North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign

Vulnerability
  • A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.

    That’s according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple.

    Targets of the malicious operation included a healthcare research organization in India, the chemical engineering department of a leading research university, as well as a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to breach the supply chain.

    Roughly 100GB of data is estimated to have been exported by the hacking crew following the compromise of an unnamed customer, with the digital break-in likely taking place in the third quarter of 2022.

    “The threat actor gained access to the network by exploiting a vulnerable Zimbra mail server at the end of August,” WithSecure said in a detailed technical report shared with The Hacker News.

    The security flaws used for initial access are CVE-2022-27925 and CVE-2022-37042, both of which could be abused to gain remote code execution on the underlying server.

    This step was succeeded by the installation of web shells and the exploitation of local privilege escalation vulnerability in the Zimbra server (i.e., Pwnkit aka CVE-2021-4034), thereby enabling the threat actor to harvest sensitive mailbox data.

    Subsequently, in October 2022, the adversary is said to have carried out lateral movement, reconnaissance, and ultimately deployed backdoors such as Dtrack and an updated version of GREASE.

    GREASE, which has been attributed as the handiwork of another North Korea-affiliated threat cluster called Kimsuky, comes with capabilities to create new administrator accounts with remote desktop protocol (RDP) privileges while also skirting firewall rules.

    Dtrack, on the other hand, has been employed in cyber assaults aimed at a variety of industry verticals, and also in financially motivated attacks involving the use of Maui ransomware.

    “At the beginning of November, Cobalt Strike [command-and-control] beacons were detected from an internal server to two threat actor IP addresses,” researchers Sami Ruohonen and Stephen Robinson pointed out, adding the data exfiltration occurred from November 5, 2022, through November 11, 2022.

    Also used in the intrusion were tools like Plink and 3Proxy to create a proxy on the victim system, echoing previous findings from Cisco Talos about Lazarus Group’s attacks targeting energy providers.

    North Korea-backed hacking groups have had a busy 2022, conducting both espionage-driven and cryptocurrency heists that align with the regime’s strategic priorities.

    Most recently, the BlueNoroff cluster, also known by the names APT38, Copernicium, Stardust Chollima, and Copernicium, and Stardust Chollima, and TA444, was connected to wide-ranging credential harvesting attacks aimed at education, financial, government, and healthcare sectors.

    – Source

  • DownPWundefined DownPW marked this topic as a regular topic on
  • @DownPW Thanks very much for this. For anyone else looking to get access to constantly updated vulnerability and breach information, I created a site some time ago that is fully automated, and ingests data from a variety of sources - effectively creating a single pane of glass to obtain information from well-known and respected information sources.

    The site is Hostrisk

    https://hostrisk.com

  • @phenomlab better to post hère or on histrisk?

  • @DownPW here. Hostrisk is automated and doesn’t accept registrations.


  • 4 Votes
    4 Posts
    65 Views

    @phenomlab said in TikTok fined £12.7m for misusing children’s data:

    Just another reason not to use TikTok. Zero privacy, Zero respect for privacy, and Zero controls in place.

    https://news.sky.com/story/tiktok-fined-12-7m-for-data-protection-breaches-12849702

    The quote from this article says it all

    TikTok should have known better. TikTok should have done better

    They should have, but didn’t. Clearly the same distinct lack of core values as Facebook. Profit first, privacy… well, maybe.

    Wow, that’s crazy! so glad I stayed away from it, rotten to the core.

  • 5 Votes
    6 Posts
    652 Views

    Missed out on this deal ? Windscribe offer a limited free version. More about that here
    https://sudonix.org/topic/13/which-product-is-the-best-for-vpn/164?_=1652206628456

  • 0 Votes
    1 Posts
    140 Views

    1622032930658-hacked_listen-min.webp

    I’ve been a veteran of the infosec industry for several years, and during that time, I’ve been exposed to a wide range of technology and situations alike. Over this period, I’ve amassed a wealth of experience around information security, physical security, and systems. 18 years of that experience has been gained within the financial sector - the remaining spread across manufacturing, retail, and several other areas. I’ve always classed myself as a jack of all trades, and a master of none. The real reason for this is that I wanted to gain as much exposure to the world of technology without effectively “shoehorning” myself - pigeon holing my career and restricting my overall scope.

    I learned how to both hack and protect 8086 / Z80 systems back in 1984, and was using “POKE” well before Facebook coined the phrase and made it trendy (one of the actual commands I still remember to this day that rendered the CTRL, SHIFT, ESC break sequence useless was

    POKE &bdee, &c9

    I spent my youth dissecting systems and software alike, understanding how they worked, and more importantly, how easily they could be bypassed or modified.

    Was I a hacker in my youth ? If you understand the true meaning of the word, then yes - I most definitely was.

    If you think a hacker is a criminal, then absolutely not. I took my various skills I obtained over the years, honed them, and made them into a walking information source - a living, breathing technology encyclopedia that could be queried simply by asking a question (but not vulnerable to SQL injection).

    Over the years, I took an interest in all forms of technology, and was deeply immersed in the “virus era” of the 2000’s. I already understood how viruses worked (after dissecting hundreds of them in a home lab), and the level of damage that could be inflicted by one paved the way for a natural progression to early and somewhat infantile malware. In its earliest form, this malware was easily spotted and removed. Today’s campaigns see code that will self delete itself post successful execution, leaving little to no trace of its activity on a system. Once the APT (Advanced Persistent Threat) acronym became mainstream, the world and its brother realised they had a significant problem in their hands, and needed to respond accordingly. I’d realised early on that one of the best defences against the ever advancing malware was containment. If you “stem the flow”, you reduce the overall impact - essentially, restricting the malicious activity to a small subset rather than your entire estate.

