Category: threatpost

threat post logo
Cyber

NSA Warns Public Networks are Hacker Hotbeds

Agency warns attackers targeting teleworkers to steal corporate data.

The U.S. National Security Agency is offering advice to security teams looking for wireless best practices to protect corporate networks and personal devices. The recommendations, while pedestrian in scope, do offer system administrators a solid cheat sheet to share with their work-from-home crowd and mobile workforces.
For starters the NSA, in a public service announcement posted on Thursday (PDF), urged security teams to be mindful of the wireless threats employees face when using Wi-Fi networks. It also lumps Bluetooth technology and Near Field Communications (NFC) into its list of worrisome protocols.
By now, café-based workers have likely mastered both public bathroom and Wi-Fi hotspot hygiene. But, for anyone who hasn’t the NSA advises: “Data sent over public Wi-Fi—especially open public Wi-Fi that does not require a password to access— is vulnerable to theft or manipulation.”

Advice also includes warnings of fake access points that can vacuum up user credentials and skim other personal data retrieved on the “evil twin” access points.
NSA Warns of Bluetooth
More interestingly, the agency cites Bluetooth as a convenient protocol for private use, but when used in public settings it can be a nasty security liability. The NSA advises turning off Bluetooth in public, lest a user be open to a range of attacks such as BlueBorne or BlueBugging – both used to access and exfiltrate corporate data on targeted devices.
Just last May, security researcher Fabian Braunlein with Positive Security identified Apple’s Send My Bluetooth exploit which allowed data to be exfiltrated from a device to an attacker-controlled Apple iCloud server.
Worrisome NFC
The NSA also touched on Near Field Communications (NFC), a handy tool for contactless payments. It said data transfer between devices using NFC can be a cybersecurity minefield of pitfalls. With just a tap data, is moved across a radio network from one device to another.
Andy Norton a cyber-risk officer with Armis told Threatpost security teams are lagging behind when it comes to securing NFC communications.
“Radio connected devices represents a huge risk blind spot for organizations,” Norton said. “These are very much the soft underbelly of information security controls –– the majority of energy, focus, and money from a cyber resilience perspective is spent on preventing attacks coming through the internet connected attack surface. Very little is being done to access the risk from near field radio connections.”
He added on just about every job his team finds a “rogue antenna device and shadow IT activity from antenna-enabled IoT devices.”
In its security bulletin, the NSA suggests:

Disable NFC feature when not needed (if possible).
Do not bring devices near other unknown electronic devices. (This can trigger automatic communication.)
Do not use NFC to communicate passwords or sensitive data.

“Users should consider additional security measures, including limiting/disabling device location features, using strong device passwords, and only using trusted device accessories, such as original charging cords,” said the NSA.
User Behavior Biggest Cybersecurity Challenge
The NSA’s wireless warnings, while basic, still go unheeded by too many. Sadly, the practical and basic advice still needs promoted, experts said.
“My fear is that the don’ts are ingrained, existing behaviors that are not easy to change and at times unavoidable,” Setu Kulkarni with NTT Application Security said. “For example, while it is easy to say ‘Do not bring devices near other unknown electronic devices,’ is that practical?”
Kulkarni added in an ideal world one key employee cybersecurity rule companies should have in place is keeping personal stuff of their business devices. Enforcing compliance gets much trickier.
“These tips are as relevant in 2021 as they were in 2015, but with the shift to more remote work, there are more people using public Wi-Fi,” said Tim Erlin with Tripwire. “While these tips are useful, it can be hard for the average user to understand how to implement them. There’s really a substantial amount of work here for the average user to comply with the recommended settings.”
Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.

Cyber

Novel Meteor Wiper Used in Attack that Crippled Iranian Train System

A July 9th attack disrupted service and taunted Iran’s leadership with hacked screens directing customers to call the phone of Iranian Supreme Leader Khamenei with complaints.

An attack earlier this month on Iran’s train system, which disrupted rail service and taunted Iran’s leadership via hacked public transit display screens, used a never-before-seen wiper malware called Meteor that appears to have been design for reuse, a security researcher has found.
The initial attack, dubbed MeteorExpress, occurred July 9, when “a wiper attack paralyzed the Iranian train system,” according to a report by Juan Andres Guerrero-Saade at Sentinel Systems.
That attack disrupted service and directed customers via all of the displays and message boards at the train station to call “64411”–the number for the office of Supreme Leader Ali Khamenei—for more information.

The next day, attackers also hit the website and computer systems of the staff of Iran’s the Ministry of Roads and Urban Development, according to a published report.
SentinelLabs researchers reconstructed most of the attack chain in the train-system and discovered the novel wiper, which the threat actors—who also appear to be a new set of adversaries still finding their attack rhythm–refer to as Meteor, Guerrero-Saade wrote.
Guerrero-Saade credited security researcher Anton Cherepanov with identifying an early analysis of the event written in Farsi by an Iranian antivirus company as helping researchers recreate the attack.
What they discovered is that “behind this outlandish tale of stopped trains and glib trolls” are “the fingerprints of an unfamiliar attacker,” using a wiper that “was developed in the past three years and was designed for reuse,” Guerrero-Saade wrote.
Reconstructing the Attack
Overall, the toolkit that orchestrated the attack was comprised of a combination of batch files that implemented different components dropped from RAR archives, according to SentinelLabs. Attackers used the batch files, nested alongside their respective components, in a chain to successfully execute the attack.
“The wiper components are split by functionality: Meteor encrypts the filesystem based on an encrypted configuration, nti.exe corrupts the MBR, and mssetup.exe locks the system,” Guerrero-Saade wrote.
Researchers recovered “a surprising amount of files” for a wiper attack, but did not manage to reconstruct them all. One missing notable component was the MBR corrupter, nti.exe; its absence is significant because files overwritten by this component are the same as those overwritten by the notorious NotPetya ransomware, which crippled organizations around the world in 2017, Guerrero-Saade noted.
Despite the attack’s success, however, researchers found “a strange level of fragmentation to the overall toolkit,” he said.
“Batch files spawn other batch files, different RARarchives contain intermingled executables, and even the intended action is separated into three payloads: Meteor wipes the filesystem, mssetup.exe locks the user out, and nti.exe presumably corrupts the MBR,” Guerrero-Saade wrote.
Specific Attack Components
Researchers identified and elaborated two of those three payloads in the report. One is the main payload, the Meteor wiper, which comes in the form of an executable dropped under env.exe or msapp.exe,and is executed as a scheduled task with a single argument–an encrypted JSON configuration file, msconf.conf, that holds values for corresponding keys contained in cleartext within the binary, according to the report.
“At its most basic functionality, the Meteor wiper takes a set of paths from the encrypted config and walks these paths, wiping files,” Guerrero-Saade wrote. “It also makes sure to delete shadow copies and removes the machine from the domain to avoid means of quick remediation.”
The wiper also includes much more functionality that was not used in the Iranian train attack, he noted. It can: change passwords for all users; disable screensavers; terminate processes based on a list of target processes; install a screenlocker; disable recovery mode; changesboot policy error handling; create scheduled tasks; and log off local sessions, among other actions.
The fact that it has such broad capabilities seems to suggest that Meteor is not merely a one-off, but that its creators intend for it to be used in other attacks, Guerrero-Saade noted.
MeteorExpress attackers also dropped a standalone screenlocker, mssetup.exe,that blocks user input before creating a window that fills the entire screen before disabling the cursor and locking the user out entirely, according to the report.
Novice Attackers?
Despite its success in the MeteorExpress attack, the threat group seems still to be honing their skills and finding their way, as evidenced by the “contradictory” practices of Meteor’s code and capabilities, researchers observed.
“First, the code is rife with sanity checks, error checking, and redundancy in accomplishing its goals,” Guerrero-Saade wrote. “However, the operators clearly made a major mistake in compiling a binary with a wealth of debug strings meant for internal testing.”
The guts of Meteor also include a “bizarre amalgam of custom code” that leverages open-source components and “practically ancient” software–FSProLabs’ Lock My PC 4, pointing to the general experimental nature of the attackers’ approach, he said.
However, “while that might suggest that the Meteor wiper was built to be disposable, or meant for a single operation,” this code is “juxtaposed with an externally configurable design that allows efficient reuse for different operations,” Guerrero-Saade wrote.
Overall, the components of MeteorExpress that researchers examined point to a new, intermediate-level player in the attack landscape “whose different operational components sharply oscillate from clunky and rudimentary to slick and well-developed,” he concluded.
Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.

