s has promised to reimburse customers for any fraudulent orders.

Between July 2018 and June 2020, there were 64 billion credential stuffing attempts in the retail, hospitality, and travel sectors. This can be remediated by having MFA on accounts or even just using different passcodes for each account.

*I thought this was interesting because I was also hacked using a fake KFC account*


https://www.infosecurity-magazine.com/news/nandos-customers-hit-credential/

Filed Under: Uncategorized

Week #9 Reading Discussions: OWASP Top 10

October 26, 2020 by Mei X Wang

OWASP Top 10

  • Broken authentication: when authentication and session management are implemented incorrectly, attackers can compromise users’ credentials and exploit their identities. I see this happen frequently, and there are industry standards, such as lock-out policies and session timeouts, that can help mitigate this security risk. However, many organizations fail to do so because they are unaware of the severity of these flaws.
  • Broken access control is when restrictions on authenticated users are not properly enforced. From a security standpoint, less is more. Administrative privileges should be limited to the admins of the system; if a standard user’s credentials were hacked and access controls weren’t in place, the scope of the damage would increase significantly.


Questions

  1. What security risk have you encountered? Or what do you think can lead to the most damage?
  2. What are some mitigation tactics companies can have to protect themselves against these risks?

Filed Under: Uncategorized
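The two mitigations the post above names for broken authentication, lock-out policies and session timeouts, are small enough to show in full. The class below is an added example for this page, not code from the post or from OWASP; it tracks consecutive failed logins per account, locks the account for a fixed period once the limit is hit, and expires any session that stays idle past the timeout. Time is passed in as seconds so the behaviour can be checked deterministically; the limits (5 failures, 15 minute lock, 30 minute idle timeout) are illustrative values.

```python
import secrets


class AuthPolicy:
    """Account lock-out after repeated failures plus an idle-session timeout.
    All times are seconds from any monotonic clock, supplied by the caller."""

    def __init__(self, max_failures=5, lockout_seconds=900, idle_seconds=1800):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.idle_seconds = idle_seconds
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> time at which the lock expires
        self._sessions = {}      # token -> (user, last activity time)

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0)

    def login(self, user: str, password_ok: bool, now: float):
        """Return a session token on success, None otherwise. A locked account is
        refused even with the correct password, so a guesser cannot confirm a hit
        during the lock-out window."""
        if self.is_locked(user, now):
            return None
        if not password_ok:
            count = self._failures.get(user, 0) + 1
            if count >= self.max_failures:
                self._locked_until[user] = now + self.lockout_seconds
                count = 0  # start fresh once the lock expires
            self._failures[user] = count
            return None
        self._failures.pop(user, None)  # success resets the failure counter
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = (user, now)
        return token

    def session_user(self, token: str, now: float):
        """Resolve a token to its user, discarding sessions idle longer than the limit.
        Each successful use refreshes the idle timer."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.idle_seconds:
            del self._sessions[token]
            return None
        self._sessions[token] = (user, now)
        return user


if __name__ == "__main__":
    policy = AuthPolicy(max_failures=3, lockout_seconds=900, idle_seconds=1800)
    for t in range(3):
        policy.login("mei", False, t)  # three wrong passwords in three seconds
    print("locked after 3 failures:", policy.is_locked("mei", 3))
    print("correct password while locked:", policy.login("mei", True, 60))
    token = policy.login("mei", True, 1000)
    print("login after lock expired:", token is not None)
    print("session still valid at +20 min:", policy.session_user(token, 2200) == "mei")
    print("session after 31 idle minutes:", policy.session_user(token, 4100))
```

Two details matter in practice: the lock-out is keyed on the account rather than the source address, because credential stuffing comes from many addresses, and the session token comes from `secrets` rather than anything derived from the username or time, so session management is not the weak link the post warns about.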