    I began collaborating with various stakeholders in the organisations I worked for over the years, carefully explaining how modern threats worked, the level of damage they could inflict initially from an information and financial perspective, extending to reputation damage and a variety of others as campaigns increased in their complexity). I recall one incident during a tenure within the manufacturing industry where I provided a proof of concept. At the time, I was working as a pro bono consultant for a small company, and I don’t think they took me too seriously.

    Using an existing and shockingly vulnerable Windows 2003 server (it was still using the original settings in terms of configuration - they had no patching regime, meaning all systems were effectively vanilla) I exhibited how simple it would be to gain access first to this server, then steal the hash - effortlessly using that token to gain full access to other systems without even knowing the password (pass the hash). A very primitive exercise by today’s standards, but effective nonetheless. I explained every step of what I was doing along the way, and then explained how to mitigate this simple exploit - I even provided a step by step guide on how to reproduce the vulnerability, how to remediate it, and even provided my recommendations for the necessary steps to enhance security across their estate. Their response was, frankly, shocking. Not only did they attempt to refute my findings, but at the same time, dismissed it as trivial - effectively brushing it under the carpet so to speak. This wasn’t a high profile entity, but the firm in question was AIM listed, and by definition, were duty bound - they had a responsibility to shareholders and stakeholders to resolve this issue. Instead, they remained silent.

    Being Pro Bono meant that my role was an advisory one, and I wasn’t charging for my work. The firm had asked me to perform a security posture review, yet somehow, didn’t like the result when it was presented to them. I informed them that they were more than welcome to obtain another opinion, and should process my findings as they saw fit. I later found out through a mutual contact that my findings had been dismissed as "“unrealistic”, and another consultant had certified their infrastructure as “safe”. I almost choked on my coffee, but wrote this off as a bad experience. 2 months later, I got a call from the same mutual contact telling me that my findings were indeed correct. He had been contacted by the same firm asking him to provide consultancy for what on the face of it, looked like a compromised network.

    Then came the next line which I’ll never forget.

    “I don’t suppose you’d be interested in……”

    I politely refused, saying I was busy on another project. I actually wasn’t, but refused out of principle. And so, without further ado, here’s my synopsis

    “…if you choose not to listen to the advice a security expert gives you, then you are leaving yourself and your organisation unnecessarily vulnerable. Ignorance is not bliss when it comes to security…”

    Think about what you’ve read for a moment, and be honest with me - say so if you think this statement is harsh given the previous content.

    The point I am trying to make here is that despite sustained effort, valiant attempts to raise awareness, and constantly telling people they have gaping holes in systems for them to ignore the advice (and the fix I’ve handed to them on a plate) is extremely frustrating. Those in the InfoSec community are duty bound to responsibly disclose, inform, educate, raise awareness, and help protect, but that doesn’t extend to wiping people’s noses and telling them it wasn’t their fault that they failed to follow simple advice that probably could have prevented their inevitable breach. My response here is that if you bury your head in the sand, you won’t see the guy running up behind you intent on kicking you up the ass.

    Security situations can easily be avoided if people are prepared to actually listen and heed advice. I’m willing to help anyone, but they in return have to be equally willing to listen, understand, and react.

  • 0 Votes
    1 Posts
    143 Views

    1621959888112-code.webp
    Anyone working in the information and infrastructure security space will be more than familiar with the non-stop evolution that is vulnerability management. Seemingly on a daily basis, we see new attacks emerging, and those old mechanisms that you thought were well and truly dead resurface with “Frankenstein” like capabilities rendering your existing defences designed to combat that particular threat either inefficient, or in some cases, completely ineffective. All too often, we see previous campaigns resurface with newer destructive capabilities designed to extort both from the financial and blackmail perspective.

    It’s the function of the “Blue Team” to (in several cases) work around the clock to patch a security vulnerability identified in a system, and ensure that the technology landscape and estate is as healthy as is feasibly possible. On the flip side, it’s the function of the “Red Team” to identify hidden vulnerabilities in your systems and associated networks, and provide assistance around the remediation of the identified threat in a controlled manner.

    Depending on your requirements, the minimum industry accepted testing frequency from the “Red Team” perspective is once per year, and typically involves the traditional “perimeter” (externally facing devices such as firewalls, routers, etc), websites, public facing applications, and anything else exposed to the internet. Whilst this satisfies the “tick in the box” requirement on infrastructure that traditionally never changes, is it really sufficient in today’s ever-changing environments ? The answer here is no.

    With the arrival of flexible computing, virtual data centres, SaaS, IaaS, IoT, and literally every other acronym relating to technology comes a new level of risk. Evolution of system and application capabilities has meant that these very systems are in most cases self-learning (and for networks, self-healing). Application algorithms, Machine Learning, and Artificial Intelligence can all introduce an unintended vulnerability throughout the development lifecycle, therefore, failing to test, address, and validate the security of any new application or modern infrastructure that is public facing is a breach waiting to happen. For those “in the industry”, how many times have you been met with this very scenario

    “Blue Team: We fixed the vulnerabilities that the Red Team said they’d found…” “Red Team: We found the vulnerabilities that the Blue Team said they’d fixed…”

    Does this sound familiar ?