threat post logo
Cyber

UC San Diego Health Breach Tied to Phishing Attack

Employee email takeover exposed personal, medical data of students, employees and patients.

Authorities at the University of California San Diego Health reported a phishing attack lead to a major breach of its network, which allowed an adversary to gain access to sensitive patient, student and employee data.
A Wednesday notice from UCSD Health explains the attack occurred between Dec. 2, 2020 and April 8, 2021 and exposed personal information including full names, addresses, date of birth, email, social security number and the date and cost of medical services.
UCSD Health said the matter was referred to the Federal Bureau of Investigation.“This process of analyzing the data in the email accounts is ongoing,” the notice said. “UC San Diego Health is moving as quickly as possible while taking the care and time to deliver accurate information about which data was impacted. At this time, we are aware that these email accounts contained personal information associated with a subset of our patient, student, and employee community. This review will be complete in September.”
Dangers of Stolen Data
Post investigation, UCSD Health said it will contact individuals whose personal data was exposed and offer them a year of free identity theft protection services. However, experts point out, the potential risks associated with this type of data loss could impact victims for years.
“Fraudsters can leverage the medical records, lab results, Social Security numbers and government identification numbers to impersonate legitimate patients and commit insurance fraud, seek covered medical care and refill unauthorized prescriptions,” Robert Prigge, CEO of Jumio said. “It’s also possible the exposed information is already circulating on the dark web – where it can command a high value since there’s more personal information in health records than any other electronic database.”
James Carder CSO at LogRhythm added the data could be used in threats far more sinister than identity theft.
“They could also face extortion-based attacks threatening to disclose sensitive medical diagnosis or images if payments are not made,” Carder said. “Additionally, it is conceivable that the medical state, diagnosis or prescription information for high profile patients could be of interest to nation states, terrorist groups, or other threat actors looking to do physical harm.”
Healthcare Diagnosis: Weak Security
Still, despite the rising number of attacks against the health care sector throughout the COVID-19 pandemic, medical cybersecurity hasn’t kept apace, said Anurag Kahol, CTO and Cofounder of Bitglass.
Kahol points out between 2019 and 2020 the number of healthcare breaches spiked by 55.1 percent.
“Due to the massive amounts of personal health information (PHI) healthcare institutions store in their systems, the sector as a whole must take a more vigilant approach to security,” Kahol said. “As such, these organizations must leverage a Zero Trust framework to ensure all their resources and data are granularly secure. Additionally, deploying multi-faceted cybersecurity platforms that include data loss prevention (DLP), multi-factor authentication (MFA) and user and entity behavior analytics (UEBA) can provide them with full visibility and control over their entire network.”
Regardless of the approach, it’s evident healthcare organizations need better cybersecurity than basic firewall and employee awareness training. A recent Cloudian report found 65 percent of organizations that fell victim to phishing attacks had previously conducted employee cybersecurity training.
Alicia Townsend, technology evangelist, OneLogin pointed out that UCSD Health, in its public breach notification statement, suggested that even basic user training was lacking.
“UC San Diego Health has stated that they have taken steps to enhance their security processes and procedures,” Townsend said.  “But even they admit that they need the ‘community to remain alert to threats.’ We have stated it before, and it needs to be stated again: healthcare institutions must implement security training for all of their users. Everyone needs to be educated on how to spot phishing attempts, how to keep their passwords secure, the importance of using additional authentication factors, and what to do in case they suspect an attack.”
Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 a.m. EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11 a.m. EST for this LIVE discussion.

threat post logo
Cyber

CISA’s Top 30 Bugs: One’s Old Enough to Buy Beer

There are patches or remediations for all of them, but they’re still being picked apart. Why should attackers stop if the flaws remain unpatched, as so many do?

In a perfect world, CISA would laminate cards with the year’s top 30 vulnerabilities: You could whip it out and ask a business if they’ve bandaged these specific wounds before you hand over your cash.
This is not a perfect world. There are no laminated vulnerability cards.
But at least we have the list: In a joint advisory (PDF) published Wednesday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Center, and the UK’s National Cyber Security Center listed the vulnerabilities that were “routinely” exploited in 2020, as well as those that are most often being picked apart so far this year.

The vulnerabilities – which lurk in devices or software from the likes of Citrix, Fortinet, Pulse Secure, Microsoft and Atlassian – include publicly known bugs, some of which are growing hair. One, in fact, dates to 2000.
“Cyber actors continue to exploit publicly known – and often dated – software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” according to the advisory. “However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”
So far this year, cyberattackers are continuing to target vulnerabilities in perimeter-type devices, with particularly high amounts of unwanted attention being devoted to flaws in the perimeter devices sold by Microsoft, Pulse, Accellion, VMware and Fortinet.
All of the vulnerabilities have received patches from vendors. That doesn’t mean those patches have been applied, of course.
Repent, O Ye Patch Sinners
According to the advisory, attackers are unlikely to stop coming after geriatric vulnerabilities, including CVE-2017-11882: a Microsoft Office remote code execution (RCE) bug that was already near drinking age when it was patched at the age of 17 in 2017.
Why would they stop? As long as systems remain unpatched, it’s a win-win for adversaries, the joint advisory pointed out, as it saves bad actors time and effort.
Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. —Advisory
In fact, the top four preyed-upon 2020 vulnerabilities were discovered between 2018 to 2020, showing how common it is for organizations using the devices or technology in question to sidestep patching or remediation.
The top four:

CVE-2019-19781, a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that left unpatched outfits at risk from a trivial attack on their internal operations. As of December 2020, 17 percent – about one in five of the 80,000 companies affected – hadn’t patched.
CVE 2019-11510: a critical Pulse Secure VPN flaw exploited in several cyberattacks that targeted companies that had previously patched a related flaw in the VPN. In April 2020, the Department of Homeland Security (DHS) urged users to change their passwords for Active Directory accounts, given that the patches were deployed too late to stop bad actors from compromising those accounts.
CVE 2018-13379: a path-traversal weakness in VPNs made by Fortinet that was discovered in 2018 and which was actively being exploited as of a few months ago, in April 2021.
CVE 2020-5902: a critical vulnerability in F5 Networks’ BIG-IP advanced delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware and more.

