Threat Week 04-08-2018

Welcome to another threat update, this week we look at some interesting twitter dumpster fires and a highly targeted ransomware campaign

Unbackable wallets – would you trust your funds with this device?

You got root sir but that’s not a hack! The world turns upside-down and inside out when @cybergibbons and a band of hackers go on rage mode at the claims from John McAfee and BitFi that their wallet is un-hackable and the ‘restrictions’ placed on the bug bounty.

https://twitter.com/officialmcafee/status/1024385313966379010

Use a password manager, no really!

@ingnl caused some fun when they recommend not using password managers which went down well with the twitter infosec community. Just so everyone is aware, we recommend using a password manager.

Read more “Threat Week 04-08-2018” →

Defense

Office 365 Attack Simulator Overview

Probably the most common attack vector!

Phishing is very likely the most common attack vector, in fact so common that the following stat is called out:

“a 2016 study reports that 91% of cyberattacks and the resulting data breach begin with a phishing email”

Setting up the Social Engineering toolkit or custom phishing solution takes a little time, luckily Microsoft have added in attack simulation features into Office 365! This let’s in house teams perform a range of simulated attacks in safe manner against your organisation. In this post we are going to run through the steps required to create and run a phishing attack simulation!

Defense

A day out phishing

A common tactic for threat actors is to leverage weaknesses in human behaviour. Over the years a combination of poor configuration has led people to ‘click YES’ syndrome. A common vector for attackers is to send emails with document attachments using either embedded macros or abusing Office document OLE functionality.

Below we have a live sample of a phishing document. As you can see it’s been styled in a similar fashion to the Office user interface. Read more “A day out phishing” →

Threat Intel

July Threat Update

Welcome to another Threat Week update, today we are going to look at some of the active threats in the wild and in the news.

Top Threats

Attack Vectors

Common attack vectors are still the usual suspects. Phishing, drive by infections, insecure internet exposed services (e.g. FTP, RDP, SSH, web services etc.) We’ve seen phishing attacks using legitimate services such as Zoho CRM to hijack their mail domain to bypass mail filters, so again good education plus technical controls are the best defence against these attacks.

Firewall Analysis

Xservus run a vulnerable lab which hosts honeypots, web services and is used to detect threats. The following graph showcases external threats detected. Read more “July Threat Update” →

Hacking

Hail Hydra – RDP brute forcing with HYDRA

Securing services requires a broad range of knowledge of operating systems, networking, protocols and offensive capabilities. So I thought I would demonstrate some testing methods to show how a control is effective in blocking certain types of attack, so here’s some offensive and defensive guidance to limit RDP attacks. Please remember this is for educational purposes, do NOT break the law and only use these techniques where you have permission! #whitehat

Overview

This document provides a sample of the internal (white box) testing process and procedure for testing RDP controls against brute force attacks.

Test Objectives

Demonstrate only authorised users can access the service
Demonstrate Remote Desktop Services has a hardened configuration
Demonstrate a brute force attack

Method

Scope Evaluation
Testing
1. Enumeration
2. Vulnerably Assessment
3. Exploitation
Report Results

Reviews

Defending your cheque book as well as your endpoints

Since almost before time began (ok so 1974 – Rabbit) malware and viruses have existed on computers, since then the volume and level of sophistication of attacks has dramatically increased. You are no longer defending against viruses, you are defending against attacks from a whole range of threat actors. Aside from backups, antivirus is often one of the first and last lines of defence on systems, as such over the years a range of products and services have arisen (and far more opinions) in the antivirus space, so much so that now we have solution stacks named endpoint detection and response. So, to get to the point, the threat landscape is vast (this year alone there has been 6 million new malware samples discovered – https://www.av-test.org/en/statistics/malware/)

A new Superhero?

Windows defender was always an underdog in this space, if you google “Windows 10 defender reviews” you will see a range of star ratings such as, 3 out of 5, 2.5 out of 5, 2 out of five etc.

Security has never been more in focus with business, however there is always a driver to ensure costs are controlled and value is being added, so I thought I would write about Windows 10 defender and look at some of the reasons you may want to drop your 3^rd party solution. Read more “Defending your cheque book as well as your endpoints” →

Threat Intel

Welcome to Threat Week!

Welcome to the first instalment of threat week, the concept of threat week is to provide regular updates on threats, vulnerabilities, security news to provide you with a service that cuts through the noise and enables you to improve the security of your organisation.

To give people an idea of the content we will be producing we’ve published the following below. The concept is to tailor the content to your specific organisation as we’ve been doing with our customers. To start this process, after your subscribe one of the team will be in touch to discuss your specific requirements.

Vulnerabilities

Vmware releases patches for ESXi, Fusion and Workstation to remove data leakage vulnerabilities!

https://www.vmware.com/uk/security/advisories/VMSA-2018-0016.html

Hackers are targeting CISCO CVE-2018-0296

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd

Threat Trends

Threat Trend – Ransomware declines whilst Crypto mining malware becomes king of the hill for attackers

http://www.newsweek.com/crypto-mining-malware-outbreak-infected-500000-computers-single-day-836145

Security News

Ticketmaster breach – Most of you will be aware that Ticketmaster was involved in a cyber incident. The NCSC has published guidance for customers who suspect their account have been compromised.

https://www.ncsc.gov.uk/guidance/ncsc-advice-ticketmaster-customers

Read more “Welcome to Threat Week!” →