    What I’m alluding to here is that security isn’t “fire and forget”. It’s a multi-faceted, complex process of evolution that, very much like the earth itself, is constantly spinning. Vulnerabilities evolve at an alarming rate, and unfortunately, your security program needs to evolve with it rather than simply “stopping” for even a short period of time. It’s surprising (and in all honesty, worrying) the amount of businesses that do not currently (and even worse, have no plans to) perform an internal vulnerability assessment. You’ll notice here I do not refer to this as a penetration test - you can’t “penetrate” something you are already sitting inside. The purpose of this exercise is to engage a third party vendor (subject to the usual Non-Disclosure Agreement process) for a couple of days. Let them sit directly inside your network, and see what they can discover. Topology maps and subnets help, but in reality, this is a discovery “mission” and it’s up to the tester in terms of how they handle the exercise.

    The important component here is scope. Additionally, there are always boundaries. For example, I typically prefer a proof of concept rather than a tester blundering in and using a “capture the flag” approach that could cause significant disruption or damage to existing processes - particularly in-house development. It’s vital that you “set the tone” of what is acceptable, and what you expect to gain from the exercise at the beginning of the engagement. Essentially, the mantra here is that the evolution wheel in fact never stops - it’s why security personnel are always busy, and CISO’s never sleep 🙂

    These days, a pragmatic approach is essential in order to manage a security framework properly. Gone are the days of annual testing alone, being dismissive around “low level” threats without fully understanding their capabilities, and brushing identified vulnerabilities “under the carpet”. The annual testing still holds significant value, but only if undertaken by an independent body, such as those accredited by CREST (for example).

    You can reduce the exposure to risk in your own environment by creating your own security framework, and adopting a frequent vulnerability scanning schedule with self remediation. Not only does this lower the risk to your overall environment, but also provides the comfort that you take security seriously to clients and vendors alike whom conduct frequent assessments as part of their Due Diligence programs. Identifying vulnerabilities is one thing, however, remediating them is another. You essentially need to “find a balance” in terms of deciding which comes first. The obvious route is to target critical, high, and medium risk, whilst leaving the “low risk” items behind, or on the “back burner”.

    The issue with this approach is that it’s perfectly possible to chain multiple vulnerabilities together that on their own would be classed as low risk, and end up with something much more sinister when combined. This is why it’s important to address even low-risk vulnerabilities to see how easy it would be to effectively execute these inside your environment. In reality, no Red Team member can tell you exactly how any threat could pan out if a way to exploit it silently existed in your environment without a proof of concept exercise - that, and the necessity sometimes for a “perfect storm” that makes the previous statement possible in a production environment.

    Vulnerability assessments rely on attitude to risk at their core. If the attitude is classed as low for a high risk threat, then there needs to be a responsible person capable of enforcing an argument for that particular threat to be at the top of the remediation list. This is often the challenge - where board members will accept a level of risk because the remediation itself may impact a particular process, or interfere with a particular development cycle - mainly because they do not understand the implication of weakened security over desired functionality.

    For any security program to be complete (as far as is possible), it also needs to consider the fundamental weakest link in any organisation - the user. Whilst this sounds harsh, the below statement is always true

    “A malicious actor can send 1,000 emails to random users, but only needs one to actually click a link to gain a foothold into an organisation”

    For this reason, any internal vulnerability assessment program should also factor in social engineering, phishing simulations, vishing, eavesdropping (water cooler / kitchen chat), unattended documents left on copiers, dropping a USB thumb drive in reception or “public” (in the sense of the firm) areas.

    There’s a lot more to this topic than this article alone can sanely cover. After several years experience in Information and Infrastructure Security, I’ve seen my fair share of inadequate processes and programs, and it’s time we addressed the elephant in the room.

    Got you thinking about your own security program ?

  • 0 Votes
    1 Posts
    141 Views

    1631812756399-catfish-min.webp
    Anyone who uses dating agencies or even social media itself should be aware of the risk that a “catfish” poses. However, despite all of the media attention, catfish are constantly successful in their campaigns, and it seems as though everyday there is yet another victim. But why is this persistent campaign so successful ? In order to understand how a catfish scam operates, we first need to look at who they target, and why. Trust is gained as quickly as possible as the risk of being caught out very early in the process is much too high. Catfish campaigns tend to target individuals – particularly those considered vulnerable. But how do they know that these individuals are vulnerable and a healthy target in the first place ? More on that later. For now, let’s look at how a catfish will apply their skills on unsuspecting victims. By far the most common type of attack is via online dating, and seeing as there appears to be plenty of choice in terms of platforms and users adopting their services, the fruit on the tree is plentiful, and replenished at an alarming rate.

    How does a catfish select a target ?

    The more experienced catfish will have multiple targets and campaigns running concurrently. Adopting this approach as a “beginner” is actually unwise, as there is too much detail to remember in order to pull off an effective deception without raising suspicion. Can you imagine grooming a target then getting their name wrong, or other key information they may have unwittingly provided ? No. For this exact reason, the novice catfish will target one individual at a time. Whilst this doesn’t sound very enterprising, the experienced catfish, however, will operate multiple campaigns simultaneously. This produces a significantly higher yield, but it also means that the risk of exposure is greater. Based on this, each campaign is carefully tracked and “scripted” - in fact, each campaign has a written story - pretext if you will, that is simply copied and pasted in communications. This provides the assurance that the particular “story” being used does not stray off course, or arouse suspicion unintentionally. Based on official evidence, the origin of where most catfish campaigns originate from is Nigeria. In fact, it’s big business - well over USD 2bn in fact.