The cybersecurity bodies urged organizations to remediate or mitigate vulnerabilities as soon as possible to reduce their risk of being ripped up. For those that can’t do that, the advisory encouraged organizations to check for the presence of indicators of compromise (IOCs).
If IOCs are found, kick off incident response and recovery plans, and let CISA know: the advisory contains instructions on how to report incidents or request technical help.
2020 Top 12 Exploited Vulnerabilities
Here’s the full list of the top dozen exploited bugs from last year:

Vendor
CVE
Type

Citrix
CVE-2019-19781
arbitrary code execution

Pulse
CVE 2019-11510
arbitrary file reading

Fortinet
CVE 2018-13379
path traversal

F5- Big IP
CVE 2020-5902
remote code execution (RCE)

MobileIron
CVE 2020-15505
RCE

Microsoft
CVE-2017-11882
RCE

Atlassian
CVE-2019-11580
RCE

Drupal
CVE-2018-7600
RCE

Telerik
CVE 2019-18935
RCE

Microsoft
CVE-2019-0604
RCE

Microsoft
CVE-2020-0787
elevation of privilege

Netlogon
CVE-2020-1472
elevation of privilege

Most Exploited So Far in 2021
CISA et al. also listed these 13 flaws, all discovered this year, that are also being energetically exploited:

Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065: four flaws that can be chained together in the ProxyLogon group of security bugs that led to a patching frenzy. The frenzy was warranted: as of March, Microsoft said that 92 percent of Exchange Servers were vulnerable to ProxyLogon.
Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. As of May, CVE-2021-22893 was being used by at least two advanced persistent threat actors (APTs), likely linked to China, to attack U.S. defense targets, among others.
Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104. These ones led to scads of attacks, including on Shell. Around 100 Accellion FTA customers, including the Jones Day Law Firm, Kroger and Singtel, were affected by attacks tied to FIN11 and the Clop ransomware gang.
VMware: CVE-2021-21985: A critical bug in VMware’s virtualization management platform, vCenter Server, that allows a remote attacker to exploit the product and take control of a company’s affected system.

The advisory gave technical details for all these vulnerabilities along with guidance on mitigation and IOCs to help organizations figure out if they’re vulnerable or have already been compromised. The advisory also offers guidance for locking down systems.
Can Security Teams Keep Up?
Rick Holland, Digital Shadows CISO and vice president of strategy, called CISA vulnerability alerts an “influential tool to help teams stay above water and minimize their attack surface.”
The CVEs highlighted in Wednesday’s alert “continue to demonstrate that attackers are going after known vulnerabilities and leverage zero-days only when necessary,” he told Threatpost on Thursday.
Recent research (PDF) from Vulcan Cyber has found that more than three-quarters of cybersecurity leaders have been impacted by a security vulnerability over the past year. It begs the question: Is there a mismatch between enterprise vulnerability management programs and the ability of security teams to mitigate risk?
Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, suggested that it’s become ever more vital for enterprise IT security stakeholders to make “meaningful changes to their cyber hygiene efforts.” That means “prioritizing risk-based cybersecurity efforts, increasing collaboration between security and IT teams, updating vulnerability management tooling, and enhancing enterprise risk analytics, especially in businesses with advanced cloud application programs.”
Granted, vulnerability management is “one of the most difficult aspects of any security program,” he continued. But if a given vulnerability is being exploited, that should kick it up the priority list, Var-Dayan said. “Taking a risk-based approach to vulnerability management is the way forward; and teams should unquestionably be prioritizing vulnerabilities that are actively being exploited.”
072921 15:02 UPDATE: Corrected misattribution of quotes.
Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.

threat post logo
Cyber

Israeli Government Agencies Visit NSO Group Offices

Authorities opened an investigation into the secretive Israeli security firm.

Authorities from multiple agencies of the Israeli government paid a visit the offices of the NSO Group as part of a new investigation into claims that the secretive firm is selling its spyware to threat actors for targeted attacks, according to the Israeli Ministry of Defense.
A single tweet from the ministry announced the raid on Wednesday, but did not disclose exactly which government agencies participated. Specifically, Israeli agents visited NSO Group’s offices in Herzliya, near the city of Tel Aviv, according to a post by analyst firm Recorded Future’s The Record.
“Representatives from the number of bodies came today to NSO to examine the publications and claims raised in the matter,” the ministry tweeted (Google translated from Hebrew).NSO Group is working “in full transparency” with authorities, the firm told The Record.
“We are confident that this inspection will prove the facts are as declared repeatedly by the company against the false allegations made against us in the recent media attacks,” the company said, according to the post.
However, security experts and industry watchers aren’t so sure of the company’s claim of innocence in the matter.
“NSO insists that the report is wrong, but also that it’s fine to spy on people, and also that terrorists will murder us all if they aren’t allowed to reap vast fortunes by helping the world’s most brutal dictators figure out whom to kidnap, imprison and murder,” tweeted Cory Doctorow, an author, journalist and activist.
“As I say, all of this is rather ordinary. The NSO Group’s bloody hands, immoral practices and vicious retaliation against critics are well established,” he added in a separate tweet.
Open Investigation
According to Israeli news outlet Calcalist, the Israeli government’s actions are the start of an effort to get to the bottom of a report called the Pegasus Project that examined leaked data from the NSO Group and spurred an international incident that’s rapidly escalating.
The report in the Guardian newspaper revealed a cache of more than 50,000 mobile phone numbers worldwide that the firm was storing and alleged that Pegasus malware is being used to target activists, journalists, business executives and politicians on a widespread level, using a variety of exploits — including a zero-click zero-day in Apple’s iOS.
Seventeen media organizations participated in the investigative effort, which also accused NSO Group of selling Pegasus to unidentified third-parties, including governments. These entities then use it to infect the phones of dissidents and other people who may be critical of a given regime.
The malware can secretly take remote control of the phone to monitor activity, enabling “customers” to even read encrypted messages of their targets sent via Signal and Telegram.
The report triggered a global response against NSO’s alleged activities, with human rights organization Amnesty International calling “the vast scale of violations perpetrated through secretive cyber surveillance” “a global human rights crisis.”
Security experts also weighed in, with one–Paul Bischoff, a privacy advocate at Comparitech—calling NSO an “weapons dealer.” Others, nothing how Pegasus has been exploiting an iOS zero-day flaw, took aim at Apple for its proprietary security ecosystem.
Still, while many criticized NSO Group for its activities, some see the report and subsequent investigation as an effort to damage the reputation of the Israeli cyber industry at a time when Israel has come under fire internationally for its continued military actions against the Palestinian state.
“They are trying to hurt the Israeli cyber industry reputation, and NSO won’t be their first neither their last,” tweeted @IntelMA, a user who claims to be part of the North and West Africa military intelligence. “They have an agenda, and it’s clear.”
Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 a.m. EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11 a.m. EST for this LIVE discussion.

Cyber

Six Malicious Linux Shell Scripts Used to Evade Defenses and How to Stop Them

Uptycs Threat Research outline how malicious Linux shell scripts are used to cloak attacks and how defenders can detect and mitigate against them.

