Following a Kill Chain – Defending against Babuk group’s…

Washington Police Department Pwn3d by Ransomware Group Babuk

So it’s all over the news outlets, a police department (Washington DC PD) has been hit by a ransomware syndicate, Babuk. So firstly, let’s be realistic everyone can get pwn3d and at this time our thoughts go out to those affected and to the teams working the response. Being hit by ransomware is NOT fun and not something we would wish upon anyone. That being said this isn’t an ambulance chase, what I want to do hear is look at the TTPs from Babuk in a bit more detail so hopefully we can help inform and educate people so they can strengthen their security postures.

References

https://news.sky.com/story/russian-hackers-target-washington-dc-police-department-in-apparent-ransomware-attack-12288183

https://www.theregister.com/2021/04/27/washington_dc_police_ransomware/ Read more “Following a Kill Chain – Defending against Babuk group’s TTPs” →

Leadership

A Small Measure of Cyber Peace

The still of cyberspace

The alert queue is empty, the estate is patched, the whirr of fans hums in the background. In marketing everyone wants to be excited and to talk about the next big thing. Whilst the physical and digital worlds move at breakneck speed, there’s sometimes the opportunity to be still, to have no incidents to respond to, to have no major changes. These times can be rare, but they are also needed.

Often when I look at and use cyber maturity frameworks there is a lot of focus on cyber capabilities rather than business capabilities that are cyber enabled. What do I mean by cyber enabled? Well, you see, the way I view this game is that much like the roads serve no purpose if they are not travelled, cyber security capabilities are similar. What organisations should be looking for in my view is cyber enablement of the business rather than security as a separate domain. Integrating customer experiences with technology in a secure manner and adding value are often areas I see people not focus on. It’s a similar story with service management, the focus can be on the activity rather than the business outcomes that are enabled by digital services.

Guides

Secure Service Design: Practical Solution Architecture

The truth shall set you free

I’ve worked in technology a long time now (relatively for me). It’s now over 20 years professionally and when I was a kid, I used to remove malware from small business’s etc. I’ve travelled to some funky places and done some cool things, but I learn new things every day. I do however come across some repeating patterns in my adventures as a consultant. There is a hidden truth that many are scared to admit…

Most organisations are not very good at service design, let alone secure service design!

Ok so there it is, I hope that this blog doesn’t age very well, but I’m 20 years in and I chat with my dad about his past life in the corporate world and we both see the same things being repeated. So, what can we do about it? Well sharing is caring, so here’s some things to think about when planning and designing a new service. I’m going to focus on the technology and security aspects, clearly, I am not saying ignore the business and value alignment but for the purposes of this post I’m assuming that the functional service capabilities and alignment are in effect. I’m also assuming that business case is solid because you know, without £ it’s a bit hard to create an operate a service (that’s a whole new post!). Read more “Secure Service Design: Practical Solution Architecture” →

CTF

Server Message Block (SMB) Enumeration, Attack and Defence

Introduction

If you see a service with TCP port 445 open, then it is probably running SMB. SMB is used for file sharing services. You will also see it related to other protocols in its operation:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/06451bf2-578a-4b9d-94c0-8ce531bf14c4

Checklist

Here is a check list of common things to check:

Can you enumerate the server version?
Can you enumerate shares?
What versions of the protocol are enabled?
Can you connect using anon bind?
Are there any known vulnerabilities?
Can you enumerate usernames?
Is SMB signing enabled?
Are there other hosts in the subnet that can be used?

CTF

mRr3b00t Learns to play HTB again!

I rarely get a chance to play HTB these days 🙁 but today I thought i’d get back on it.. then I had a three hour battle with a graphics driver and Vmware Workstation so that basically ruined that idea…. but I thouht I’d try and remember how to CTF again.. and boy do you get slow fast! Well to try and help people and myself I’ve started to write down some notes to get my mind back into the CTF world of HTB!

Setup & Scope

Ok this is the setup phase. Let’s grab the details

Take note of the machine name
- Remember most boxes are called .htb or .htb.local
- There’s not an “internet” dns inside the arena so you need to update hosts files
Take note of the box author
- This is useful for OSINT
Take note of the IP
- This is your scope
Take note of the OS version
Get you digital notebook ready

Defense

Business Email Compromise in Office 365

BEC

Business email compromise can be a prelude to a range of attacks but commonly it’s either Ransomware of Scammers. In this post we are focsing on scammer activity which uses a ‘man in the mailbox’ attack to get in between two parties in an email converstation with the aim of attempting theft by fradulently altering a wire transfer so that the third party sends funds to the scammers not to the victim. There are cleary other avenues that can be leveraged (the compromised mailbox may be used to phish or email malware to another victim).

Initial Access

To gain access to the mailbox a range of techniques can be employed which includes:

Credential stuffing
Phishing and credential harvesting
Malware

Once they have your logon credentials, they now will attempt to access your mailbox.

Avoiding Geo Location Alerts

A scammer may use a public VPN service (such as services from AVAST etc.) to move their internet connection the target mailbox region. They can usually locate a person through some OSINT.

By moving to the normal area of the user they are less likely to trip geo location alerts. Read more “Business Email Compromise in Office 365” →

Defense

Cyber Defence is Hard

Introduction

If you read a book about management theory or specifically cyber security management you will find lots of frameworks, methods, formulas, models etc. None of them really let you know how insanely hard it can be to defend a moving target where regardless of how many controls you have, all it takes it someone doing something which may seem bonkers to you but perfectly reasonable for them. Their objective is to do business in an efficient manner, your objective is to protect the business in an efficient manner. Fundamentally these two things are not at odds, but there are a lot of human factors that come into play on top of some serious technical challenges. Read more “Cyber Defence is Hard” →