    Here’s a video courtesy of ABC that describes some of the techniques I have mentioned above - including the “scripted” mechanism.

    The catfish selects their target based on a number of factors – with social skills being top the list. A personality of a wet blanket is seldom effective, so the catfish must create an online persona (usually a Facebook profile) that is credible, and can be reinforced and intertwined with real life events. Such an example of this is a soldier serving in Afghanistan (there are many others, although this is an active campaign which is known to succeed). It would appear that the military lifestyle, the uniform, and the exciting stories are enough to entice a lonely individual looking for friendship and romance. A vital component of the scam is that the occupation of a soldier allows multiple periods where contact can be minimal for various “military” reasons that the catfish informs their target they cannot divulge for official secrecy reasons.

    This actually provides the perfect cover in order for the scam to progress. Time is required in order to plan the next stages of the campaign if it is to succeed. Another important element to remember is that the catfish needs to be mindful of time zones – you cannot be based in Nigeria and use the same timezone when you are supposedly stationed in Afghanistan, for example. The catfish would have collected enough intelligence about their target to remain one step ahead at all times. This typically involves research, with most of the required information sadly provided by social media. This includes dates and places of birth, interests, hobbies, and a myriad of other useful data that all adds up to the success of the campaign. The catfish uses this information to form trust with the target, and, coupled with the online persona created previously, the wheels are firmly attached. The con is on, so to speak. Using the data collected earlier, the catfish makes use of a variety of techniques in order to gain confidence and trust, with the social element being of utmost importance. Another key point for the catfish is the ability to engage in discussion, be articulate, and most of all, come across as being intelligent. Spelling is important, as is the ability to use grammar and punctuation correctly.

    Those of us who are “grammar snobs” can easily spot a deception in the form of a social media message or email owing to the notoriously poor grammar – usually always the result of English not being the primary language in use. Bearing in mind that most initial contact is via instant messaging, online chat, and email, it is important for the catfish to avoid suspicion and early detection - and in essence, remain “under the radar” at all times.

    How much effort is involved ?

    The amount of effort a catfish will put in generally depends on multiple factors. The sole aim of the perpetrator is financial, and any seasoned criminal will be looking to gain trust quickly, and will always have a story prepared. The point here is that the target needs to be a willing participant – nobody is holding a gun to their head, and they must be convinced of the integrity of their new online beau in order to part with money of their own volition. The previously constructed story needs to be consistent, and plausible if the campaign is to succeed. Once the target is engaged, the catfish is then in a position to effectively “groom” the individual, and uses the response and personality of the target to gauge when the next part of the plan should be executed. This in itself can be a fine art depending on the target. If they are intelligent, it may take a considerable amount of time and effort to reel them in. Before the catfish makes this investment, they have to be sure it will be worth it. But how ? Again, social media to the rescue. You’d be hard pressed to believe this, but money and the associated social lifestyle it provides and promotes is a key focal point of social networking, and by definition, “engineering”.

    If the target regularly posts about dining out, drinking, holidays, etc., then this is a clear indicator that they are worth perusing and exploiting, as they clearly have money to spend. Once the catfish has been able to convince the target of their sincerity, the deception then proceeds to the next level. Using the tried and tested “soldier based in another country, shortly completing his tour of duty, and leaving the army” scam, this provides an ideal mechanism to extort money from the target after they have been convinced that the individual they have been talking to wants to start a business, and needs capital etc in order to get started. Another well-known and successful ruse is to claim that they have a sick child (or children) that need urgent hospital care, and they don’t have the money to finance this. Another additional means of topping up the “fund” is the additional ruse that the soldier is not a citizen in the target country, and wants to be with his “new partner”. The by now besotted target agrees to pay for air fare, visa costs, and other associated permits in order to make their dream romance a reality – without realising that they are parting with a significant sum that carries absolutely no guarantee that it will be delivered. In fact, this could not be further from the truth. In a cruel twist, the catfish instructs their target to pay the funds into an account setup and accessible by the criminals involved, where it is collected without delay - often by a “mule” (more on this later).

    The target is completely unaware this has taken place, and only realises what has happened after their romance never materialises, the person they trusted never arrives, and a gaping hole has appeared in their finances as a result. They are now left with the inevitable emotional and financial damage this scam creates, and they must somehow come to terms with the impact – and the associated consequences. The ultimate twist of fate is that the victim transferred their money of their own free will – it wasn’t stolen from them, and, believe it or not, no crime has been committed based on this fact (it sounds crazy, and it is absolutely fraud - but that’s the law). You will also find yourself hard pressed to convince any bank that you have not acted negligently.

    Reducing the risk

    So how can you reduce the risk ? Whilst the below list should start with “…never talk to strangers…”, its not that simple. The below points are guidelines, but should be used along with your own judgement. - Never engage in discussions of a financial or personal nature with people you do not know. The internet is a dangerous place, and the anonymity it provides only makes this worse.