Siddartha Sharma and Adhokshaj Mishra
Evasive techniques used by attackers, date back to the earlier days, when base64 and other common encoding schemes were used. Today, attackers are adopting new Linux shell script tactics and techniques to disable firewalls, monitoring agents and modifying access control lists (ACLs).
In previous Uptycs Threat Research posts, we discussed the common utilities in Linux, which are generally used by threat actors in the attack chain. In this report, we highlight those common defense evasion techniques, which are common in malicious Linux shell scripts. And then, we outline how Uptycs spots and mitigates against them.
In this post, we cover common evasive shell-script techniques as:

Uninstalling monitoring Agents
Disabling Firewalls and Interrupts
Disabling Linux Security Modules (LSMs)
Modifying ACLs
Changing Attributes
Renaming common Utilities

The hash 39ac019520a278e350065d12ebc0c24201584390724f3d8e0dc828664fee6cae will be used to demonstrate and explain these techniques.
Technique 1: Uninstalling monitoring Agents
Monitoring agents are the software components that regularly monitor the activities going on in the system related to process and network. Various logs are also created by the monitoring agents, which helps as an aid during any incident investigation.
The malicious script, we found in our in-house osquery based sandbox tries to:

Uninstall cloud related monitoring agent Aegis (Alibaba Cloud threat detection agent), stopping the Aliyun service.
Uninstall YunJing which is a host security agent from Tencent.

Uninstall BCM client management agent which is generally installed on Endpoints for risk mitigation.

Technique 2: Disabling Firewalls and Interrupts
Most of the systems and servers deploy firewalls as a defense mechanism.In the malicious script, attackers try to disable the firewall i.e., uninterrupted firewall (ufw) as a defense evasive tactic. Along with that, attackers also remove iptables rules (iptables -F) because it is widely used for managing the firewall rules on Linux systems and servers. (see figure 2)

Attackers also used the commands to disable non-maskable Interrupt(nmi). Watchdog is basically a configurable timer mechanism which generates interrupt at a particular given condition and time. In case of the system freeze, the nmi watchdog interrupt handler would kill the task which is responsible for the system freeze. To evade this defense mechanism, attackers disable watchdog feature using sysctl command or temporarily disabling it by setting the value to ‘0’. (see figure 3)

Technique 3: Disabling Linux Security Modules (LSMs)
The malicious shell script also disables Linux security modules like SElinux, Apparmor. These modules are designed to implement mandatory access control(MAC) policies. A server administrator could simply configure these modules to provide the users restricted access to the installed or running applications in the system.
AppArmour
AppArmour is a security feature in Linux which is used to lock down applications like Firefox for increased security. A user can restrict an application in Ubuntu’s default configuration by giving limited permission to a certain application.

SElinux
SElinux is another security feature in Linux systems by which a security administrator could apply security context on certain applications and utilities. On some web servers, the shell is disabled or restricted so for RCE (Remote Code Execution) adversaries usually bypass/disable this:

Technique 4: Modifying ACLs
ACLs, or Access Control Lists, contain the rules by which permissions on files and utilities are granted. Filesystem ACLs tell operating systems which users can access the system, and what privileges the users are allowed. Setfacl utility in Linux is used to modify, remove the ACL, in the script we can see the usage of setfacl which sets permissions of chmod for the user:

Technique 5: Changing Attributes
Chattr in Linux is used to set/unset certain attributes of a file, more on chattr utility here. Adversaries use this for their own dropped files or to make their files immutable so that a user cannot delete it:

Another scenario:

Technique 6: Renaming common Utilities
One of the malicious scripts (d7c4693f4c36d8c06a52d8981827245b9ab4f63283907ef8c3947499a37eedc8) also contained common utilities like wget,curl used with different names. These utilities are generally used to download files from the remote IP. Attackers use these utilities to download malicious files from C2.Some of the security solutions whose detection rules monitor the exact names of the utilities might not trigger the download event if wget,curl are used under different names.

Uptycs EDR Detections
Uptycs EDR armed with YARA process scanning detected these malicious scripts with a threat score of 10/10.

Uptycs EDR Queries
Alongside the detections, Uptycs EDR also records all the events we mentioned above in the process_events table. Using the queries below, incident response analysts can easily identify such malicious events:
Firewall disabling
select * from process_events where exe_name = ‘ufw’;
ACL modification
select * from process_events where exe_name = ‘setfacl’;
Chattr utility usage
select * from process_events where exe_name = ‘chattr’ and cmdline = ‘chattr +ia /home/hilde/.ssh/authorized_keys2’;
Checking renamed common utilities (wget,curl)
select * from process_events where exe_name = ‘mv’;
Conclusion
As attackers are using more sophisticated and novel methods for evasion, it becomes increasingly important to monitor and record the activities happening in the system. Uptycs EDR offers the added benefit of taking a deep dive into the events logged, providing more insights of an attack. The reactive nature of Uptycs’ EDR helps to log everything whatever goes on in the system.
We recommend the following measures:

Regularly monitor the suspicious processes, events, and network traffic spawned on the execution of any untrusted binary.
Keep systems and firmware updated with the latest releases and patches.

Hashes

39ac019520a278e350065d12ebc0c24201584390724f3d8e0dc828664fee6cae
1ad0104478301e73e3f49cdeb10f8c1a1d54bccf9248e34ff81352598f112e6b
b60ffcc7153650d6a232b1cb249924b0c6384c27681860eb13b12f4705bc0a05
3b280a4017ef2c2aef4b3ed8bb47516b816166998462899935afb39b533890ad
7b6f7c48256a8df2041e8726c3490ccb6987e1a76fee947e148ea68eee036889
d7c4693f4c36d8c06a52d8981827245b9ab4f63283907ef8c3947499a37eedc8

Want to Learn More About How Uptycs Can Help Secure Your Linux Environments? Watch A 15-Minute Demo!

Cyber

Reboot of PunkSpider Tool at DEF CON Stirs Debate

Researchers plan to introduce a revamp of PunkSpider, which helps identify flaws in websites so companies can make their back-end systems more secure, at DEF CON.

