Cyber Shield blogs
Turning threat intelligence into cyber insight
- Cyber threats
Writeup Drive Hackthebox
Writeup Drive Hackthebox The aim of this write-up is to explain how to carry out the enumeration process used in a pentest and the various methods used to gain access to the machine, then escalate privileges. All commands will be explained in detail, as will the choices made. The first step is to launch the scanning phase. To do this, we'll run an Nmap scan. To begin with, we'll run a simple Nmap scan with the following parameters: -sC: runs the default script set for service information and vulnerability detection. -sV: determines the versions of services running on open ports, which can help identify vulnerabilities associated with specific software versions. -p-: tests all 65,535 ports to ensure that none are missed. Nmap identified two open ports: SSH and HTTP. Our priority will be to explore the HTTP port first. This decision stems from our assessment of the difficulty of the challenge, which clearly indicates the absence of default credentials. Furthermore, the use of brute-force techniques or automated exploits is not considered the appropriate method in this context. Doodle Drive, present on the HTTP port, is a file-sharing service: We don't

- Vulnerabilities
Citrix NetScaler flaw exposing sensitive data
Citrix NetScaler flaw exposing sensitive data Introduction On 10 October 2023 Citrix Systems released a security bulletin for one critical and one high-severity vulnerability. The critical vulnerability, identified as CVE-2023-4966, was discovered in Citrix NetScaler ADC and NetScaler Gateway and is categorized as "sensitive information disclosure." This flaw, with a significant CVSS score of 9.4, poses a risk to the security framework of the affected systems. Key Takeaways NetScaler ADC and NetScaler Gateway exhibit a critical vulnerability tied to an unauthenticated buffer overflow, identified as CVE-2023-4966. This flaw, causing sensitive information disclosure in certain configurations (Gateway or AAA virtual server), holds a high CVSSv3 score of 9.4, emphasizing its critical nature. A patch addressing this issue is now available, mitigating the risks associated with the unauthenticated buffer overflow. Given the critical severity, this vulnerability is notably concerning, as attackers frequently target Citrix products, which are often deployed within large organizations possessing valuable assets. Recommendations Users of NetScaler ADC and NetScaler Gateway are advised to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible. No mitigation methods were provided by the vendor. Technical details Citrix NetScaler ADC and NetScaler Gateway are affected

- Vulnerabilities
Using EDR telemetry for offensive research
Using EDR telemetry for offensive research About EDR EDR – Endpoint Detection and Response – is a type of security solution with agents running on endpoints (workstations, servers, etc.). Its first role is the detection of incidents and threats. The second role is response, not only through automatic prevention but also by giving Blue Teams the ability to perform various actions on endpoints, such as downloading samples, dumping memory, or isolating the host from the network. EDRs have become a game changer in the cybersecurity landscape, with their origins dating back about a decade. This article explores the notion of using EDR telemetry as a source of knowledge on software behaviors, and how to query that source to find potential security vulnerabilities. Telemetry To monitor systems for threats and malicious activities, EDRs collect a relatively broad set of event information, commonly referred to as EDR telemetry. Those events include, but are not limited to, process creation (and termination), file creation/modification/removal, network connections, registry operations, various system events, etc. In the rest of the article, I refer to them as base events. The exact list of supported base events, their names, properties, and the information they provide varies between vendors. The telemetry from each endpoint is

- Vulnerabilities
Roaming and racing to get SYSTEM – CVE-2023-37250
Roaming and racing to get SYSTEM – CVE-2023-37250 Introduction In my previous blog post (Creating Persistent Local Privilege Escalation with Temporarily Elevated Legitimate Installers) I mentioned potential local privilege escalation issues based on the pattern of highly privileged processes executing code from files controlled by regular users. One such example that caught my attention was the Windows version of Parsec (150.88.0.0 and earlier), a remote desktop solution owned by Unity Inc. After deployment, there is a component running as a service with NT AUTHORITY/SYSTEM privileges, created from the C:\Program Files\Parsec\parsecd.exe executable (the default installation path). The user-facing component, docked in the system tray and providing the interface, is also started from the same executable - but interactively, by regular users. So, whenever a regular user wants to use Parsec, they create their own instance of parsecd.exe with their own privileges and Medium integrity, while another instance of parsecd.exe is already running as a service with SYSTEM integrity. In the affected version, upon user initialization, both instances load a DLL file named parsecd-150-87d.dll, located in the %APPDATA%\Roaming\Parsec directory of the regular user who initiated the process (e.g. C:\Users\john\AppData\Roaming\Parsec