    If you join a dating agency, ensure that all requests for contact are fully screened by the agency themselves before being sent on to you. Most agencies now insist on home visits to new clients in order to combat this growing trend. Never agree to setup a new bank account, or transfer cash – this is a smoking gun, and should be avoided at all costs. Never allow the discussions to continue “off platform” – in other words, always use the dating agency’s systems so that any conversations are captured and recorded. This means no texts, no personal messaging systems, and strictly no contact over social media If someone sends you a friend request on Facebook, ask yourself basic questions, such as “do I actually know this person ?” and “why are they contacting me ?”. If you don’t know them, don’t accept. Try to avoid being tempted by emotional flattery. Whilst we all like praise and the feelgood factor it brings, don’t be reeled in by a catfish. This is one of the core weapons in their arsenal, and they will deploy it whenever necessary Remember – relationships have their foundations firmly rooted in trust. This has to be earned and established over the course of time – it’s not something that appears overnight.
  • 0 Votes
    1 Posts
    131 Views

    cropped-vault2-min.jpg.webp
    Over the years, I’ve been exposed to a variety of industries - one of these is aerospace engineering and manufacturing. During my time in this industry, I picked up a wealth of experience around processing, manufacturing, treatments, inspection, and various others. Sheet metal work within the aircraft industry is fine-limit. We’re not talking about millimeters here - we’re talking about thousands of an inch, or “thou” to be more precise. Sounds Imperial, right ? Correct. This has been a standard for years, and hasn’t really changed. The same applies to sheet metal thickness, typically measured using SWG (sheet / wire gauge). For example, 16 SWG is actually 1.6mm thick or thereabouts and the only way you’d get a true reading is with either a Vernier or a Micrometer. For those now totally baffled, one mm is around 40 thou or 25.4 micrometers (μm). Can you imagine having to work to such a minute limit where the work you’ve submitted is 2 thou out of tolerance, and as a result, fails first off inspection ?

    Welcome to precision engineering. It’s not all tech and fine-limit though. In every industry, you have to start somewhere. And typically, in engineering, you’d start as an apprentice in the store room learning the trade and associated materials.

    Anyone familiar with engineering will know exactly what I mean when I use terms such as Gasparini, Amada, CNC, Bridgeport, guillotine, and Donkey Saw. Whilst the Donkey Saw sounds like animal cruelty, it’s actually an automated mechanical saw who’s job it is to cut tough material (such as S99 bar, which is hardened stainless steel) simulating the back and forth action manually performed with a hacksaw. Typically, a barrel of coolant liquid was connected to the saw and periodically deposited liquid into the blade to prevent it from overheating and snapping. Where am I going with all this ?

    Well, through my tenure in engineering, I started at the bottom as “the boy” - the one you’d send to the stores to get a plastic hammer, a long weight (wait), a bubble for a spirit level, sky hooks, and just about any other imaginary or pointless tool you could think of. It was part of the initiation ceremony - and the learning process.

    One other extremely dull task was to cut “blanks’’ in the store room from 8’ X 4’ sheets of CRS (cold rolled steel) or L166 (1.6mm aerospace grade aluminium, poly coated on both sides). These would then be used to make parts according to the drawing and spec you had, or could be for tooling purposes. My particular “job” (if you could call it that) in this case was to press the footswitch to activate the guillotine blade after the sheet was placed into the guide. The problem is that after about 50 or so blanks, you only hear the trigger word requiring you to “react”. In this case, that particular word was “right”. This meant that the old guy I was working with had placed the sheet, and was ready for me to kick the switch to activate the guillotine. All very high tech and vitally important - not.

    And so, here it is. Jim walks into the store room where we’re cutting blanks, and asks George if he’d like coffee. After 10 minutes, Jim returns with a tray of drinks and shouts “George, coffee!”. George, fiddling with the guillotine guide responds with “right”…. See if you can guess the rest…

    George went as white as a sheet and almost fainted as the guillotine blade narrowly missed his fingers. It took more than one coffee laden with sugar to put the colour back into his cheeks and restore his ailing blood sugar level.

    The good news is that George finally retired with all his fingers intact, and I eventually progressed through the shop floor and learned a trade.

    The purpose of this post ? In an ever changing and evolving security environment, have your wits about you at all times. It’s not only your organisation’s information security, but clients who have entrusted you as a custodian of their information to keep it safe and prevent unauthorised access. Information Security is a 101 rule to be adhered to at all times - regardless of how experienced you think you are. Complacency is at the heart of most mistakes. By taking a more pragmatic approach, that risk is greatly reduced.

  • 0 Votes
    1 Posts
    132 Views

    When you look at your servers or surrounding networks, what exactly do you see ? A work of art, perhaps ? Sadly, this is anything but the picture painted for most networks when you begin to look under the hood. What I’m alluding to here is that beauty isn’t skin deep - in the sense that neat cabling resembling art from the Sistine Chapel, tidy racks, and huge comms rooms full of flashing lights looks appealing from the eye candy perspective and probably will impress clients, but in several cases, this is the ultimate wolf in sheep’s clothing. Sounds harsh ? Of course it does, but with good intentions and reasoning. There’s not a single person responsible for servers and networks on this planet who will willingly admit that whilst his or her network looks like a masterpiece to the untrained eye, it’s a complete disaster in terms of security underneath.

    In reality, it’s quite the opposite. Organisations often purchase bleeding edge infrastructure as a means of leveraging the clear technical advantages, enhanced security, and competitive edge it provides. However, under the impressive start of the art ambience and air conditioning often lies an unwanted beast. This mostly invisible beast lives on low-hanging fruit, will be tempted to help itself at any given opportunity, and is always hungry. For those becoming slightly bewildered at this point, there really isn’t an invisible beast lurking around your network that eats fruit. But, with a poorly secured infrastructure, there might as well be. The beast being referenced here is an uninvited intruder in your network. A bad actor, threat actor, bad guy, criminal…. call it what you want (just don’t use the word hacker) can find their way inside your network by leveraging the one thing that I’ve seen time and time again in literally every organisation I ever worked for throughout my career - the default username and password. I really can’t stress the importance of changing this on new (and existing) network equipment enough, and it doesn’t stop at this either.