Researchers will release a reboot of a controversial tool that crawls the web to identify back-end vulnerabilities in websites in the hopes that companies will quickly fix them and reduce security risks.
However, experts have mixed feelings about the tool called PunkSpider, created by the analytics firm QOMPLX. They fear the tool could be hijacked by hackers to exploit vulnerabilities before companies have time to patch them.
Alejandro Caceres, director of computer network exploitation at QOMPLX, and hacker Jason Hopper will introduce a revamped version of PunkSpider at the upcoming DEF CON gathering next week.QOMPLX cited the rise of ransomware as one of the reasons for a reboot of PunkSpider, which provides “a simple and massively scalable monitoring tool that quickly identifies gaps in collective defenses by highlighting which websites can easily fall prey to attackers,” according to a press release.  The tool can provide internet users and the cyber community a “shared perspective” on the specific dangers of the web, the company said.
“We want everyone to be able to answer a simple question: how dangerous is the internet I use?” said Jason Crabtree, CEO of QOMPLX, said in a press statement “Our extensive research revealed a large but unfortunately not surprising number of basic vulnerabilities across the web. The common exploits that PunkSpider detects serve as a key proxy for risk overall, and frankly if website owners are not fixing the fundamentals it’s unlikely they’re fully addressing bigger vulnerabilities.”
Back by Popular Demand?
Caceres and Hopper said demand was another reason to update and reintroduce the tool after a years-long hiatus, adding that myriad issues and negative attention forced the tool, originally funded by the Defense Advanced Research Projects Agency, into hibernation.
“We’ve been getting asked a lot for ‘that tool that was like Shodan but for web app vulns,’” they wrote in a write-up for their session at DEF CON. “PunkSpider … was taken down a couple of years ago due to multiple … issues and threats. We weren’t sure in which direction to keep expanding, and it ended up being a nightmare to sustain.”
The new and improved PunkSpider is a “completely re-engineered” system that also expands the capabilities of the tool to find vulnerabilities, they wrote.
“It is not only far more efficient with real-time distributed computing and checks for way more vulns, we [also] had to take some creative ways through the woods,” Caceres and Hopper wrote.
The new tool in fact will have its own dedicated ISP and data center in Canada to integrate “freely available data that anyone can get but most don’t know is available,” they said. The data they refer to will be a massive collection of known web vulnerabilities.
Caceres and Hopper also plan to release tens of thousands of vulnerabilities at the conference and will ask for suggestions about what to search for to uncover even more.
Circa 2017: This message greeted visitors to PunkSpider’s website promoting its 3.0 version of its offensive cybersecurity testing tool.
Bug Bounty Bonanza?
As its creators know well, not everyone is thrilled about PunkSpider’s comeback, however.
In comments emailed to Wired, Electronic Frontier Foundation analyst Karen Gullo said that while the folks behind PunkSpider have “good intentions,” making the vulnerabilities public could backfire and have the opposite effect that its creators intended.
“Making them public might be the thing that pushes administrators to fix [these vulnerabilities]. But we don’t recommend it,” she told Wired. “Bad actors can exploit the vulnerabilities faster than administrators can plug them, leading to more breaches.”
And while many on Twitter have voiced support for the tool—with cybersecurity expert Stephen Frei observing that “you can’t manage what you can’t measure”– critics also took to the social-media platform to express consternation about PunkSpider.
One suggested that it may limit the opportunity for ethical hackers to win rewards for finding vulnerabilities that companies currently give them. “Ok so maybe I’m dumb but doesn’t a tool like this make bug bounties pointless?” questioned Twitter user @thedragonisreal.
A reply to the Tweet countered that PunkSpider certainly won’t pick up every vulnerability, so there will still be plenty for ethical hackers and researchers to dig up and submit to company’s vulnerability-reward programs.
Another Twitter user raised an ethical issue with the tool, suggesting it is needlessly calling out site insecurities without proof that companies respond accordingly and make necessary changes to protect themselves.
“Not sure if exposing sites like this is a good idea without data showing it lead to meaningful changes the first time around,” tweeted a user called @cypnk who is in the medical hardware industry. “If it didn’t, then it’s needlessly malicious.”Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.

threat post logo
Cyber

Podcast: Why Securing Active Directory Is a Nightmare

Researchers preview work to be presented at Black Hat on how AD “misconfiguration debt” lays out a dizzying array of attack paths, such as in PetitPotam.

This week, Microsoft rushed out a fix for a Windows NT LAN Manager exploit dubbed “PetitPotam” that forces remote Windows systems to reveal password hashes that can be easily cracked.
The frenzy begs the question: Why is securing Microsoft Active Directory (AD) such a nightmare?
When security researcher Gilles Lionel first identified the bug last week, he also published proof-of-concept (PoC) exploit code to demonstrate the attack. The PoC demonstrated how a PetitPotam attack can be chained to an exploit targeting Windows Active Directory Certificate Services (AD CS), which provides public key infrastructure (PKI) functionality.

Attack paths in AD are a huge issue for enterprises. It’s not just PetitPotam; AD was also part of the problem during the SolarWinds attacks.
SpecterOps researchers Lee Christensen and Will Schroeder, who recently published a report on abusing AD CS titled Certified Pre-Owned (PDF) that they’ll also be doing a session on at Black Hat next week, are trying to get the security community to think about the AD problem in terms of “misconfiguration debt”: as in, incremental misconfigurations that build up over time, such that attackers are virtually guaranteed to find an attack path to their objective on any network.
It’s a serious situation. AD is used by over 90 percent of the Fortune 1000 for identity and access management. Organizations need solutions that can simplify protection: solutions that can cut through the haze to gain better visibility into AD.
Christensen and Schroeder were kind enough to come on the Threatpost podcast to talk about the issue and to bring good tidings about new tools that can help. They were joined by their colleague Andy Robbins, a co-creator of a free and open-source attack path mapping tool called BloodHound.
See below for links to the tools that our guests discussed, as well as links to their paper and blog post.
You can download the podcast here, listen to the episode below, or scroll down to read a lightly edited transcript.

Get the Tools
Below are links to the tools discussed in the podcast, as well as a link to the researchers’ blog post, plus a link to the full, 140-page white paper:

BloodHound
PSPKAudit and Certify on GitHub
AD Certificate Services research blog post
AD Certificate Services research full white paper (PDF)

Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.
Lightly Edited Transcript
Lisa Vaas: Welcome to the Threatpost podcast. I’m your host, Lisa Vaas. My guests today are Lee Christiansen and Will Schroeder, the SpecterOps researchers behind a recent report entitled Certified Pre-owned: Abusing Active Directory Certificate Servers, about attack paths in Microsoft Active Directory.
This is a huge issue for enterprises. In fact, Active Directory was part of the problem during the SolarWinds attack. We’re also joined by their colleague, Andy Robbins, a co-creator of a free and open- source attack path mapping tool called BloodHound. The trio will be hosting a session on this research at Black Hat.
Welcome, Lee, Will and Andy, it’s a pleasure to have you on the show. Could you give us a little about your backgrounds?
Will Schroeder: Sure. My name is Will Schroeder. My handle is @harmj0y on Twitter, GitHub and everywhere else. I’m a technical architect, with SpecterOps, and I’ve been involved in offensive security, PowerShell, Active Directory, attack tooling, these types of things for a good number of years.
Lee Christensen: My name is Lee Christiansen. I go by @tifkin_ on Twitter, and I’m also a technical architect here at SpecterOps. And I’ve been involved with red teaming and research and development and capability development here at SpecterOps. Helping support our offensive services.
Andy Robbins: My name is Andy Robbins. I’m like you mentioned, Lisa I’m one of the co-creators of the free and open source tool BloodHound. Will is actually also a, one of the co-creators of that. My background is in managing Active Directory environments. And then for the past six or seven years also on the red team side, and now full time I work on BloodHound development.
Lisa Vaas: Well, great. Thank you so much. It’s a pleasure to have you here.
So take it away, gentlemen. We’re all eager to hear what a nightmare it is to secure Active Directory, how that’s worked in attackers’ favor and how security professionals are tackling the issue today. So go right on.
Will Schroeder: Yeah. I will say that, you know, one of the things people tend to ask is like why Active Directory is such a problem.
You know, it’s, there’s a lot of different parts to this answer. So I was kind of the first part and then lean and you can kind of follow on, but one of the things is that it’s definitely ubiquitous. So like 90, 95 percent of enterprises will use Active Directory in some form. So part of this, this means that attackers just need to refine their skills against Active Directory.
And they’re able to reuse those same attacks, tooling skills, and anything to attack a large number of organizations across the globe. So there’s definitely a really high attacker kind of payoff for investing in tooling and offensive research against Active Directory because it can be reused to attack a large number of organizations.
Lee Christensen: Yeah, I I’d say also another large aspect of this is that Active Directory is being central authentication system in most Windows environments. So that means it’s responsible for managing the users, the passwords and the accounts of just everybody and configuring, you know, the computers in the, in the entire organization and as such I like to say it has a large blast radius. So if something gets compromised in Active Directory, a lot of times the entire network can get compromised. And so there’s a lot of components to it as well that can be abused. And so like, depending on, you know, these different components you get access to, you can, you know, achieve other objectives.
So beyond just authentication so you can compromise, you know, a server, you can get access to the data. Just by abusing all of these features that come as a part of Active Directory.
Andy Robbins: Yeah, I think the only thing I would add so Will and Lee, you mentioned that Active Directory, it’s ubiquitous, it’s powerful.
And for most organizations it’s foundational, their entire business processes are built on and rely on the availability, stability, and security of Active Directory. The only other thing I would add is that while Active Directory is incredibly powerful for the business and for attackers, you know, from our perspective being attackers, it’s relatively easy to attack. It’s incredibly difficult to appropriately defend. I think the biggest reason for that in my mind is Active Directory and Windows both have this opacity to them in that it’s very difficult to answer the question of, who has control of any other object or who has control of the computer, or even the other way around: Given any user, any group, how powerful is that user or that group?
The built-in tooling that is afforded to admins in Windows and Active Directory makes it incredibly difficult to answer those questions. And so things like least privilege access that are supposedly best practice are totally impractical for most organizations to implement in the first place. Let alone maintain over time.
Will Schroeder: And the last thing I’ll add on to that last kind of point is just the complexity of Active Directory along with, you know, how easy it can occasionally be to where one of the things we’ve seen and a term we’ve tried to help kind of push is misconfiguration debt, where we see Active Directory has been in an environment for a long period of time.
These seemingly small changes, they might look, you know, innocuous or whatever can start to build up and can start to be chained together to result in unintentional environment compromise. So, and it’s difficult for administrators to see the impacts that those really small little changes might have on the, you know, the security of the entire system
Lisa Vaas: You’ve called it a nightmare to configure Active Directory.
Will Schroeder: It can be. All three of us have been involved in securing and attacking Active Directory for a long, you know, a large number of years. And as an example, the research that Lee and I performed on Active Directory Certificate Services that we’re talking about, at Black Hat, you know, introduces this whole additional, like attack surface that a lot of people didn’t really fully know about or understand that’s been around for decades, you know, this part of Active Directory and it provides a common way for organizations to misconfigure their environments in a different way that allows complete domain compromise. We’ve seen that a lot from departments, people. You know, weren’t even fully aware to the extent that, you know, their teams were running Active Directory Certificate Services or what the security implications could be.
So I think it’s a good example of even though the system has been around Active Directory has been around for a long time, there’s still things that pop up that we, as an industry or as organizations didn’t completely understand the security implications of. You can’t secure for things that you don’t fully understand, and it’s just, you know, more and more things seem to come up.
Lee Christensen: Yeah. I think that kind of speaks to kind of a problem. Our industry as a whole is deprecating and modernizing older technologies that we have. You look at things like Active Directory Certificate Services, or like some of the recent vulnerabilities that have been coming out and like spooler, and like these old technologies that have been around forever.
You know, they haven’t been stopped yet by Microsoft or others. like you look at other vendors to upgrade their technologies to modern technologies. So kind of maybe rewriting it in a more secure language or deprecating features. And so there’s, there tends to be a much higher focus on adding new features, which in the attacker’s eyes, that’s just adding more attack surface.
That’s more I can try and abuse and exploit, whereas there’s very little focus on, you know, turning off things that don’t need to be enabled anymore. Or, you know, a lot of this code was written maybe 20 years ago, let’s rewrite that and maybe a newer, safer language like Rust or, you know, just these newer languages that are just safer.
Rather than, you know, running these old, you know, dangerous memory, unsafe languages.
Lisa Vaas: Fair enough. And Andy, how about from your point of view?
Andy Robbins: Admins may do one thing in the environment. Maybe that one thing is they add a principal to a security group, or they grant a permission on a particular object.
Nothing in Active Directory happens in a vacuum. There are connections, and there are relationships between all these different objects. So because someone is added to a security group, that means that they gain all the privileges of that security group. And the privileges that that group had, can be abused to form full attack paths that then result in the compromise of a domain admin or an enterprise admin or whatever, and something that Will and Lee both mentioned as well, is that there’s all this misconfiguration debt that builds up over the years.
It’s built on older technology. So a lot of Active Directory was written 20 years ago. A lot of current Windows operating systems get code from Windows NT or maybe even Windows 95. And so these attack paths that present themselves or emerge from these disparate and seemingly unrelated configurations and user behaviors.
There’s nothing new, those attack paths they’ve been there the entire time, but they’ve been invisible to AD admins. And because you can’t see those attack paths, you can’t really hope to do anything about them.
Lisa Vaas: So it sounds like visibility is a huge issue.
Andy Robbins: Absolutely. Yes. Yeah.
And is that where the mapping come in, is that where BloodHound comes in?
Sure. Yeah. So we created, Will, Rowe Hunt and I created BloodHound from our red team perspective. What, six years ago? Five years ago in 2016. And we use it. We built it originally for that exact purpose, for mapping those attack paths. And what we discovered was that there was this tedious, but very reliable attack technique called derivative, local admin or identity snowball attack.
So our team, other teams, we all landed on that same kind of methodology. Especially as Microsoft was getting better and not having server side exploits all over the place and software vendors were getting better at the same organizations.
We’re getting better at their vulnerability management practices. And so the old- school, throw a Metasploit exploit, get a shell that started to go to the wayside. But these attack paths that we could find by hand, they had been there the entire time. We just didn’t really need to sniff them out with BloodHound.
BloodHound, totally automates the process of finding those attack paths for us. And so, the free and open source version of BloodHound. It is built for red teamers by red teamers for that particular use case. But it does offer that visibility that you’re talking about, Lisa, that you can easily answer questions like who is a local admin on this computer.
It’s actually amazingly difficult to answer that question just with Windows or who can perform the DC synced attack. Very hard to tell that and audit that with built-in tooling, from Microsoft, easy as pie with free and open source BloodHound. And so defenders, they can use that free software to see how big of a problem they have with attack paths.
And I’m here to tell you that the problem is usually pretty big. They can also use that free version of the software to easily audit those permissions, both inbound. So who has permissions, inbound against anything, but also outbound. So, you know, my user, they’re not supposed to have local admin. Where does it, and how does it, does it have local admin somewhere, maybe through a group membership, maybe through an attack path and they can use that free version of the software also to make really big wins on knocking out frankly, millions of attack paths with relatively minimal efforts. So making just little permission changes on this object here, making little user behavior changes for these users here can result in seeing those numbers of attack paths go down just with using the freestyle.
Lisa Vaas: That sounds like a good outcome, Andy, before we go on you used a term credential shuffling that I’m not familiar with. I can kind of guess what it might be, but do you want to just explain what that is?
Andy Robbins: Sure. Yeah. So let’s say that, you know, I’m just a, a low, normal user, you know, I’m doing my thing and you know, Let’s let’s say accounting, just as just give a canonical example and let’s say that, well, you know what, it turns out that I have local admin on the computer that Lee uses, and then it turns out that Lee has local admin on the computer that will use this.
And so even though I don’t directly have that local admin on Will’s computer, I can kind of go to Lee’s computer, steal his credential and then kind of shuffle it. And turn that into admin on Will’s computer so I can execute that attack path. Then in that context, it relies on credentials. And so that’s why the credential shuffle term originated.
But these attack paths are not limited whatsoever just to credentials, they’re control of other objects, control of certificate templates control of anything else control of no you, whatever you like.
Lisa Vaas: Thank you for that explanation. What are our security professionals doing about this problem right now?
Will Schroeder: You know a lot of security professionals, not all, but you know, many tend to focus on a particular attack or kind of whatever is new without holistically understanding, you know, the entire system of Active Directory and how it can really affect an organization with a lot of these new attacks.
So like for example, the PetitPotam type thing that’s shown up in the news over the last week, that’s kind of used in combination with our Active Directory Certificate Services research. That’s great to be able to use that attack and show that something can be compromised and the risks for an organization.
But that’s just part of this one huge system like Andy had talked about and the complexity of this, it takes time and effort to try to understand. Professionals don’t have a complete, full grasp over kind of the intricacies of the entire system and how those things can really affect.
Like, that’s why Lee and I started diving into the Active Directory Certificate Services, for example, because we didn’t fully understand it. And then we realized all these types of new attack paths and attacker tradecraft, and things kind of fell out of that reason.
Lisa Vaas: When did you start to delve into this issue and why? What prompted you to look at this?