- Incident response
Outlaw APT group - From initial access to crypto mining
Outlaw APT group - From initial access to crypto mining Foreword Eviden Digital Security regularly performs incident response and gathers information on various groups of attackers. In the summer of 2022, a company discovered that one of its machines was performing SSH brute-force attempts and scanning ports on external targets. The company contacted Eviden Digital Security to manage the crisis and remediate the incident. The Eviden Incident Response Team gathered information about malicious activities on the victim’s machine, which revealed that one of the company’s servers had been used to mine Monero with the XMRig cryptominer. The Eviden Incident Response Team attributed the attacks to the Outlaw threat actor with a high level of confidence. Attribution was performed by linking information from Eviden public and private sources to the Indicators of Compromise (IoCs) as well as to the Tactics, Techniques and Procedures (TTPs) observed on the machine. This article describes the results of the investigations conducted on this group, its modus operandi and its attack campaigns. Threat overview The Outlaw threat group is a cryptocurrency mining threat actor that was first identified by TrendMicro researchers in November 2018. The group is believed to originate in Romania, based on the language, tools and infrastructure it

- Cyber threats
Insider Threat – What if the Big Bad Wolf was already in?
Insider Threat – What if the Big Bad Wolf was already in? Insider threat is considered one of the top-10 concerns in cyberspace in 2023. It is as prominent a cause of concern as external attacks. According to the Ponemon Institute, insider threat incidents have risen 44% over the past two years. The cost per incident has also gone up by more than a third, to US$15.38 million. Even worse, over 70% of insider attacks are not publicly reported, so we may not have a clear picture of how many of them occur and what damage they cause. Insiders as a threat Cyberattacks are initiated and carried out by human beings. Technology is only a tool in their hands. The term insider covers several kinds of actors: employees, organization members, and those to whom the organization has given sensitive information and access, but also contractors, vendors, custodians, or repair persons. Basically, anyone the organization has given access to sensitive information is considered an insider. The phenomenon of insider threat is twofold. Insiders are considered both non-hostile threat agents (e.g. distracted employees) and hostile ones (e.g. disgruntled employees). The

- Cyber threats
CA/Browser Forum S/MIME Certificate Requirements: what is it and what to do about it?
CA/Browser Forum S/MIME Certificate Requirements: what is it and what to do about it? Introduction Protecting email is an often overlooked but sometimes necessary feature. Email can be encrypted to prevent anyone but the recipient from reading it, and signed to prevent people from altering or forging the content. S/MIME certificates are the way to sign and encrypt email. The new CA/Browser Forum Requirements A key standards body when it comes to public certificates is the CA/Browser Forum, which consists of over 50 public CA members and over 10 consumer members, the latter including among others the four leading browser suppliers: Apple, Google, Microsoft, and Mozilla. This forum produces globally adopted requirements for certificates, for public CAs and sometimes for the validation of certificates. On January 1st, 2023, the forum published the new Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates. The requirements become effective September 1st, 2023 and apply to certificates issued by public PKIs after that date. This is the first set of requirements for this type of certificate written by the CA/Browser Forum. The most important elements in the requirements are the following

- Vulnerabilities
Detailed analysis of the Zero-Day vulnerability in MOVEit Transfer
Detailed analysis of the Zero-Day vulnerability in MOVEit Transfer Key Takeaways A common feature among all exploited devices is a webshell named 'human2.aspx' located in the 'C:\MOVEitTransfer\wwwroot' public HTML folder. Multiple IP addresses have been associated with the attacks, which reportedly started on May 27th. The exploitation method strongly resembles the mass exploitation of GoAnywhere MFT and Accellion FTA servers in January 2023 and December 2020 respectively. Those previous incidents were linked to the Clop ransomware gang, which exploited managed file transfer platforms for data theft and extortion. The threat actor Lace Tempest has been officially linked to the exploitation of a critical flaw in Progress Software's MOVEit Transfer application. Their apparent collaboration with the cl0p ransomware group, as evidenced by ransom notes found on compromised hosts, reinforces the urgent need for users to promptly apply security patches. PoC exploit code for MOVEit Transfer was released by Horizon3. On June 15th, a third vulnerability (CVE-2023-35708) in Progress Software's MOVEit Transfer was found. This vulnerability could allow users to gain elevated rights and potentially unapproved access to the environment. The vulnerability's specific characteristics that would enable worming are unknown. In addition