    Changing the default username and password is about 10% of the puzzle when it comes to security and basic protection principles. Even the most complex credentials can be bypassed completely by a vulnerability (or in some cases, a backdoor) in ageing firmware on switches, firewalls, routers, storage arrays, and a wealth of others - including printers (which incidentally make an ideal watering hole thanks to the defaults of FTP, HTTP, SNMP, and Telnet, most (if not all of) are usually always on. As cheaper printers do not have screens like their more expensive copier counterparts (the estate is reduced to make the device smaller and cheaper), any potential criminal can hide here and not be detected - often for months at a time - arguably, they could live in a copier without you being aware also. A classic example of an unknown exploit into a system was the Juniper firewall backdoor that permitted full admin access using a specific password - regardless of the one set by the owner. Whilst the Juniper exploit didn’t exactly involve a default username and password as such (although this particular exploit was hard-coded into the firmware, meaning that any “user” with the right coded password and SSH access remotely would achieve full control over the device), it did leverage the specific vulnerability in the fact that poorly configured devices could have SSH configured as accessible to 0.0.0.0/0 (essentially, the entire planet) rather than a trusted set of IP addresses - typically from an approved management network.

    We all need to get out of the mindset of taking something out of a box, plugging it into our network, and then doing nothing else - such as changing the default username and password (ideally disabling it completely and replacing it with a unique ID) or turning off access protocols that we do not want or need. The real issue here is that today’s technology standards make it simple for literally anyone to purchase something and set it up within a few minutes without considering that a simple port scan of a subnet can reveal a wealth of information to an attacker - several of these tools are equipped with a default username and password dictionary that is leveraged against the device in question if it responds to a request. Changing the default configuration instead of leaving it to chance can dramatically reduce the attack landscape in your network. Failure to do so changes “plug and play” to “ripe for picking”, and its those devices that perform seemingly “minor” functions in your network that are the easiest to exploit - and leverage in order to gain access to neighbouring ancillary services. Whilst not an immediate gateway into another device, the compromised system can easily give an attacker a good overview of what else is on the same subnet, for example.

    So how did we arrive at the low hanging fruit paradigm ?

    It’s simple enough if you consider the way that fruit can weigh down the branch to the point where it is low enough to be picked easily. A poorly secured network contains many vulnerabilities that can be leveraged and exploited very easily without the need for much effort on the part of an attacker. It’s almost like a horse grazing in a field next to an orchard where the apples hang over the fence. It’s easily picked, often overlooked, and gone in seconds. When this term is used in information security, a common parallel is the path of least resistance. For example, a pickpocket can acquire your wallet without you even being aware, and this requires a high degree of skill in order to evade detection yet still achieve the primary objective. On the other hand, someone strolling down the street with an expensive camera hanging over their shoulder is a classic example of the low hanging fruit synopsis in the sense that this theft is based on an opportunity that wouldn’t require much effort - yet with a high yield. Here’s an example of how that very scenario could well play out.

    Now, as much as we’d all like to handle cyber crime in this way, we can’t. It’s illegal 🙂

    What isn’t illegal is prevention. 80% of security is based on best practice. Admittedly, there is a fair argument as to what exactly is classed as “best” these days, although it’s a relatively well known fact that patching the Windows operating system for example is one of the best ways to stamp out a vulnerability - but only for that system that it is designed to protect against. Windows is just the tip of the iceberg when it comes to vulnerabilities - it’s not just operating systems that suffer, but applications, too. You could take a Windows based IIS server, harden it in terms of permitted protocols and services, plus install all of the available patches - yet have an outdated version of WordPress running (see here for some tips on how to reduce that threat), or often even worse, outdated plugins that allow remote code execution. The low hanging fruit problem becomes even more obvious when you consider breaches such as the well-publicised Mossack Fonseca (“Panama Papers”). What became clear after an investigation is that the attackers in this case leveraged vulnerabilities in the firm’s WordPress and Joomla public facing installations - this in fact led to them being able to exploit an equally vulnerable mail server by brute-forcing it.

    So what should you do ? The answer is simple. It’s harvest time.

    If there is no low-hanging fruit to pick, life becomes that much more difficult for any attacker looking for a quick “win”. Unless determined, it’s unlikely that your average attacker is going to spend a significant amount of time on a target (unless it’s Fort Knox - then you’ve have to question the sophistication) then walk away empty handed with nothing to show for the effort. To this end, below are my top recommendations. They are not new, non-exhaustive, and certainly not rocket science - yet they are surprisingly missing from the “security 101” perspective in several organisations.