Lee Christensen: We started researching this at the beginning of this year, so, and about January and I mean, we’d known about Active Directory Certificate Services. We’d heard about it, some of the attacks that you can perform against it, but we hadn’t really dove in. And then I was reading some documentation online one day and found an interesting line: I was like, I didn’t know that you could authenticate using a certificate .
Or to LDAP in a specific way. And I, I messaged that to Will, and that just kind of kicked off all of our research here. Originally we just thought we saw a couple of things that were interesting . We dug into it. Like we found all these different ways that you can abuse Active Directory Certificate Services.
So originally we just wanted to write up a, like a short little blog post on it. And then as we continued our research that blog post grew into a 140- page white paper. You know, all the different kinds of tradecraft that attackers can abuse and defenses using Active Directory Certificate Services.
Active Directory Certificate Services has been around since the year 2000. So it was really, really old and it’s been in most networks. Most large networks have it. And it’s just been kind of chugging away, kind of like the old boiler in a basement, it’s working, but you don’t necessarily know the state of it or like how good it is.
In alot of companies, it’s been working just fine, but they haven’t really inspected it that well. And so. Since we’ve started looking at things, we’ve just noticed some massive misconfigurations in it. And I would say probably in like 80 to 90% of the networks we’ve looked at so far, we’ve found ways to escalate privileges, to like take over the network through Active Directory Certificate Services.
And it just kind of highlights to us the. Kind of the how little people are looking at it and how over time, like these misconceived misconfigurations have led to an insecure.
Lisa Vaas: How are you finding the misconfigurations? Are these in the networks of clients? Is this something that you can search online for using specific scanning tools?
Will Schroeder: This, well, sometimes there might be a little bit of occasionally there’s kind of some exposure through something like shouting We don’t perform anything like that. We do a lot of consulting for large enterprises, so we do a lot of offensive and defensive engagement. So as we start to develop new research, a trade craft, we work with a lot of our operators, too.
Examine the security posture of like current networks that we’re doing engagement sort of assessment stuff. So all the stuff that we verified, which, you know, again, it’s, you know, it’s not a complete sample set, but you know, our, our kind of sample of networks is based on real-world data, but it is run from.
And assessment engagement or internal type perspective. It’s not a, from what we’ve done is not like exposed on like the borders of the internet or something that can be scanned externally.
Lee Christensen: And, and most of this is we we’ve written some tools to help us in your mind this information. So. One of these tools we’ve already released.
So when we released our paper, we released a defensive tool called PSP K I audit, which is a defensive auditing tool that will identify all of these issues that we, we researched. And so that’s a great tool, highly recommend defenders to use it. And then on the offensive side at black hat this year, we’re going to be releasing an offensive tool called certify and it.
It also performs a similar type of enumeration, but in a more, you know, kind of attacker friendly way and both sides, like we, we both tools will accomplish the same goal. It’s just kind of different audiences for who they’re targeted for.
Will Schroeder: I was going to say, and we chose to kind of self-embargo, the offensive tool release for about 45 days after we had the defensive guidance on the paper in a defender focused tool set. That’s very difficult to use offensively to try to get to everyone, like kind of, you know, like, you know, full disclosure about, you know, these are the issues.
Here’s how you can find them. We assume. At the time, and this was confirmed that additional people will start building a tech tooling based on the information. But we wanted to give, you know, a pretty good window before we actually release our offensive tooling. And we’re also working on integrating a numeration of all the certificate service misconfigurations into bloodhounds as well.
So that from an offensive and defensive standpoint people will be able to audit these and then secure them. Well that
Lisa Vaas: I’m glad you spoke up about that because I was going to ask actually what the attackers are using in a, in an offensive way to scan for misconfigured systems.
Will Schroeder: At this point, you can do use.
So most of this information can be a numerated through Active Directory through eldap the protocol that pulls information about different Active Directory objects. So once a reasonably sophisticated attacker based on the research, once they knew what the misconfigurations were, is not that difficult for them to write their own tooling.
Those types of misconfigurations because we, you know, outline what the problems are and we had to detail what the problems were. So we’d outlined them in detail in the paper. So it’s not that hard for people to build their own kind of queries for these types of things. And again, we also built the defensive one with PSP K audit, and then the offensive kind of package tool is going to be released, you know, in the week and a half or so at the blackout talk.
And, then of course, integrate into bloodhounds.
Lisa Vaas: Integrating BloodHound into your tools.
Will Schroeder: Oh, sorry. Where we’re integrating the enumeration for the misconfigurations into the bloodstream as a separate effort. Yes, I’m sorry.
Lisa Vaas: That was my own confusion. Well, great. Do you guys want to continue with more good stuff from your research?
Ah, because if not, I’m going ask you to maybe chat a little bit about how these situations plays into Active Directory, which arm, which you mentioned something
Will Schroeder: I’ll just, oh yeah. Oh, we’d love to definitely would love to talk about that and how the stuff kind of fits in. I will just say a couple, couple of, kind of final points on the certificate research specifically.
Sure. It’s like the had mentioned it’s. It’s been around for a long time. So it has its own misconfiguration debt. And a lot of people don’t fully understand Astra directory, Certificate Services, even people that know Active Directory, you don’t fully understand active directory certificate services.
So we found has been very easy for people to misconfigure in a very severe way. And while it’s not installed by default, it’s extremely common in almost every environment we’ve looked at. They’ve had active directory certificate services. And like they had mentioned in about 80 to 90% of environments, there has been.
Flaws that allowed, allowed escalation of privileges to take over environments. And there’s a lot. Yeah. What we call like attack their tradecraft around active directory certificate services beyond the escalation aspect. So there’s stealing certificates or current users, there’s it can effectively be a different method for credential thefts without touching privilege processes and things like this.
It can be a way to persist for user accounts and machine accounts. We’ve also developed a way to, if you can steal the private key for a certificate authority and active directory certificate services, you can forge your own certificates and definitely in a way they can’t be revoked. So there’s a huge amount of Tradecraft that we cover in the paper that we researched beyond just the escalation primitives.
Along with that, there’s definitely a big lack of detection and incident response guidance, and just knowledge surrounding active directory certificate services to our most environments. Like Leah, we had said, you know, we very rarely seen, you know, incident response reports where people talked about, oh, we investigate and what certificates might’ve been issued to these people or these principles.
And we revoke them. So most people just don’t have the knowledge or the tooling. To actually deal with this from a defensive or instant response standpoint. So we do outline what we can in the paper for that. But we’re hoping to bring light to this specifically from a defensive side, so people can start better on responding to things. I don’t know if there’s anything to …
Lee Christensen: A good example of that is when we mention how there’s a lack of incident response and kind of detection, guidance. Something that came out of our research, we understood that if we compromise a machine, we can steal, you know, a certificate from a user and by default inactive.
Environments those certificates last, like they’re valid for up to like two years. And why that’s really valuable to me is because even if they wipe the machine or they reset that user’s password I can still use that certificate to log on as that user it’s a completely separate form of it’s like a completely separate credential from the password.
So, and in our experience, you know, nobody does. Is looking to see if attackers have stolen certificates before. And so that was really enlightening to me of being like, “wow”. A lot of attackers could still have access to networks if they have certificates and incident responders, you know, we, we asked some of our, our defensive team members, you know, is active directory certificate services, part of the incident response process at the companies you’re working with.
And I’ve yet to see. An environment where active directory certificate services was explicitly called out. So that was, you know, this is another huge goal of ours with the research is to kind of encourage organizations to, you know, look on the defensive side and incident response side into directory certificate services.
Yeah.
Lisa Vaas: Two years is a lot of time to do a lot of damage. Yeah, well we’re, we’re getting close to our allotted time. But I know you guys had advice on what the security community should be doing about this issue. Do you want to aluminate that for us?
Lee Christensen: So, I mean, there’s, there’s definitely a lot of things that people can do. I think. It there’s a Mo it’s a multi-pronged approach. So for one, like, I think Microsoft and the industry in better in general needs to be better about equipping it, administrators, to understand the impact of their actions.
So when they’re configuring things like an it administrator is just trying to do his job, like somebody joined a company, they need to be, you know, maybe added to a network chair or added to a group in active directory. But the it administrator, when they do that, They may unknowingly be granting that user access to hundreds of computers in the network.
And they just don’t realize that. And so I think there’s a lack of visibility that could be improved by like Microsoft and this isn’t just specific to active directory, but you know, a lot of products or things in the cloud, people just don’t understand the implications of their ant of their actions.
And so I think kind of, you know, a lot of products need to be better. Explain that to tighty administrators when they perform actions, I think that’s a big thing organizations and product companies needed to be doing.
Will Schroeder: That’s something that bloodhound, obviously we built to try to facilitate that kind of on our own.
We do have you know, kind of, similar to that, there’s an enterprise version of BloodHound that we’re launching very soon. That’s focused from a defensive standpoint that there’ll be information, you know Andy. No specific website, but we’ll be publishing over the next few weeks. But it’s, you know, that whole attack path type management of understanding the complexity of the system as a whole is a very hard problem, but it’s something that we spend a lot of time and effort to try to help, you know, administrators and organizations really understand if there’s anything to add, Andy.
Andy Robbins: I would add so Lisa you’re like your question as, you know, what should organizations do? Which Microsoft do, what should other companies like us do? I think one of the things that we all need to do is acknowledged the truth that on-prem active directory is here to stay. And the jury of just migrating off of one identity platform to another, or the dream of implementing something like legacy ESA.
For the vast majority of organizations is never going to happen. It’s totally impractical. It’s not worth the cost and the benefits, the benefits are immeasurable and not the good kind of immeasurable. As in they are non-empirical. You can’t say that they’re going to go from one identity platform to the other, and that’s going to solve all the problems that you have right now.
And so, because of that, when the time comes for someone to make the decision, are we going to move off of on-prem AD onto something else? 999 times out of a thousand. The answer is no. And it’s because of those reasons and like what is mentioning as far as. Attack path management and these little configurations having much greater impact.
One of the, one of the problems with a lot of the recommendations that our field gives to organizations is that they’re, they’re couched under the guise of best practice. A lot of times best practice is impractical in practice. But the bigger thing is like, like will mentioned earlier is that a lot of the people running active directory, their primary job is to keep the lights on and to keep those critical businesses, business processes, running and security serves the business, not the other way around.
And so when a recommendation comes down that says you should. Use this group policy to enforce this particular security control. And then the customer will very rightfully ask why. And a lot of times their response is “it’s best practice or it will reduce your attack surface.” That kind of recommendation is so easy to say no to.
Because there’s no, there’s no empirical evidence for why that is actually going to help. And so product companies, services companies need to get better at explaining the benefits of implementing security controls that come at a cost, whether that’s financial or labor, so that when a recommendation comes down that says you should do X.
And you should do that because it’s going to reduce your exposure to attack paths by 75.2%. That’s much harder to say no to it’s much easier to say yes to as much, as much easier for internal AD folks who kind of sell that remediation to each other or for a security team to sell that remediation to an ADA team.