- Cyber threats
Snake Malware
Snake Malware Taken down by the FBI after 20 years of existence Key Takeaways In a coordinated operation, the FBI and other organizations took down the Snake malware's operational infrastructure. Snake malware has been linked to Center 16 of Russia's FSB and has been in use for almost 20 years. It has been used in various targeted operations to collect and extract valuable data and information from government and NATO organizations. Introduction Snake is malware that was originally developed by the FSB (Federal Security Service of the Russian Federation) in late 2003 under the name “Uroburos”. Development ended in early 2004 and shortly afterwards it began conducting cyber operations. Snake has been one of the major tools used by Center 16 of the FSB. It has been in use for almost 20 years and the FSB has conducted a vast number of operations with it. Snake is also part of the Turla family toolset used by Russia. Since entering operational use, it has been detected in 50 countries around the globe. Targeted countries are in both North and South America, Europe, Africa, Asia, and Australia. Snake operators do not target specific industries, but it is worth mentioning

- Incident response
BumbleBee hunting with a Velociraptor
BumbleBee hunting with a Velociraptor BumbleBee, a malware mainly abused by threat actors in data exfiltration and ransomware incidents, was recently analyzed by Angelo Violetti of SEC Defence, the Digital Forensics and Incident Response team of SEC Consult, an Eviden business. During his research, he used several tools and techniques to define ways to detect the presence of BumbleBee on a compromised infrastructure. The various detection opportunities described in the report can help organizations detect an infection in its first stages and, therefore, prevent further malicious activity starting from BumbleBee. The detection opportunities rely on open-source tools (e.g., Velociraptor) and rules (e.g., Yara, Sigma), so they can be used by any company or the wider community. Introduction Ransomware attacks combined with data exfiltration are one of the most relevant cyber threats for companies worldwide, as reported by the ENISA Threat Landscape 2022. According to NIST's Incident Handling Guide, the prevention and detection phases of those types of attacks can be crucial to minimizing a potential incident's impacts (e.g., operational, legal, etc.). To gain initial access into a victim’s infrastructure, ransomware operators mostly abuse the following techniques: Phishing campaigns

- Cyber threats
Cl0p Ransomware Group activity related to data leaks from GoAnywhere MFT
Cl0p Ransomware Group activity related to data leaks from GoAnywhere MFT The essentials The threat actor TA505 is deemed a trendsetter for its ever-changing tactics, techniques, and procedures (TTPs). It targets numerous countries, but omits close allies of Russia. It is known to use quadruple extortion techniques, including targeting executives and contacting customers to add pressure to pay the ransom. The latest campaign saw at least 132 companies breached in some way, with 12 already having their data exposed on the darknet. Recommendations Create detection rules based on the group’s TTPs and IoCs. Block the infrastructure (C2s, domains, hashes) of the operators. Ensure you keep regular backups stored on a remote server. Make sure system services are kept up to date with patches. Regarding the GoAnywhere MFT service: review all administrator users for attacker accounts; update to version 7.1.2 or higher; alternatively, apply the mitigation configuration (see details). Introduction Clop is an example of ransomware as a service (RaaS) operated by a Russian-speaking group. It was discovered in 2019 after being used by TA505 in a spear-phishing campaign. Clop (or Cl0p) is one of the most prolific ransomware families of recent years. It’s infamous for compromising