    Change the default username and password on ALL infrastructure. It doesn’t matter if it’s not publicly accessible - this is irrelevant when you consider the level of threats that have their origins from the inside. If you do have to keep the default username (in other words, it can’t be disabled), set the lowest possible access permissions, and configure a strong password. Close all windows - in this case, lock down protocols and ports that are not essential - and if you really do need them open, ensure that they are restricted Deploy MFA (or at least 2FA) to all public facing systems and those that contain sensitive or personally identifiable information Deploy adequate monitoring and logging techniques, using a sane level of retention. Without any way of forensic examination, any bad actor can be in and out of your network well before you even realise a breach may have taken place. The only real difference is that without decent logging, you have no way of confirming or even worse, quantifying your suspicion. This can spell disaster in regulated industries. Don’t shoot yourself in the foot. Ensure all Windows servers and PC’s are up to date with the latest patches. The same applies to Linux and MAC systems - despite the hype, they are vulnerable to an extent (but not in the same way as Windows), although attacks are notoriously more difficult to deploy and would need to be in the form of a rootkit to work properly Do not let routers, firewalls, switches, etc “slip” in terms of firmware updates. Keep yourself and your team regularly informed and updated around the latest vulnerabilities, assess their impact, and most importantly, plan an update review. Not upgrading firmware on critical infrastructure can have a dramatic effect on your overall security. Lock down USB ports, CD/DVD drives, and do not permit access to file sharing, social media, or web based email. This has been an industry standard for years, but you’d be surprised at just how many organisations still have these open and yet, do not consider this a risk. Reduce the attack vector by segmenting your network using VLANS. For example, the sales VLAN does not need to (and shouldn’t need to) connect directly to accounting etc. In this case, a ransomware or malware outbreak in sales would not traverse to other VLANS, therefore, restricting the spread. A flat network is simple to manage, but a level playing field for an attacker to compromise if all the assets are in the same space. Don’t use an account with admin rights to perform your daily duties. There’s no prizes for guessing the level of potential damage this can cause if your account is compromised, or you land up with malware on your PC Educate and phish your users on a continual basis. They are the gateway directly into your network, and bypassing them is surprisingly easy. You only have to look at the success of phishing campaigns to realise that they are (and always will be) the weakest link in your network. Devise a consistent security and risk review framework. Conducting periodic security reviews is always a good move, and you’d be surprised at just what is lurking around on your network without your knowledge. There needn’t be a huge budget for this. There are a number of open source projects and platforms that make this process simple in terms of identification, but you’ll still need to complete the “grunt” work in terms of remediation. I am currently authoring a framework that will be open source, and will share this with the community once it is completed. Conduct regular governance and due diligence on vendors - particularly those that handle information considered sensitive (think GDPR). If their network is breached, any information they hold around your network and associated users is also at risk. Identify weak or potential risk areas within your network. Engage with business leaders and management to raise awareness around best practice, and information security. Perform breach simulation, and engage senior management in this exercise. As they are the fundamental core of the business function, they also need to understand the risk, and more importantly, the decisions and communication that is inevitable post breach.

    There is no silver bullet when it comes to protecting your network, information, and reputation. However, the list above will form the basis of a solid framework.

    Let’s not be complacent - let’s be compliant.

  • 0 Votes
    1 Posts
    158 Views

    1631812610135-security1.webp
    The recent high profile breaches impacting organisations large and small are a testament to the fact that no matter how you secure credentials, they will always be subject to exploit. Can a password alone ever be enough ? in my view, it’s never enough. The enforced minimum should be at least with a secondary factor. Regardless of how “secure” you consider your password to be, it really isn’t in most cases – it just “complies” with the requirement being enforced.

    Here’s classic example. We take the common password of “Welcome123” and put it into a password strength checker
    1564764162-304322-password1.png
    According to the above, it’s “strong”. Actually, it isn’t. It’s only considered this way because it meets the complexity requirements, with 1 uppercase letter, at least 8 characters, and numbers. What’s also interesting is that a tool sponsored by Dashlane considers the same password as acceptable, taking supposedly 8 months to break
    1564764192-579936-password2.png
    How accurate is this ? Not accurate at all. The password of “Welcome123” is in fact one of the passwords contained in any penetration tester’s toolkit – and, by definition, also used by cyber criminals. As most of this password combination is in fact made up of a dictionary word, plus sequential numbers, it would take less than a second to break this rather than the 8 months reported above. Need further evidence of this ? Have a look at haveibeenpwned, which will provide you with a mechanism to test just how many times “Welcome123” has appeared in data breaches
    1564764241-350631-hibp.png

    Why are credentials so weak ?

    My immediate response to this is that for as long as humans have habits, and create scenarios that enable them to easily remember their credentials, then this weakness will always exist. If you look at a sample taken from the LinkedIn breach, those passwords that occupy the top slots are arguably the least secure, but the easiest to remember from the human perspective. Passwords such as “password” and “123456” may be easy for users to remember, but on the flip side, weak credentials like this can be broken by a simple dictionary attack in less than a second.

    Here’s a selection of passwords still in use today – hopefully, yours isn’t on there
    1564764251-257407-passwordlist.jpeg
    We as humans are relatively simplistic when it comes to credentials and associated security methods. Most users who do not work in the security industry have little understanding, desire to understand, or patience, and will naturally choose the route that makes their life easier. After all, technology is supposed to increase productivity, and make tasks easier to perform, right ? Right. And it’s this exact vulnerability that a cyber criminal will exploit to it’s full potential.

    Striking a balance between the security of credentials and ease of recall has always had it’s challenges. A classic example is that networks, websites and applications nowadays typically have password policies in place that only permit the use of a so-called strong password. Given the consolidation and overall assortment of letters, numbers, non-alphanumeric characters, uppercase and lowercase, the password itself is probably “secure” to an acceptable extent, although the method of storing the credentials isn’t. A shining example of this is the culture of writing down sensitive information such as credentials. I’ve worked in some organisations where users have actually attached their password to their monitor. Anyone looking for easy access into a computer network is onto an immediate winner here, and unauthorised access or a full blown breach could occur within an alarmingly short period of time.