Cyber

No More Ransom Saves Victims Nearly €1 Over 5 Years

No More Ransom is collecting decryptors so ransomware victims don’t have to pay to get their data back and attackers don’t get rich.

To date, the No More Ransom repository of ransomware decryptors has helped more than 6 million victims recover their files, keeping nearly a billion euros out of the hands of cybercriminals, according to a Monday release.
Launched five years ago, No More Ransom is maintained via cooperation between the European Cybercrime Centre and several cybersecurity and other types of companies, including Kaspersky, McAfee, Barracuda and AWS. Its purpose is to keep victims from handing over the cash that helps fuel more ransomware attacks, according to Europol.

“The general advice is not to pay the ransom,” No More Ransom advises. “By sending your money to cybercriminals you’ll only confirm that ransomware works, and there’s no guarantee you’ll get the decryption key you need in return.”
Instead, the group directs victims to their Crypto Sheriff tool. There, victims can enter either the URL, onion or Bitcoin address given by the attacker to pay the ransom. The tool searches the No More Ransom database, where the offerings have grown from an initial four decryptors back in 2016 to the current roster of 121 tools to decrypt 152 ransomware families. It’s also free and available in 37 languages, according to the group.
If no decryptor is available for a given ransomware infection, keep checking back: No More Ransom regularly adds new unlock tools.

Don’t Pay the Ransom: Here’s Why
Ransomware victims are increasingly reluctant to pay ransom demands. A Threatpost poll from June found 80 percent of respondents who were hit by a ransomware attack flat out refused to pay for a decryptor that might, or might not, show up.
Worse yet, a June report from Cybereason indicates victims who are quick to pay identify themselves as easy prey. Cybereason reported that 80 percent of organizations that paid a ransom were hit with a follow-up attack. Half of those were attacked a second time by the same group, but a full third attracted additional threat actors smelling an easy payday.
No More Ransom is an answer to the rise of cyber insurance companies, which seem to be injecting massive amounts of cash into the ransomware ecosystem. During the first half of 2020, ransomware attacks made up 41 percent of the total cyber insurance claims, according to a June Cyber Claims Insurance report from Coalition.
Besides funding a criminal enterprise, payment of ransomware to sanctioned nation-state actors could put an organization in violation of the U.S. Department of Treasury, which added several ransomware groups to its sanctions list in October 2020.
Regular backups remain the best way to protect data from a ransomware attack, the Europol said. They further recommend users be mindful of the links they click on and update their security software. But most importantly, the cybercrime cops appeal to organizations to avoid handing over their money.
“If you become a victim, do not pay!” the Eurpol said. “Report the crime and check No More Ransom for decryption tools.”
Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.

Categories