- Vulnerabilities
Creating persistent local privilege escalation with temporarily elevated legitimate installers
Creating persistent local privilege escalation with temporarily elevated legitimate installers The interesting case of WinSCP A couple of months ago, while analyzing one of our environments, we noticed instances of the LogonUI.exe process - running as NT AUTHORITY/SYSTEM - loading a DLL file named DragExt64.dll from local user %LOCALAPPDATA%\Programs\WinSCP directories, e.g., C:\Users\bob\AppData\Local\Programs\WinSCP\DragExt64.dll. Since such DLL files are owned by the user (ownership is by default inherited from the directory) but executed as SYSTEM, it was clear that this phenomenon created a potential vector for local privilege escalation, as simple as replacing the original DLL with a custom one containing arbitrary code. Following up, it turned out that DragExt64.dll is a WinSCP extension responsible for drag & drop support, distributed along with WinSCP. Further investigation revealed that on some systems that file could be found at C:\Program Files (x86)\WinSCP\DragExt64.dll, while on other systems the location was the local user %LOCALAPPDATA%\Programs\WinSCP folder – suggesting that the difference came from whether the user, during installation, chose “Install for all users (recommended)” or “Install for me only”, as demonstrated in the screenshot below. The default and recommended option deploys WinSCP into C:\Program Files (x86)\WinSCP

- Incident response
SOCCRATES – Automation and Orchestration of Security Operations
SOCCRATES – Automation and Orchestration of Security Operations SOCCRATES (SOC & CSIRT Response to Attacks & Threats) is an EU-funded research and innovation project that brings together some of the best European expertise in the field to develop, implement and evaluate an automated security platform to support SOC analysts. Atos is a leading provider of Managed Detection & Response (MDR) services. The Atos MDR offering is platform-driven, built on AIsaac, our AI platform for Cyber Analytics and Hybrid SecOps. We constantly collaborate on innovations in MDR, and SOCCRATES is an initiative in this direction. This article focuses on the SOCCRATES Orchestrator and Integration Engine, which is at the core of the SOCCRATES platform, providing automation and orchestration of security operations to respond to the different use cases covered by the project. As introduced in previous articles, there are many challenges that Security Operation Centres (SOCs), Computer Security Incident Response Teams (CSIRTs) and Managed Security Service Providers (MSSPs) must face to offer an efficient and quick answer to the increasing number and growing complexity of cyber-attacks organizations are suffering. One of these challenges is to provide support to the

- Cyber threats
Are privacy-enhancing technologies the holy grail to privacy?
Are privacy-enhancing technologies the holy grail to privacy? The PET’s promise to unlock collaborative analysis in a secure way, even on regulated or sensitive data According to Gartner, by 2025, 60% of large organizations will use one or more privacy-enhancing computation techniques in analytics, business intelligence or cloud computing. PETs (privacy-enhancing technologies) are on the rise. Let’s see why you should have a look at these technologies! PETs bring the missing piece to fully comply with data sovereignty regulations There is growing regulatory pressure around Personally Identifiable Information (PII) protection and data sovereignty (e.g. cross-border data transfers to Cloud operators), with authorities facing the difficult exercise of balancing the latitude to exploit personal data (social and economic benefits) against re-identification risk, or of enabling economic benefits from the Cloud while ensuring data sovereignty or IP protection. This is where PETs bring their innovation. From the data sovereignty perspective, the emerging set of privacy-enhancing techniques shifts the paradigm. While data encryption at rest or in transit was already efficiently addressed through existing encryption technologies, data protection in use (data-in-use) was the missing piece in the triptych, meaning that data needed

- Vulnerabilities
Attacking local self-protection mechanisms – a case study of CVE-2019-3613 and CVE-2022-3859
Attacking local self-protection mechanisms – a case study of CVE-2019-3613 and CVE-2022-3859 Introduction to Trellix CVE-2022-3859 On 29 November Trellix (formerly McAfee) released a security bulletin addressing an issue tracked as CVE-2022-3859 (https://kcm.trellix.com/corporate/index?page=content&id=SB10391), which I discovered and responsibly disclosed a couple of months before. Its discovery was prompted by my earlier finding of the same nature, affecting the same product, 3 years earlier (CVE-2019-3613, https://kcm.trellix.com/corporate/index?page=content&id=SB10320). Since the official descriptions are rather general and cryptic, while both issues have been addressed, I thought that sharing some of the technical details could be valuable for other techies interested in things like security solutions, system programming or sample ideas on attacking software self-protection mechanisms. Self-protection mechanisms As early detection of malicious activity is critical to stopping incidents at an early stage, enterprise security solutions such as Anti-Virus agents and EDR sensors have, for some time already, been equipped with additional self-protection mechanisms. Those mechanisms are built on top of the security controls already provided by the operating system, trying to