    Leaked credentials and attacks from within

    You could argue that you would need access to the computer itself first, but in several historical breach scenarios, the attack originated from within. In this case, it may not be an active employee, but someone who has access to the area where that particular machine is located. Any potential criminal has the credentials – well, the password itself, but what about the username ? This is where a variety of techniques can be used in terms of username discovery – in fact, most of them being non-technical – and worryingly simple to execute. Think about what is usually on a desk in an office. The most obvious place to look for the username would be on the PC itself. If the user had recently logged out, or locked their workstation, then on a windows network, that would give you the username unless a group policy was in place. Failing that, most modern desk phones display the name of the user. On Cisco devices, under Extension Mobility, is the ID of the user. It doesn’t take long to find this. Finally there’s the humble business card. A potential criminal can look at the email address format, remove the domain suffix, and potentially predict the username. Most companies tend to leverage the username in email addresses mainly thanks to SMTP template address policies – certainly true in on premise Exchange environments or Office 365 tenants.

    The credentials are now paired. The password has been retrieved in clear text, and by using a simple discovery technique, the username has also been acquired. Sometimes, a criminal can get extremely lucky and be able to acquire credentials with minimal effort. Users have a habit of writing down things they cannot recall easily, and in some cases, the required information is relatively easily divulged without too much effort on the part of the criminal. Sounds absurd and far fetched, doesn’t it ? Get into your office early, or work late one evening, and take a walk around the desks. You’ll be unpleasantly surprised at what you will find. Amongst the plethora of personal effects such as used gym towels and footwear, I guarantee that you will find information that could be of significant use to a criminal – not necessarily readily available in the form of credentials, but sufficient information to create a mechanism for extraction via an alternative source. But who would be able to use such information ?

    Think about this for a moment. You generally come into a clean office in the mornings, so cleaners have access to your office space. I’m not accusing anyone of anything unscrupulous or illegal here, but you do need to be realistic. This is the 21st century, and as a result, it is a security measure you need to factor in and adopt into your overall cyber security policy and strategy. Far too much focus is placed on securing the perimeter network, and not enough on the threat that lies within. A criminal could get a job as a cleaner at a company, and spend time collecting intelligence in terms of what could be a vulnerability waiting to be exploited. Another example of “instant intelligence” is the network topology map. Some of us are not blessed with huge screens, and need to make do with one ancient 19″ or perhaps two. As topology maps can be quite complex, it’s advantageous to be able to print these in A3 format to make it easier to digest. You may also need to print copies of this same document for meetings. The problem here is what you do with that copy once you have finished with it ?

    How do we address the issue ? Is there sufficient awareness ?

    Yes, there is. Disposing of it in the usual fashion isn’t the answer, as it can easily be recovered. The information contained in most topology maps is often extensive, and is like a goldmine to a criminal looking for intelligence about your network layout. Anything like this is classified information, and should be shredded at the earliest opportunity. Perhaps one of the worst offences I’ve ever personally experienced is a member of the IT team opening a password file, then walking away from their desk without locking their workstation. To prove a point about how easily credentials can be inadvertently leaked, I took a photo with a smartphone, then showed the offender what I’d managed to capture a few days later. Slightly embarrassed didn’t go anywhere near covering it.

    I’ve been an advocate of securing credentials for some time, and recently read about the author of “NIST Special Publication 800-63” (Bill Burr). Now retired, he has openly admitted the advice he originally provided as in fact, incorrect

    “Much of what I did I now regret.” said Mr Burr, who advised people to change their password every 90 days and use obscure characters.

    “It just drives people bananas and they don’t pick good passwords no matter what you do.”

    The overall security of credentials and passwords

    However, bearing in mind that this supposed “advice” has long been the accepted norm in terms of password securuty, let’s look at the accepted standards from a well-known auditing firm

    It would seem that the Sarbanes Oxley 404 act dictates that regular changes of credentials are mandatory, and part of the overarching controls. Any organisation that is regulated by the SEC (for example) would be covered and within scope by this statement, and so the argument for not regularly changing your password becomes “invalid” by the act definition and narrative. My overall point here is that the clearly obvious bad password advice in the case of the financial services industry is negated by a severely outdated set of controls that require you to enforce a password change cycle and be in compliance with it. In addition, there are a vast number of sites and services that force password changes on a regular basis, and really do not care about what is known to be extensive research on password generation.

    The argument for password security to be weakened by having to change it on a frequent basis is an interesting one that definitely deserves intense discussion and real-world examples, but if your password really is strong (as I mentioned previously, there are variations of this which are really not secure at all, yet are considered strong because they meet a complexity requirement), then a simple mutation of it could render it vulnerable. I took a simple lowercase phrase

    mypasswordissimpleandnotsecureatall

    1564764311-893646-nonillion.png
    The actual testing tool can be found here. So, does a potential criminal have 26 nonillion years to spare ? Any cyber criminal who possesses only basic skills won’t need a fraction of that time as this password is in fact made up of simple dictionary words, is all lowercase, and could in fact be broken in seconds.

    My opinion ? Call it how you like – the password is here to stay for the near future at least. The overall strength of the password or credentials stored using MD5, bCrypt, SHA1 and so on are irrelevant when an attacker can use established and proven techniques such as social engineering to obtain your password. Furthermore, the addition of 2FA or a SALT dramatically increases password security – as does the amount of unsuccessful attempts permitted before the associated account is locked. This is a topic that interests me a great deal. I’d love to hear your feedback and comments.