Jan 30 2024

Aembit Announces New Workload IAM Integration With CrowdStrike To Help Enterprises Secure Workload-To-Workload Access

Category: Access Control, Information Security | disc7 @ 3:12 pm

Aembit Becomes the First Workload IAM Platform to Integrate with the Industry-Leading CrowdStrike Falcon Platform to Drive Workload Conditional Access

Aembit, the Workload Identity and Access Management (IAM) platform that enables DevOps and security teams to discover, manage, enforce and audit access between workloads, today announced the availability of a new integration with the industry-leading CrowdStrike Falcon® platform to give enterprises the ability to dynamically manage and enforce conditional access policies based on the real-time security posture of their applications and services.

This integration signifies a significant leap in Aembit’s mission to empower organizations to apply Zero Trust principles to make workload-to-workload access more secure and manageable. 

Workload IAM transforms enterprise security by securing workload-to-workload access through policy-driven, identity-based, and secretless access controls, moving away from the legacy unmanaged, secrets-based approach. 

Through this partnership, the Aembit Workload IAM solution checks to see if a CrowdStrike Falcon agent is running on the workload and evaluates its real-time security posture to drive workload access decisions to applications and data.

With this approach, now enterprises can protect their workloads from unauthorized access, even against the backdrop of changing conditions and dynamic access requirements. Additional customer benefits from this partnership include:

  • Managed Workload-to-Workload Access: Enforce and manage workload access to other applications, SaaS services, and third-party APIs based on identity and policy set by the security team, driving down risk.
  • Seamless Deployment: Drive consolidation by effortlessly integrating the Aembit Workload IAM Platform with the Falcon platform in a few clicks, providing a unified experience for managing workload identities while understanding workload security posture.
  • Zero Trust Security Model: Embrace a Zero Trust approach, ensuring that every access request, regardless of the source, is verified before granting access rights. Aembit’s solution enforces the principle of least privilege based on identity, policy, and workload security posture, minimizing potential security vulnerabilities.
  • Visibility and Monitoring: Gain extensive visibility into workload identities and access permissions, enabling swift detection and response to potential security threats. Monitor and audit access logs based on identity for comprehensive security oversight.

This industry-first collaboration builds on the recent CrowdStrike Falcon Fund strategic investment in Aembit, underscoring the global cybersecurity leader’s commitment to fostering innovation within the space. The investment reflects the recognition of the growing demands for securing workload access.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Aembit, CrowdStrike Falcon, IAM


Jan 18 2024

How Do You Protect Your APIs From DDoS Attacks?

Category: API security, Information Security | disc7 @ 8:22 am

Today, DDoS attacks stand out as the most widespread cyber threat, extending their impact to APIs. 

When successfully executed, these attacks can cripple a system, presenting a more severe consequence than DDoS incidents targeting web applications. 

The increased risk amplifies the potential for reputational damage to the company associated with the affected APIs.

How Does DDoS Affect Your APIs?

A DDoS attack on an API involves overwhelming the targeted API with a flood of traffic from multiple sources, disrupting its normal functioning and causing it to become unavailable to legitimate users.

This attack can be particularly damaging as APIs play a crucial role in enabling communication between different software applications, and disruption can impact the overall functionality of interconnected systems.

The impact of DDoS attacks is particularly severe for businesses and organizations that depend on their APIs to deliver essential services to customers. These attacks, employing methods such as UDP floods, SYN floods, HTTP floods, and others, pose a significant threat.

Typically orchestrated through botnets—networks of compromised devices under the control of a single attacker—DDoS attacks can cripple a target’s functionality.

DDoS attacks on APIs focus on the server and each part of your API service. But how do attackers manage to exploit DDoS attacks on APIs?

This Webinar on API attack simulation shows an example of a DDoS attack on APIs and how WAAP can protect the API endpoints. 

Several factors can make APIs vulnerable to DDoS attacks:

Absent or Insufficient Rate Limiting: If an API lacks robust rate-limiting mechanisms, attackers can exploit this weakness by sending a massive volume of requests in a short period, overwhelming the system’s capacity to handle them.

Inadequate Authentication and Authorization: Weak or compromised authentication measures can allow malicious actors to gain unauthorized access to an API. Once inside, they may misuse the API by flooding it with requests, leading to a DDoS scenario.

Insufficient Monitoring and Anomaly Detection: Ineffective monitoring and anomaly detection systems can make identifying abnormal traffic patterns associated with a DDoS attack challenging. Prompt detection is crucial for implementing mitigation measures.

Scalability Issues: APIs that cannot scale dynamically in response to increased traffic may become targets for DDoS attacks. A sudden surge in requests can overload the system if it cannot scale its resources efficiently.

How Do WAAP Solutions Protect Against DDoS Attacks on API?

A Web Application and API Protection (WAAP) platform offers in-line blocking capabilities for all layer 7 traffic, comprehensively securing web applications and APIs.

To guarantee robust security, WAFs incorporated into WAAP solutions provide immediate defense by filtering, monitoring, detecting, and automatically blocking malicious traffic, thereby preventing its access to the server.

Active monitoring of traffic on an API endpoint enables the identification of abnormal traffic patterns commonly linked to DDoS attacks. Instances of sudden spikes in traffic volume serve as red flags for potential attacks, and a proficient monitoring system can promptly detect and address such increases.

In addition, WAAP enforces rate limits by assessing the number of requests from an IP address. API rate limiting is critical in mitigating DDoS damage and reducing calls, data volume, and types. Setting limits aligned with API capacity and user needs enhances security and improves the user experience. 

To avoid impacting genuine users, find solutions that use behavioral analysis technologies to establish a baseline for rate limiting.

AppTrana WAAP’s DDoS mitigation employs adaptive behavioral analysis for comprehensive defense, detecting and mitigating various DDoS attacks with a layered approach. It distinguishes between “flash crowds” and real DDoS attacks, using real-time behavioral analysis for precise mitigation. This enhances accuracy compared to static rate limit-based systems.
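One way to implement the per-client rate limiting with a learned baseline described above, as an added example that is not code from the original article or from any WAAP product. The class names, thresholds, and replayed traffic (documentation-range IP addresses) are constructed assumptions.

```python
"""Per-client API rate limiting with a learned baseline (constructed example)."""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Baseline:
    """Exponentially weighted mean/variance of one client's requests per interval."""
    mean: float = 0.0
    var: float = 0.0
    intervals: int = 0

    def update(self, count: int, alpha: float) -> None:
        if self.intervals == 0:
            self.mean = float(count)
        else:
            delta = count - self.mean
            self.mean += alpha * delta
            self.var = (1 - alpha) * (self.var + alpha * delta * delta)
        self.intervals += 1


class AdaptiveRateLimiter:
    """Hypothetical limiter: static limit during warm-up, learned limit afterwards."""

    def __init__(self, interval=1.0, static_limit=20, floor=5, cap=100,
                 k=3.0, alpha=0.2, warmup=5):
        self.interval = interval          # seconds per counting interval
        self.static_limit = static_limit  # used until a baseline exists
        self.floor = floor                # never throttle a client below this
        self.cap = cap                    # per-client ceiling set from API capacity
        self.k = k                        # tolerated deviations above the mean
        self.alpha = alpha                # EWMA smoothing factor
        self.warmup = warmup              # intervals needed before trusting the baseline
        self._baseline = defaultdict(Baseline)
        self._bucket = {}                 # client -> (interval index, request count)

    def limit_for(self, client: str) -> int:
        b = self._baseline[client]
        if b.intervals < self.warmup:
            return self.static_limit
        learned = math.ceil(b.mean + self.k * math.sqrt(b.var))
        return min(self.cap, max(self.floor, learned))

    def allow(self, client: str, ts: float) -> bool:
        idx = int(ts // self.interval)
        prev = self._bucket.get(client)
        if prev is None or prev[0] != idx:
            # A new interval started. Learn from the previous one only if it
            # stayed within the limit, so a flood cannot raise its own baseline.
            # Idle intervals are ignored: the baseline models active intervals.
            if prev is not None and prev[1] <= self.limit_for(client):
                self._baseline[client].update(prev[1], self.alpha)
            prev = (idx, 0)
        count = prev[1] + 1
        self._bucket[client] = (idx, count)
        return count <= self.limit_for(client)


def sample_traffic():
    """Constructed (timestamp, client IP) events: one bursting client, one steady."""
    events = []
    steady = [10, 9, 11, 10, 12, 8, 10, 11, 9, 10]   # requests per second, then a flood
    for sec, n in enumerate(steady + [200]):
        events += [(sec + i / n, "203.0.113.10") for i in range(n)]
    for sec in range(11):
        events += [(sec + i / 3, "198.51.100.7") for i in range(3)]
    return sorted(events)


def replay(events, limiter=None):
    """Feed events through the limiter; return per-client totals and the limiter."""
    limiter = limiter or AdaptiveRateLimiter()
    totals = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, client in events:
        verdict = "allowed" if limiter.allow(client, ts) else "blocked"
        totals[client][verdict] += 1
    return dict(totals), limiter


if __name__ == "__main__":
    totals, limiter = replay(sample_traffic())
    for client, t in totals.items():
        print(client, t, "current limit:", limiter.limit_for(client))
```

With these constructed inputs the bursting client's learned limit settles at 13 requests per second, tighter than the static limit of 20, while the low-volume client is protected by the floor of 5.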

Advanced API Security: OAuth 2.0 and Beyond

API Security in Action


Tags: API Security


Jan 12 2024

Fake Recruiters Defraud Facebook Users via Remote-Work Offers

Category: Information Security | disc7 @ 8:56 am

Scammers are targeting multiple brands with “job offers” on Meta’s social media platform that go as far as to offer what look like legitimate job contracts to victims.

https://www.darkreading.com/remote-workforce/fake-recruiters-defraud-facebook-users-remote-work-offers

A fresh wave of job scams is spreading on Meta’s Facebook platform that aims to lure users with offers for remote-home positions and ultimately defraud them by stealing their personal data and banking credentials.

Researchers from Qualys are warning of “ongoing attacks against multiple brands” offering remote work through Facebook ads that go so far as to send what look like legitimate work contracts to victims, according to a blog post published Jan. 10 by Jonathan Trull, Qualys CISO and senior vice president of solutions architecture.

The attackers dangle offers of work-at-home opportunities to lure Facebook users to install or move to a popular chat app with someone impersonating a legitimate recruiter to continue the conversation. Eventually, attackers ask for personal information and credentials that potentially can allow attackers to defraud them in the future.

Likely aiming to take advantage of people’s tendency to make resolutions in the new year, these fake job ads — a persistent online threat — typically “see a rise in prevalence following the holidays” when people are primed for new opportunities, Trull wrote.

Qualys Caught Up in Scam

The researchers discovered the scams because fake recruiters were purporting to be from Qualys with offers of remote work. The company, however, never posts its job listings on social media, only on its own website and reputable employment sites, Trull said.

The initial text lures for the scam occur in group chats that solicit users to move to private messaging with the scammer who posts the job opening. “In several cases, the scammer appears to have compromised legitimate Facebook users and then targeted their direct connections,” Trull wrote.

Once a victim installs Go Chat or Signal — the messaging apps used in the scam — attackers ask for additional details so they can receive and sign what appears to be an official Qualys job offer complete with logos, correct corporate addresses, and signature lines.

Attackers then ask victims to send a copy of a government-issued photo ID, both front and back, and tell them to digitally cash a check to buy software for a new computer that their new employer will ship to them.

Qualys has notified both Facebook and law enforcement of the scam and encourages users to do the same if they observe it on the platform. The blog post did not list the names of other companies or brands that might also be targeted in the attacks.

Avoid Being Scammed

Job scams are indeed a constant online security issue, one that’s on the rise, according to the US Better Business Bureau (BBB). Online ads and phishing campaigns are popular conduits for job scammers, which use social engineering to bait people into responding and then either steal their personal data, online credentials, and/or money. Scams also can have a negative reputational impact on the companies whose brands are used in the scam.

To avoid being scammed by a fake job listing, Qualys provided some best practices for online employment seekers to follow when using the Internet to search for opportunities.

In general, a mindset of “if it’s too good to be true, it probably is” is a good rule of thumb to approaching online job listings, Trull wrote. “Listen to your intuition,” he added. “If it doesn’t feel right, you should probably not proceed.”

Qualys also advised that people always verify offers by looking up a job opening on an organization’s official website and contacting the company directly instead of using social media contacts that could be abused as part of a scam.

People also should be “highly skeptical” of any job solicitation that doesn’t come from an official source, even if the social media source making the offer appears trusted. Since social media accounts can be hijacked, the source can appear legitimate but isn’t.

Further, if an online recruiter asks a person to install an app to apply for a position, it’s probably a scam, Trull warned. “Real recruiters will call you, email, or set up a multimedia interview call at their expense without any concern — they are set up for it if they are a recruiter,” he wrote.

Fake: Fake Money


Tags: Fake Money, Fake Recruiter


Jan 06 2024

Red Team Guide

Category: Information Security, Pen Test | disc7 @ 9:59 am

Red Team Guide by Hadess

RTFM – Red Team Field Manual


Tags: Red team, Rtfm


Jan 04 2024

Google Chrome Use After Free Flaw Let Attacker Hijack Browser

Category: Cyber Attack, Information Security, Web Security | disc7 @ 10:26 am

The latest stable channel update for Google Chrome, version 120.0.6099.199 for Mac and Linux and 120.0.6099.199/200 for Windows, is now available and will shortly be rolled out to all users.

Furthermore, the Extended Stable channel has been updated to 120.0.6099.200 for Windows and 120.0.6099.199 for Mac.

There are six security fixes in this release. Three of these flaws allowed an attacker to take control of a browser through use-after-free conditions.

Use-after-free is a condition in which a memory allocation is freed but the program keeps a pointer to that memory and later uses it. It results from incorrect use of dynamic memory allocation during an operation.

CVE-2024-0222: Use After Free In ANGLE

Use after free in ANGLE in Google Chrome presents a high-severity vulnerability that might have led to a remote attacker compromising the renderer process and using a crafted HTML page to exploit heap corruption.

Google awarded $15,000 to Toan (suto) Pham of Qrious Secure for reporting this vulnerability.

CVE-2024-0223: Heap Buffer Overflow In ANGLE

This high-severity flaw was a heap buffer overflow in ANGLE that could have been exploited by a remote attacker using a crafted HTML page to cause heap corruption. 

Toan (suto) Pham and Tri Dang of Qrious Secure received a $15,000 reward from Google for discovering this vulnerability.

CVE-2024-0224: Use After Free In WebAudio

A high-severity use after free in WebAudio in Google Chrome might potentially allow a remote attacker to exploit heap corruption through a manipulated HTML page.

Google awarded Huang Xilin of Ant Group Light-Year Security Lab a $10,000 reward for finding this issue.

CVE-2024-0225: Use After Free In WebGPU

A high-severity use after free in WebGPU in Google Chrome may have allowed a remote attacker to exploit heap corruption through a specially crafted HTML page.

The reporter of this vulnerability was listed as anonymous.

The use after free conditions existed in Google Chrome before version 120.0.6099.199. To avoid exploitation of these vulnerabilities, Google advises users to update to the most recent version of Google Chrome.

How To Update Google Chrome

  • Open Chrome.
  • At the top right, click More.
  • Click Help > About Google Chrome.
  • Click Update Google Chrome. Important: If you can’t find this button, you’re on the latest version.
  • Click Relaunch.

Browser Security Platform Checklist


Tags: Google Chrome


Jan 03 2024

Malware using Google exploit to maintain access

Category: Information Security, Malware, Password Security | disc7 @ 7:38 am

Information-stealing malware is actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and allow continuous access to Google services even after a password reset.

According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner.

The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.

The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles).

A reverse engineering of the Lumma Stealer code has revealed that the technique targets the “Chrome’s token_service table of WebData to extract tokens and account IDs of chrome profiles logged in,” security researcher Pavan Karthick M said. “This table contains two crucial columns: service (GAIA ID) and encrypted_token.”

This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate Google authentication cookies.

Karthick told The Hacker News that three different token-cookie generation scenarios were tested –

  • When the user is logged in with the browser, in which case the token can be used any number of times.
  • When the user changes the password but lets Google remain signed in, in which case the token can only be used once as the token was already used once to let the user remain signed in.
  • If the user signs out of the browser, then the token will be revoked and deleted from the browser’s local storage, which will be regenerated upon logging in again.

When reached for comment, Google acknowledged the existence of the attack method but noted that users can revoke the stolen sessions by logging out of the impacted browser.

“Google is aware of recent reports of a malware family stealing session tokens,” the company told The Hacker News. “Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

“However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user,” it further added. “This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.”

The company further recommended users turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

“It’s advised to change passwords so the threat actors wouldn’t utilize password reset auth flows to restore passwords,” Karthick said. “Also, users should be advised to monitor their account activity for suspicious sessions which are from IPs and locations which they don’t recognize.”

“Google’s clarification is an important aspect of user security,” said Hudson Rock co-founder and chief technology officer, Alon Gal, who previously disclosed details of the exploit late last year.

“However, the incident sheds light on a sophisticated exploit that may challenge the traditional methods of securing accounts. While Google’s measures are valuable, this situation highlights the need for more advanced security solutions to counter evolving cyber threats such as in the case of infostealers which are tremendously popular among cybercriminals these days.”

(The story was updated after publication to include additional comments from CloudSEK and Alon Gal.)

The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws


Tags: MultiLogin Exploit


Dec 28 2023

Chinese Hackers Exploit New Zero-Day In Barracuda’s ESG To Deploy Backdoor

Category: cyber security, Information Security, Zero day | disc7 @ 12:56 pm

An arbitrary code execution vulnerability has been discovered in the Barracuda Email Security Gateway (ESG) appliance and has been exploited by a China-nexus threat actor tracked as UNC4841.

Additionally, the vulnerability was exploited against only a limited number of ESG devices.

Barracuda has deployed a security update to all active ESGs to address this vulnerability. The update has been applied automatically to all devices and does not require any action from the user.

The new vulnerability has been assigned CVE-2023-7102, and the severity is yet to be categorized.

Chinese Hackers Exploit New Zero-Day

This vulnerability exists due to using a third-party library, “Spreadsheet::ParseExcel,” in the Barracuda ESG appliances.

This open-source third-party library is vulnerable to arbitrary code execution that can be exploited by sending a specially crafted Excel email attachment to the affected device.

The Chinese Nexus threat actors have been using this vulnerability to deploy new variants of SEASPY and SALTWATER malware to the affected devices.

However, Barracuda has patched these vulnerabilities accordingly. Moreover, Barracuda stated, “Barracuda has filed CVE-2023-7102 about Barracuda’s use of Spreadsheet::ParseExcel which has been patched”.

Another vulnerability, CVE-2023-7101, affected the same Spreadsheet::ParseExcel library, and no patches or updates were available.

Nevertheless, both of these vulnerabilities were associated with a previously discovered vulnerability, CVE-2023-2868, that was exploited by the same threat group in May and June 2023.

A complete report on these vulnerabilities has been published; it provides detailed information about this vulnerability and the previously discovered vulnerabilities.

Tiger Trap: America’s Secret Spy War with China

21st Century Chinese Cyberwarfare


Tags: 21st Century Chinese Cyberwarfare, cyber security, Tiger trap, zero-day


Dec 20 2023

How to Take Your Phone Off the Grid

Category: Information Security, Smart Phone | disc7 @ 9:00 am

Without a Trace: How to Take Your Phone Off the Grid

https://themarkup.org/levelup/2023/10/25/without-a-trace-how-to-take-your-phone-off-the-grid

A guide on anonymizing your phone, so you can use it without it using you

By Monique O. Madan and Wesley Callow

Hi, I’m Monique, an investigative reporter here at The Markup. There are a few key moments in my 15-year career that have led me on a quest to phone anonymity: 

When a dark-tinted sedan followed me home after I published a controversial story, which led to the resignation of someone in power.

When a reader published my personal address in a virtual chatroom filled with thousands of people—the reader used my phone number to do a reverse look-up search, and found my address. 

The last straw? 

When the federal government traced my phone number back to me and blocked me from communicating with incarcerated people during the COVID-19 pandemic.

When I joined the team in August, my first order of business was making sure I had a secure way to connect with the people trusting me with their lives, while simultaneously keeping myself safe. I needed an off-the-grid phone. 

Enter Wesley Callow, our IT support specialist. 

What happens next is straight out of a scene of your favorite detective movie as he went about procuring the gear to build a phone that would protect my privacy. Just picture him in a cloak. 

If I’ve learned anything from this, it’s that cash is king. And, I need a trench coat.

Step 1: Cash, Cards, and a SIM 

Just think of me, Wesley, as a London Fog trench coat, collar-popped-to-perfection kind of guy. When Monique reached out, I embarked on a trip into the world of phone anonymity—a meticulous descent into the “no half measures” underworld, to borrow from the series Breaking Bad, a place where digits and data are in disguise.

First thing: In order to make an anonymous purchase, I needed cash—bank and credit cards leave too much of a trace. I drove to our local grocery store and bought some groceries for my teenage boys. This is an almost daily trip, so definitely no suspicious behavior to be spotted. I chatted up the self-checkout assistant about the boys and got an extra $60 in cash back.  

When it comes to service providers, Mint Mobile emerged as a top contender, providing relative ease in activation without demanding personal details. They’re like that low-profile café where the barista doesn’t ask for your life story.

I then ventured off to two local Targets where, to my dismay, there were no Mint Mobile prepaid SIM cards. For my third attempt, I tried Best Buy.

I walked in, head down, headed to the cellphone section. Then, the prepaid carrier section. I perused the spinning display, and then, at the very bottom, there was ONE prepaid Mint Mobile SIM left! It was meant to be. For $45, I got three months of service.

I then headed to my next destination: a nearby drug store. I purchased an Apple Store gift card for $10, again using cash. (You could take an Android phone off the grid too, though, but we’re a Mac newsroom).

It was perfect. Zero people were in the store and the clerk was not chatty. I dropped the cash down, exact change—and bounced from the scene. Now I was ready. 

Step 2: Wipe the Phone 

I had a phone plan. Now, I needed a phone. To begin, Apple/Mac experts suggest purchasing a used, budget-friendly iPhone exclusively with cash. This method, they insist, guarantees no direct ties to one’s identity. Monique had an old phone hiding in her drawer. But first, I needed to make sure it had amnesia.

I had Monique send me her old iPhone via a box I shipped to her with a return label inside of it. Once I received it, I wiped the phone back to its factory settings and made sure there was no preexisting SIM card inside. 

Then I put the phone into recovery mode, connected it to an old Mac with no Apple ID, and reformatted it again. Now, it’s double wiped for safety.

Everyone loves a fresh start, right?

Step 3: Identity

For my public Wi-Fi, I infiltrated my local Starbucks. The scent of caramel frappuccinos and whispered secrets filled the air. Here, amidst the caffeine loyal, I set up accounts with Mint, Proton Mail, and Apple. The creation of a disposable email account is essential (Proton Mail is the favored platform), followed by setting up an Apple ID (You’ll need it to download apps on your phone) with your Apple gift card. And if you’re prompted to provide a billing address? Input a random, unrelated location. You won’t ever be connecting a credit card with a real billing address anyway.

Using this now-naked phone, my fresh Mint Mobile SIM card, and an Apple gift card, I sought out a public space with no association to me, such as a library or café—anywhere that has communal computers and Wi-Fi, so we can activate the phone’s service. But wait, Wesley, I thought public Wi-Fi was insecure! Like all things, you have to weigh the pros and cons. The odds of being compromised on a public Wi-Fi network are low in the time it would take to set up the accounts we need, and in return, we don’t have personal location data or a personal IP address attached to those accounts. 

Once your accounts are set up, turn off Wi-Fi.

For security purposes, Face ID and Touch ID are a no-go. The unanimous advice: opt for a six-digit security code. And don’t make it 123456.

Step 4: Customizing An Anonymous Device

Post-setup, disable Bluetooth. This is important because Bluetooth signals can be intercepted by third-party devices within range, and that allows hackers to access sensitive information, such as your phone’s contacts and messages. The throwaway Proton Mail email address plays another vital role, acting as the gateway to access Proton, a virtual private network (VPN) that masks all phone application traffic. 

It’s like giving your phone a discreet disguise—instead of my trench coat, think Harry Potter’s invisibility cloak. 

Always keep your VPN on, and routinely check that it’s working. Subsequently, any required apps should only be downloaded with the VPN engaged.

The Hard Part: Staying Anonymous

Maintaining this cloak of invisibility comes with challenges. If you find this overwhelming, we totally get it. But doing at least some of these steps will protect you—just find the balance and tradeoffs that work for you. For day-to-day usage, some golden rules emerge:

  • Cash is essential, but getting your hands on it requires a bit of effort in this cashless society. To keep your phone off the grid, you have to repeat the same routine: take out cash and buy gift cards. You can’t use a credit or bank card.
  • Add more data to your SIM card and pay your phone bill with a gift card. Don’t opt into auto-renewal, since that requires that you use a credit card.
  • After using public Wi-Fi, go into Network Settings, and “forget” the network, so you leave no digital trail.
  • Never connect to your personal home Wi-Fi. Companies can match home addresses with IP addresses. If you have to use it in a pinch, afterward, go into Network Settings, and “forget” the network.
  • Instead of home Wi-Fi, use your phone’s data plan and Proton VPN to go online. Proton VPN will make sure your IP address is obscured.
  • If you’re traveling with your off-the-grid phone and a personal phone, turn Wi-Fi off on one phone, if you’re using it on the other. Or, turn off your off-the-grid phone entirely, and only turn it back on when you’re at your destination. The goal here is to prevent any overlap between which networks your phones connect to.
  • The final and perhaps the most vital rule: This phone should strictly be used for its principal purpose. Do not use it for casual online strolls, superfluous apps, or note storage, though I know that last one will be hard for journalists. If you must keep notes, disable any notes apps from creating a file in the cloud: Settings → Apple ID → iCloud → Apps Using iCloud → Show All.

The Takeaway 

Monique here. Do you feel like you just ran a marathon after reading that? Do you need a moment to process? I sure did. 

As a gritty street reporter at heart, I’ve learned true and complete anonymity isn’t easy. But in this line of work, it’s worth it. That means constantly backing up my documents and keeping a duplicate contact list elsewhere, in case my line is compromised and I need a new burner. 

Wait, did I just use the word “burner”? Feels like I’m living in an episode of How to Get Away with Murder. (Hi, Viola Davis!)

Covering criminal justice, immigration, social justice, and government accountability means my cellphone is my best friend. It’s not only the first line of communication with my sources, but it’s my first line of trust. My phone hosts applications to make contact with people behind bars—oftentimes the only line the incarcerated has to the outside world. It’s the device that rings in the middle of the night from inconsolable parents who have been separated from their children at the border. 

Additionally, it confidentially stores my emails and documents people send to me, and it lets me access encrypted chatrooms that help me better understand and network with the communities I cover. 

In today’s hyper-connected era, the lengths some are going to preserve their phone anonymity are undeniably intricate. While not a path for everyone, this approach paints a vivid picture of the extreme measures individuals are willing to take in the name of privacy.

As for me, I keep a copy of Wesley’s guide tucked away, so I don’t forget the many, many rules of how to master this cash-gift-card-SIM-phone-wipedown operation. I want my sources—and people on the fence on whether or not to trust me—to know that I am committed to protecting their identity, privacy, and stories.

Living Off the Grid: A Teen’s Guide On How to Navigate Life Without a Cellphone 

The Invisible Web: How to Stay Anonymous Online

When spyware turns phones into weapons

How a Spy in your pocket threatens the end of privacy, dignity and democracy

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Living Off the Grid, Pegasus spyware, Spyware, Stay anonymous, Take Your Phone Off the Grid


Dec 12 2023

The Cyber War is Here

Category: Cyber War, Information Security | disc7 @ 12:39 pm

What is Cyberwarfare:

Cyberwar refers to the use of digital technology, including computer systems, networks, and electronic communication, as a means to conduct warfare in the virtual realm. In a cyberwar, conflicting parties leverage cyber capabilities to carry out attacks and defenses in an attempt to achieve strategic, political, or military objectives. These attacks can target a wide range of digital assets, including computer systems, networks, and information systems.

Cyberwarfare encompasses various tactics, techniques, and procedures, such as hacking, malware deployment, denial-of-service attacks, and information warfare. The goals of cyberwarfare can range from disrupting or destroying critical infrastructure to stealing sensitive information, conducting espionage, or influencing public opinion.

Key characteristics of cyberwar include its asymmetric nature, where a smaller, technologically sophisticated actor may pose a significant threat to a larger, conventionally powerful entity. Attribution, or determining the origin of cyber attacks, can be challenging, adding complexity to the dynamics of cyberwarfare.

Governments, military organizations, and other entities invest in cybersecurity measures to defend against cyber threats and protect their critical assets from potential attacks in the digital domain. The landscape of cyberwarfare is continually evolving as technology advances and new vulnerabilities emerge.

The Cyber War is Here: U.S. and Global Infrastructure Under Attack: A CISO’s Perspective

“The Cyber War Is Here” simplifies the complex world of cybersecurity, cyber risk, and the crucial relationship between corporate boards and Chief Information Security Officers (CISOs). Written by a distinguished cybersecurity expert and USAF Veteran, it emphasizes the strategic importance of cybersecurity in modern business. Marc highlights the evolving role of CISOs, emphasizing their shift from IT guardians to strategic advisors to the board. The book explores successful board-CISO interactions and the consequences of misalignment, offering a clear blueprint for effective partnership. “The Cyber War Is Here” dives into the national and economic security implications of cyber threats, stressing the critical link between cybersecurity and national defense. The book argues that strengthening digital defenses and fostering public-private sector collaboration is essential for national resilience. Designed for a broad audience, from individuals to boards of directors, CISOs, business executives, and policymakers, this book serves as a call to action for proactive cyber governance. It illuminates the interconnectedness of individual organizational security and national security, providing both a catalog of risks and strategies and a roadmap for action in the global cyber conflict arena. “The Cyber War Is Here” is a call to action for all.

Cyber warfare


Tags: Cyber War, Cyber Warfare


Dec 06 2023

Your car is probably harvesting your data. Here’s how you can wipe it

Category: Information Security, Mobile Security | disc7 @ 8:16 am
https://therecord.media/car-data-privacy-service-wiping

It is so easy to vacuum up private data from vehicles that Andrea Amico taught his daughter how to extract text messages from her mom’s car when she was only eight years old.

Blue-haired and an engineer by training, Amico has a hacker’s mentality, which has manifested in giving drivers a way to protect their data and beat the system at no cost.

Amico is the founder and CEO of Privacy4Cars, the outfit behind a free app that lets individuals erase the astonishing amount of personal data — including text messages, biometrics and geolocation — that many automakers collect, store and often share with law enforcement, insurers and even data brokers.

Privacy4Cars also allows consumers to pull a full report on exactly what data their own car is scooping up, using nothing but a vehicle identification number.

Amico worked on car data privacy for years on what he called a “passion project” basis. After running a large car inspection business, he came to understand the scale of the problem — and the stakes — and founded Privacy4Cars in 2019.

Consumers can use the app to delete data retroactively, but there is no way to block its collection moving forward so those especially concerned about privacy have to regularly wipe the car’s data, which usually primarily resides in the infotainment system, Amico said.

The process for deletion is unique for most car models and types. Amico says the company has amassed step-by-step delete instructions for tens of thousands of vehicles, whose settings often differ by model, make, year manufactured and even how many extras customers pay for to enhance a given model.

The app typically works for four out of five cars. Wiping data can take as few as three commands, or as many as 50, Amico said. If a car owner has not downloaded a given car’s software updates, that can complicate matters.

Data linked to more than a million cars has been deleted using the app to date, Amico said.

With car data privacy in the spotlight recently, the demand is likely to rise.

Last month a Seattle-based federal judge declined to revive a class action lawsuit alleging four auto manufacturers had broken Washington state privacy laws by gathering and storing customers’ private text messages and mobile phone call logs.

The judge ruled the practice did not meet the threshold for an illegal privacy violation under state law, which requires plaintiffs prove that “his or her business, his or her person, or his or her reputation” has been threatened by the harvesting of private data.

Despite the ruling, car data privacy concerns are growing as more consumers become aware of their exposure, and even some industry figures concede more needs to be done to educate car owners about data practices.

Running the report

Privacy4Cars offers a website feature which allows users to search their vehicle identification number and quickly learn the data their car gathers, pulling and crystallizing information from the small print manufacturers typically disclose in complex, dense and lengthy terms and conditions and privacy disclosures.

A recent search of what Privacy4Cars calls its “Vehicle Privacy Report” showed a variety of automakers disclosing they can or do pull, store and even sell a wide range of data, including:

  • Personal identifiers, which can include data as granular as a driver’s signature; Social Security number; passport number; insurance policy number; employment history and medical information, among other things
  • Biometrics, which can identify individuals, including through fingerprint mapping, facial recognition and retina scans
  • Geolocation data
  • Data collected and used to create profiles on drivers
  • Consumer data collected from synced phones like text messages and call logs. Often manufacturers don’t disclose whether they also gather data from drivers’ connected smart devices when third-party apps run on or sync with the infotainment system, the report said.

Many automakers also acknowledge they share data with law enforcement, insurers and data brokers.

While some cars searched on the Privacy4Cars website were silent on whether they collect data from synced phones, Sean McKeever, a senior security researcher at GRIMM, a cybersecurity company with an automotive division, said most cars do gather and store phone data.

“If the vehicle offers phone connectivity, you can assume there is some level of data being stored on the vehicle,” McKeever said via email.

Amico estimated that about two-thirds of U.S. auto manufacturers declare they collect data from synced phones, at least for some models.

“They’re also very quick to say that it’s none of their responsibility and essentially it’s the consumers’ fault if they leave this data behind,” he said in an interview.

To use the Privacy4Cars’ Vehicle Privacy Report search tool, drivers must have their vehicle identification number (VIN). A recent random check of the privacy report’s portal, using VIN numbers linked to used vehicles on Carmax, showed that many cars collect all of the data listed above and more.

Vehicles collecting synced phone data, for example, included a 2018 Volkswagen Atlas, a 2023 Audi Q4, a 2019 Volvo XC90 and a 2020 Honda Civic. All of these vehicles also collect location data and some gather biometric data along with compiling personal identifiers and user profiles.

None of the automakers offered comment except for Volkswagen. A spokesperson said that “when a customer syncs their phone via Bluetooth, the car can access phone data as granted by the customer and all of this data is stored within the vehicle.”

They added that customers can delete this data at any time through a factory reset and noted that “while the car itself will access the data, the car does not transmit this data beyond the car.”

Screenshot: A privacy report for a 2020 Volkswagen Tiguan.

Many of the cars Recorded Future News searched in the Vehicle Privacy Report also allowed data to be collected from Android Auto, Apple Carplay and Amazon Alexa.

Amico said that if your car uses Android Auto, for example: “Guess what? Google collects data from you as well.” Google does not have an Android Auto-specific privacy policy or data disclosure, Amico said. The data can also potentially be sold by Google for targeted advertising. Google did not respond to a request for comment.

Privacy4Cars also takes on data brokers, offering a way for consumers to easily reach them and tell them not to sell their data. An “Assert Your Rights” button on the upper right corner of the company’s homepage takes users to a place to share their information so that Privacy4Cars can submit consumer privacy requests to first-party businesses, data brokers, and third parties on their behalf.

Consumers in the dark

Most drivers have no idea what data their car is collecting because, other than through Privacy4Cars, it can be very hard to track down and digest the information. The privacy disclosures for the four cars mentioned above involved between nine and 12 unique documents, and each ran between 55,000 and 60,000 words, according to the Privacy4Cars site.

Older cars appear not to be immune. A check for a 2012 Honda Odyssey, for example, revealed the vehicle collects data from synced phones, geolocation information and compiles personal identifiers and user profiles.

Car owners should use the app to wipe data particularly when they buy or sell a used car and return vehicles to car rental agencies or leasing companies, Amico said, although most people don’t know they should do so.

Four out of five used cars contain the data of previous owners since most owners and subsequently car dealers don’t wipe them clean, he said.

In some cases cars even store pieces of code from previous drivers that can allow old owners to access new owners’ data. Most cars’ infotainment systems also store text messages and other unencrypted data.

Amico’s services aren’t foolproof. The FBI, for instance, still might be able to hack into the car’s systems and extract data. But they do make it a “hell of a lot harder” for them or anyone else to do so.

Even those unworried about getting entangled with the FBI have serious reasons to delete their data, he said.

“If you have a navigation system, you have about a 50/50 chance that you can press two buttons and show up inside the house of somebody because you press ‘go home’ and then you pop the garage open,” Amico said.

This is Part 1 of a three-part series on automobile privacy that will run through the month of December.

Automated Vehicle Law: Legal Liability, Regulation, and Data Security


Tags: Automated Vehicle, Car Security


Dec 03 2023

Introduction to Cyber Security

Category: cyber security, Information Security | disc7 @ 10:41 am

Introducing to Cybersecurity | Cyber Writes ✍

Introduction to Cyber Security: Basic to Advance Techniques


Tags: Intro to Cyber Security


Nov 29 2023

Chrome Zero-Day Vulnerability That Was Exploited In The Wild

Category: Information Security, Web Search Engine, Web Security | disc7 @ 8:13 am

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this year. The flaw, identified as CVE-2023-6345, is classified as an integer overflow in Skia, an open-source 2D graphics library written in C++.

“Google is aware that an exploit for CVE-2023-6345 exists in the wild,” Google said.

There are several potential risks associated with this high-severity zero-day vulnerability, including the execution of arbitrary code and crashes.

On November 24, 2023, Benoît Sevens and Clément Lecigne from Google’s Threat Analysis Group reported the issue.

Google has upgraded the Stable channel to version 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows, addressing the year’s sixth actively exploited zero-day vulnerability. This upgrade will be rolled out over the next few days/weeks.

Additionally, Google has fixed six high-severity security vulnerabilities with this update.

Details Of The Vulnerabilities Addressed

Type Confusion in Spellcheck is a high-severity bug that is being tracked as CVE-2023-6348. Mark Brand from Google Project Zero reported the issue.

Use after free in Mojo is the next high-severity bug, tagged as CVE-2023-6347. 360 Vulnerability Research Institute’s Leecraso and Guang Gong reported the issue, and they were rewarded with a bounty of $31,000.

Use after free in WebAudio is a high-severity issue identified as CVE-2023-6346. Following Huang Xilin of Ant Group Light-Year Security Lab’s disclosure, a $10,000 prize was given out.

Out-of-bounds memory access in libavif is a high-severity bug tagged as CVE-2023-6350. Fudan University reported it, and $7000 was given out.

Use after free in libavif is a high-severity bug identified as CVE-2023-6351. Fudan University reported it, and $7000 was given out.

Update Now

To stop exploitation, Google strongly advises users to update their Chrome web browser right away. Follow these steps to update Chrome:

  • Go to the Settings option.
  • Then select About Chrome.
  • Wait, as Chrome will automatically fetch and download the latest update.
  • Once the installation process completes, you have to restart Chrome.
  • That’s it. Now you are done.
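
For a fleet, the same check can be run against a software inventory. This added example (not from Google or the original article) compares reported Chrome versions with the fixed builds quoted above; the inventory format and host names are constructed, and versions are compared numerically because a plain string comparison misorders builds such as .99 and .199.

```python
import re

# Fixed Stable builds as quoted in the article above.
FIXED_BUILD = {
    "mac": (119, 0, 6045, 199),
    "linux": (119, 0, 6045, 199),
    "windows": (119, 0, 6045, 199),  # shipped as .199/.200 on Windows
}

# Four-part Chrome version, possibly embedded in a longer inventory string.
VERSION = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the version as a tuple of ints, or None if none is present."""
    match = VERSION.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def patch_status(platform, version_text):
    """Classify one installation as 'patched', 'vulnerable' or 'unknown'.

    Unknown platforms and unparseable versions are reported separately so
    that they are never silently counted as patched.
    """
    fixed = FIXED_BUILD.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"
    # Tuple comparison is numeric per component: (…, 99) < (…, 199).
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory):
    """Group hosts by patch status. inventory: (host, platform, version)."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        report[patch_status(platform, version_text)].append(host)
    return report


# Constructed sample inventory (host names and versions are illustrative).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "119.0.6045.200"),
    ("ws-002", "Windows", "119.0.6045.160"),
    ("mac-014", "mac", "119.0.6045.99"),
    ("lnx-203", "linux", "Google Chrome 119.0.6045.159"),
    ("lnx-204", "linux", "120.0.6099.62"),
    ("kiosk-07", "chromeos", "119.0.6045.199"),
    ("ws-050", "windows", "not installed"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```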

Attacking and Exploiting Modern Web Applications: Discover the mindset, techniques, and tools to perform modern web attacks and exploitation


Tags: Chrome zero-day


Nov 25 2023

CISSP Study Guide

Category: CISSP, Information Security | disc7 @ 2:44 pm

CISSP Study Guide | Cyber Press

CISSP Study Guide


Tags: CISSP study guide


Nov 17 2023

Why cyber war readiness is critical for democracies

Category: Cyber War, Digital cold war, Information Security, OT/ICS | disc7 @ 9:41 am

The skills employed, the hacktivists and other threat actors are not going anywhere. Right now, Russia might be overwhelmingly interested in Ukraine, but their aims and goals remain global.

“These skills will be turned in other directions and other targets in the future, they will be shared in threat actor groups online. This is the world you need to be preparing for right now,” he added.

His warning echoed a similar one by Viktor Zhora, Deputy Chairman and Chief Digital Transformation Officer at the State Service of Special Communication and Information Protection of Ukraine.

Russia’s attack force consists of “hackers in uniform”, cybercriminals and hacktivists congregating in various Telegram channels, but the nation is also working on engaging ever more young people in its cyber offensive campaigns. They are seeking talented individuals in schools (and not just tech universities), selecting the most talented and training them, he shared.

“The Russians are in it for the long run,” Zhora warned during his IRISSCON talk, and called on countries that are – or expect to be – targeted by cyber aggressive nations to create a cyber coalition so they can prepare, share their experiences, and exchange information.

OT under attack

We can’t talk about the war in Ukraine and not mention cyber attacks aimed at disrupting operational technology (OT) used by companies that are part of the country’s critical infrastructure (CI).

In his talk, Ferguson briefly ran through the known attacks that hit CI entities with OT-specific malware, starting with Stuxnet in 2010 and ending with CosmicEnergy in 2023.

Some of the attacks are believed to be the work of the US and Israel (Stuxnet), cybercriminals (EKANS ransomware, 2020) or are still unattributed (the destructive 2014 attack against a steel plant in Germany). But the rest, he noted, are all believed to have been mounted by Russian state-backed attackers.

And, he says, they are getting better at it. Mirroring the development of attacks against IT systems, they have recently begun exploiting legitimate tools found in OT environments, so they don’t need to develop customized malware.

Many attackers are scanning for OT-specific protocols and probing OT devices, Ferguson noted. While their actual exploitation hinges on the skills of the attackers, some modes of attack (e.g., DDoS and phishing) are available to those who are less skilled, but eager. Hacktivists can target critical infrastructure that’s exposed on the internet as it’s easily discoverable via online tools.

Unfortunately, securing OT systems comes with a host of challenges: a complex infrastructure; an increasing number of endpoints; OT devices insecure by design (and generally not meant to be connected to the internet); rarely integrated OT and IT security teams; a lack of visibility into the OT infrastructure – to name just a few.

A new level of cyber conflict

Since the start of the war, Russian hackers have been trying to shut down electrical power in the country, have gone after government agencies, IT companies, telecoms, software development firms, media houses, editors, and media personalities, Zhora noted.

While the initial attacks were mostly geared towards destruction, Russian cyber attackers are now also trying to get their hands on information that can help them determine the effectiveness of their kinetic attacks, discover whether their spies have been flagged by the Ukrainian authorities, and see what evidence those authorities have gathered about war crimes.

Clever and subtle online psy-ops campaigns are also a favorite tactic employed by the Russian state to manipulate enemies. And, since the advent of generative AI, it has become easier to mount them, Ferguson added.

All these things should be taken into consideration by governments when preparing for the future. Looking at the cyber component of the unfolding wars in Ukraine and Israel, they can see what future conflicts will look like.

Zhora says that Ukraine is becoming more and more confident of its capacity to counter future attacks, but that each democracy needs to ask themselves: Are we prepared for a global cyber war? “And they need to be honest with the answer,” he noted.

If they are not, they should immediately begin investing in cyber defense and intensifying cooperation, he added.

All the War They Want: Special Operations Techniques for Winning in Cyber Warfare, Business, and Life


Tags: OT/ICS critical infrastructure


Nov 15 2023


SystemBC, A SWISS KNIFE Proxy Malware, Used By Numerous Ransomware Groups

Category: Information Security | disc7 @ 7:51 am

SystemBC (aka Coroxy or DroxiDat) is a multifunctional malware known as Proxy, Bot, Backdoor, and RAT, adapting to attackers’ needs. 

Since 2018, this multifunctional malware has been active, and it remains popular in underground markets, with consistent annual incidents.

Cybersecurity researcher REXor (aka Aaron) recently discovered that several ransomware groups are employing SystemBC, a Swiss Knife proxy malware, for their illicit purposes. 

Ransomware Groups Involved

The ransomware groups involved in using this malware are listed below:

  • ViceSociety
  • Rhysida
  • GoldDupont
  • FIN12
  • 8BASE
  • PLAY
  • Hive
  • BlackBasta
  • TropicalScorpius (CUBA)
  • RiddleSpider (Avaddon)
  • WizardSpider (Conti, Ryuk)
  • Egregor
  • DarkSide
  • Maze Team (Maze & IcedID)

SystemBC, The SWISS KNIFE

Coroxy infiltrates systems using diverse methods tailored to the user group, employing:

  • Reconnaissance
  • Lateral movement
  • Deploying SystemBC (often alongside CobaltStrike)

It’s also utilized in Spear Phishing campaigns, delivered via loaders or other malware for installation on victim systems.

SystemBC malware adapts its methods but maintains core tasks:

Gather system info –> Establish persistence –> Create a Socks5 connection to the C&C server –> Transmit data –> Await attacker commands or malware launches

This backdoor enables attackers to operate from their infrastructure, and over time, numerous groups have used SystemBC.

SystemBC usage varies with each attacker’s access to the infrastructure. Studied samples show diverse executions yet share consistent core functions.

Usually, when an executable is run, a duplicate copy of SystemBC is made and persistence is established via tasks or registry entries.

Some samples may use a packer or need deobfuscation/extraction without a loader or malware. 

Extracting from memory may be required, revealing identical copies in a temporary folder indicating malware duplication with dynamic filenames. 

Coroxy employs a Mutex control in all examined samples that prevents multiple runs. It may generate a random string or deobfuscate a domain as a Mutex, adding complexity.

Samples establish persistence differently, as some create jobs or registry entries, often using PowerShell to execute SystemBC.

In certain versions, SystemBC launches a duplicate in the following paths:

  • ProgramData
  • Roaming
  • Temp
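
The persistence pattern described above (a self-copy dropped into ProgramData, Roaming or Temp, then a task or registry entry that relaunches it, often through PowerShell) can be hunted by correlating endpoint events. The sketch below is an added example, not code from the report or the original post; the event schema, field names, the exact directory patterns used for "Roaming" and "Temp", and all sample values are constructed assumptions.

```python
import re
from collections import defaultdict

# Drop locations named in the article; the concrete patterns are assumptions.
STAGING_DIR = re.compile(
    r"\\(programdata|appdata\\roaming|appdata\\local\\temp|windows\\temp)\\",
    re.IGNORECASE,
)
# An executable path inside a command line.
EXE_PATH = re.compile(r"[a-z]:\\[^\"'|<>]*?\.exe", re.IGNORECASE)
# Autorun registry locations (Run / RunOnce).
RUN_KEY = re.compile(r"\\currentversion\\run(once)?(\\|$)", re.IGNORECASE)


def staged_exes(command_line):
    """Executable paths in a command line that sit in a staging directory."""
    return [p.lower() for p in EXE_PATH.findall(command_line)
            if STAGING_DIR.search(p)]


def detect(events):
    """Correlate self-copies with persistence that relaunches them.

    high   : persistence points at a file identical to the process that wrote it
    medium : persistence launches a staged executable through PowerShell
    """
    self_copies = defaultdict(set)  # host -> paths of observed self-copies
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        host = ev["host"]
        if ev["type"] == "file_create":
            target = ev["target"].lower()
            if (STAGING_DIR.search(target)
                    and ev["target_sha256"] == ev["image_sha256"]
                    and target != ev["image"].lower()):
                self_copies[host].add(target)
        elif ev["type"] in ("task_create", "reg_set"):
            if ev["type"] == "reg_set" and not RUN_KEY.search(ev["key"]):
                continue  # registry write outside the autorun keys
            command = ev["command"]
            via_powershell = "powershell" in command.lower()
            for path in staged_exes(command):
                copied = path in self_copies[host]
                if copied or via_powershell:
                    alerts.append({
                        "host": host,
                        "time": ev["time"],
                        "severity": "high" if copied else "medium",
                        "mechanism": ev["type"],
                        "path": path,
                        "via_powershell": via_powershell,
                    })
    return alerts


# Constructed sample telemetry (hypothetical schema, hosts, paths and hashes).
H_MAL, H_SETUP, H_AGENT = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE_EVENTS = [
    {"time": 1, "host": "WS01", "type": "file_create",
     "image": r"C:\Users\alice\Downloads\invoice.exe", "image_sha256": H_MAL,
     "target": r"C:\ProgramData\kdfjg\svc_7f3a.exe", "target_sha256": H_MAL},
    {"time": 2, "host": "WS01", "type": "task_create",
     "command": r"powershell.exe -WindowStyle Hidden -Command Start-Process "
                r"C:\ProgramData\kdfjg\svc_7f3a.exe"},
    {"time": 3, "host": "WS01", "type": "reg_set",
     "key": r"HKCU\Software\Classes\.txt",
     "command": r"powershell.exe C:\ProgramData\kdfjg\svc_7f3a.exe"},
    {"time": 4, "host": "WS03", "type": "file_create",
     "image": r"C:\Users\carol\Downloads\vendor_setup.exe",
     "image_sha256": H_SETUP,
     "target": r"C:\ProgramData\Vendor\agent.exe", "target_sha256": H_AGENT},
    {"time": 5, "host": "WS03", "type": "task_create",
     "command": r"C:\ProgramData\Vendor\agent.exe --service"},
    {"time": 6, "host": "WS02", "type": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "command": r"powershell.exe -W Hidden -C "
                r"C:\Users\bob\AppData\Roaming\wsus\updater.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The installer on WS03 is left alone because the file it writes differs from the installer itself and its task does not go through PowerShell, which is the kind of benign activity the correlation is meant to filter out.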

SystemBC checks for a2guard, an anti-analysis step for spotting antivirus or other disruptive software. It captures process snapshots and walks them with Process32First and Process32Next to hunt for the binary. 

This grants persistence, process control, and info gathering, with deobfuscation and decryption for future network connections.

After pinpointing the connection location, SystemBC establishes the connection through a loop, usually targeting a known server and port, according to the report.

Though versions may differ slightly, the core behavior remains the same. The analyst also noted Coroxy’s continued relevance, with active discussions and inquiries in forums. 

Besides this, the identified infrastructure allows OS access for around $350 to $300, payable through active cryptocurrency wallets.

Active discussions and inquiries (Source - RexorVC0)

IOCs


Configuration and Evaluation of Some Microsoft and Linux Proxy Servers, Security, Intrusion Detection, AntiVirus and AntiSpam Tools



Nov 14 2023

Hackers Selling Exploits For Critical Vulnerabilities On The Dark Web

Category: Dark Web, Information Security | disc7 @ 1:31 pm

Dark forums and Telegram channels have become great places for threat actors to sell critical vulnerabilities and exploits.

These vulnerabilities and exploits were associated with the Elevation of Privilege, Authentication Bypass, SQL Injection, and Remote Code Execution in products like Windows, JetBrains software, Microsoft Streaming Service Proxy, and Ubuntu kernels.

Recent discoveries indicate that these vulnerabilities were sold in underground forums even before the vendor officially assigned them a CVE.

One such example was the Microsoft Streaming Service Proxy vulnerability (CVE-2023-36802), which was on sale in February, though the CVE was officially assigned in September 2023.

Key Vulnerabilities

According to the reports shared with Cyber Security News, several critical and high-severity vulnerabilities were sold in the underground forums, which certain ransomware groups used to gain initial access and lateral movement inside the victim network.

Critical Vulnerabilities

CVE-2023-34362: MOVEit RCE Vulnerability (Exploited By Cl0p Ransomware Group)

This vulnerability was published in NVD on June 02, 2023. However, it was observed to be exploited by threat actors since May 2023. This vulnerability had a severity of 9.8 (Critical) and was patched by Progress. 

This vulnerability arises due to insufficient sanitization of user-provided data, which enables unauthenticated remote attackers to access the MOVEit application. With this vulnerability, the Cl0p ransomware group targeted more than 3000 organizations in the US and 8000 organizations worldwide.

CVE-2023-3519: Citrix ADC And Gateway Vulnerability (Exploited By Unknown Threat Actor)

NVD published this vulnerability on June 19, 2023, and Citrix patched it in July 2023. However, threat actors were seen to be exploiting this vulnerability in June 2023, which affected Netscaler ADC and Gateway versions.

A threat actor can use this vulnerability to execute remote code on affected Citrix ADC and Gateway systems to steal sensitive information without any authentication. The severity of this vulnerability was given as 9.8 (Critical).


CVE-2023-42793: JetBrains Unauthenticated RCE (Exploited By North Korean Threat Actors)

This vulnerability could allow an unauthenticated threat actor to access the TeamCity server and execute remote code, which could compromise the source code and contribute to a supply chain attack.

This vulnerability was published in NVD in September 2023 and was found to be sold in the underground forums in October 2023. This authentication bypass leading to RCE vulnerability was given a severity of 9.8 (Critical).


According to Microsoft, this vulnerability was potentially used by North Korean nation-state threat actors like Diamond Sleet and Onyx Sleet to install malware and backdoors on their targets.

A complete report about the vulnerabilities sold on the underground market, their associated threat groups, and other information has been published.

Users of these products are recommended to patch the affected versions accordingly and take precautionary measures to prevent them from getting exploited by threat actors.

The Darkest Web: Drugs, Death and Destroyed Lives . . . the Inside Story of the Internet’s Evil Twin


Tags: Hackers Selling Exploits, The Darkest Web


Nov 10 2023


Russian Hackers Hijacked Power Station Circuit Breakers Using LotL Technique

Category: Hacking, Information Security | disc7 @ 11:10 am

In a recent and alarming development, the notorious Russia-linked threat actor Sandworm executed a sophisticated cyber-physical attack targeting a critical infrastructure organization in Ukraine. 

The incident, which cybersecurity firm Mandiant responded to, unfolded as a multi-event assault, showcasing a novel technique to impact industrial control systems (ICS) and operational technology (OT).

Unraveling Russia’s Cyber-Physical Capabilities

The attack, spanning from June to October 2022, demonstrated a significant evolution in Russia’s cyber-physical attack capabilities, notably visible since the invasion of Ukraine. 

Sandworm, known for its allegiance to Russia’s Main Intelligence Directorate (GRU), has historically focused on disruptive and destructive campaigns, particularly in Ukraine.

The unique aspect of this attack involved Sandworm’s utilization of living-off-the-land (LotL) techniques at the OT level, initially causing an unplanned power outage in conjunction with missile strikes across Ukraine. 

The threat actor further demonstrated its adaptability by deploying a new variant of the CADDYWIPER malware in the victim’s IT environment.

Mandiant’s analysis revealed the complexity of the attack, highlighting Sandworm’s ability to recognize novel OT threat vectors, develop new capabilities, and exploit various OT infrastructures. 

The threat actor’s deployment of LotL techniques indicated a streamlined approach, reducing the time and resources required for the cyber-physical assault.

Concerns Over Sandworm’s Adaptive Capabilities

Despite being unable to pinpoint the initial intrusion point, Mandiant suggested that the OT component of the attack may have been developed in as little as two months. 

This raises concerns about Sandworm’s capability to rapidly adapt and deploy similar attacks against diverse OT systems worldwide.

Sandworm’s global threat activity, coupled with its novel OT capabilities, prompted a call to action for OT asset owners worldwide. 

Mandiant provided detailed guidance, including detection methods, hunting strategies, and recommendations for hardening systems against such threats.

The attack’s timing, coinciding with Russian kinetic operations, suggested a strategic synchronization, indicating that the threat actor may have been waiting for a specific moment to deploy its capabilities. 

As observed in this incident, the evolution of Sandworm’s tactics offers insights into Russia’s ongoing investment in OT-oriented offensive cyber capabilities.

In conclusion, this Sandworm attack serves as a stark reminder of the escalating cyber threats faced by critical infrastructure globally. 

The continuous evolution of cyber adversaries necessitates a proactive approach from governments, organizations, and asset owners to secure and safeguard vital systems against such sophisticated attacks.

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers


Tags: Power station, Sandworm


Nov 01 2023

Hackers Deliver Malicious DLL Files Chained With Legitimate EXE Files

Category: Hacking, Information Security | disc7 @ 9:31 am

Hackers opt for DLL hijacking as a technique to exploit vulnerable applications because it allows them to load malicious code by tricking a legitimate application into loading a malicious DLL.

This can give them unauthorized access and control over a system or application, enabling various types of attacks such as:

  • Privilege escalation
  • Data theft
  • System compromise

An active threat involves an Infostealer distributing a legitimate EXE file alongside a hidden malicious DLL in the same directory.

The legitimate EXE runs the malicious DLL, a technique known as DLL hijacking, commonly used for malware distribution.

Malicious DLL With Legitimate EXE Files

Malware posing as software cracks is growing at a rapid pace, and threat actors are distributing it using DLL hijacking.

Users searching for cracked software are led to malicious sites, and the downloads are encrypted, password-protected RAR files.

Running the EXE infects the system, and these files often have valid signatures, so always be cautious with cracked software, reads the ASEC report.

Distribution of the malware via webpages (Source – ASEC)

Malicious DLLs tweak part of legitimate DLLs as they decrypt and run data from a nearby file. Hiding data this way avoids altering DLL appearance, reducing detection risk.

For the malware to work, the following elements must be placed in the same folder:

  • Data
  • EXE
  • Modified DLL

Unzipping the password-protected file with the code “2023” gives you the following files:

Contents of compressed file (Source – ASEC)

The following two files are genuine VLC files with valid signatures:

  • Setup.exe
  • libvlc.dll

The “libvlccore.dll” file is altered and lacks a matching signature, and the extra directories such as demux and lua serve to mask its malicious nature.

Running ‘Setup.exe’ loads ‘libvlccore.dll,’ triggering a modified function that reads and decrypts ‘ironwork.tiff’ in the same folder. This file holds code information disguised as a PNG.

It loads “pla.dll” from SysWow64 and injects code into its memory differently than typical malware. This method uses NTDLL relocation, and for “cmd.exe,” it loads “pla.dll” and injects the malware into it. 

A data file is written to %TEMP%. cmd.exe inherits it and has its EntryPoint changed to “pla.dll” code. This code decrypts a file, generates LummaC2 malware, and runs “explorer.exe,” injecting and executing the binary.

Process tree of malware execution (Source - ASEC)

LummaC2 targets victims and installs malware from its C2 server, and it steals various sensitive data using JSON-formatted responses from C2. 

The malware infects via legitimate EXE files and uses DLLs that look like the originals, so its risk of detection is low.
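A defender-side triage of the folder layout described above, as an added example that is not from the ASEC report or the original post: the Python below flags a data file whose extension disagrees with its magic bytes, or which carries a PNG signature without a valid chunk/CRC structure, when it sits beside an EXE and a DLL. It assumes the data file begins with a PNG signature; the sample files are constructed stand-ins that reuse the file names from the report, and all function names are illustrative.

```python
import struct
import tempfile
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAGIC = {PNG_SIG: "png", b"II*\x00": "tiff", b"MM\x00*": "tiff", b"MZ": "pe"}
EXT_KIND = {".png": "png", ".tif": "tiff", ".tiff": "tiff", ".exe": "pe", ".dll": "pe"}

def sniff(data: bytes) -> str:
    """File kind implied by the leading magic bytes, or 'unknown'."""
    return next((k for m, k in MAGIC.items() if data.startswith(m)), "unknown")

def png_well_formed(data: bytes) -> bool:
    """Walk PNG chunks (length, type, body, CRC32) from IHDR to IEND."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data) or (pos == 8 and ctype != b"IHDR"):
            return False
        if zlib.crc32(data[pos + 4:end]) != struct.unpack(">I", data[end:end + 4])[0]:
            return False
        if ctype == b"IEND":
            return True
        pos = end + 4
    return False

def triage(folder: Path) -> list[tuple[str, str]]:
    """Flag data files that lie about their type inside an EXE + DLL folder."""
    files = sorted(p for p in folder.iterdir() if p.is_file())
    if not {".exe", ".dll"} <= {p.suffix.lower() for p in files}:
        return []  # not the EXE + DLL + data layout the report describes
    findings = []
    for p in files:
        data = p.read_bytes()
        kind, expected = sniff(data), EXT_KIND.get(p.suffix.lower())
        if expected and kind != expected:
            findings.append((p.name, f"extension implies {expected}, content is {kind}"))
        if kind == "png" and not png_well_formed(data):
            findings.append((p.name, "PNG signature but invalid chunk/CRC structure"))
    return findings

def build_sample(folder: Path) -> None:
    """Constructed stand-ins using the file names from the report; no real malware."""
    for name in ("Setup.exe", "libvlc.dll", "libvlccore.dll"):
        (folder / name).write_bytes(b"MZ" + bytes(62))
    # PNG signature followed by non-PNG bytes, standing in for the encrypted data file.
    (folder / "ironwork.tiff").write_bytes(PNG_SIG + bytes(range(256)) * 4)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(*triage(Path(tmp)), sep="\n")
```

The script does not verify Authenticode signatures, so the altered DLL itself has to be caught with Windows signature tooling.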

IOCs

IOCs (Source – ASEC)


Tags: Malicious DLL


Oct 27 2023

HOW APT28 INFILTRATES NETWORKS IN FRENCH UNIVERSITIES & NUCLEAR PLANTS WITHOUT DETECTION

Category: APT, Information Security | disc7 @ 1:19 pm

According to a recent study published by the leading cybersecurity agency in France, a hacking organisation affiliated with Russia’s military intelligence agency has been spying on French colleges, corporations, think tanks, and government institutions.

Since the second half of 2021, the group of hackers known as Fancy Bear or APT28 has been operating covertly in French computer networks in an effort to acquire a variety of sensitive data. According to the findings of the investigation conducted by the National Cybersecurity Agency of France (ANSSI, the National Agency for the Security of Information Systems), the attackers compromised systems that were not being actively monitored, such as routers and other peripheral devices on the networks of critically important French organisations, and abstained from employing backdoors in order to avoid being discovered.

After analysing the group’s Techniques, Tactics, and Procedures (TTPs), ANSSI concluded that APT28 infiltrates target networks via brute force and credential leaks in order to get access to accounts and Ubiquiti routers. In April 2023, a phishing campaign was launched with the purpose of obtaining system settings, insights into operations, and other relevant data. Using the flaw identified as CVE-2023-23397, APT28 sent emails to Outlook users between March 2022 and June 2023. To carry out reconnaissance and data collection, the attackers also made use of other vulnerabilities, such as CVE-2022-30190 (Follina) in Microsoft Windows Support Diagnostic Tool (MSDT) and CVE-2020-12641 in Roundcube webmail.

To carry out their intrusions, the group made use of tools such as the password harvester Mimikatz and the traffic relay tool reGeorg. Additionally, they made use of open-source services such as Mockbin and Mocky. APT28 also uses a wide variety of different VPN clients.

As a cyber-espionage group, APT28’s primary mission is to gain unauthorised access and steal information from its targets. The hackers stole sensitive information from email accounts and stole authentication details by using common tools. The hackers also stole emails that were full of personal information. The Command and Control (C2) architecture relies on cloud services such as Google Drive and Microsoft OneDrive, which makes it more difficult to identify.

ANSSI has mapped the TTPs (techniques, tactics, and procedures) of APT28 and found that the threat organisation breaches accounts and Ubiquiti routers on targeted networks by using brute-force attacks and leaked databases holding passwords.

In one incident that occurred in April 2023, the adversaries carried out a phishing effort that duped the receivers into executing PowerShell, which revealed their system settings, running processes, and other OS-related information.

APT28 is responsible for sending emails to Outlook users that attacked a zero-day vulnerability that is now known as CVE-2023-23397. These emails were sent between March 2022 and June 2023, which places the first exploitation a month earlier than what was previously revealed.

The ANSSI emphasises taking a comprehensive approach to security, which includes conducting risk assessments. In light of the dangers posed by APT28, there should be a special focus on ensuring the safety of email communications. The following is a list of the most important suggestions that the organisation has about the safety of email:

  • Protecting the privacy of email communications and preventing their disclosure.
  • Adopting secure exchange systems as a means of preventing the diversion or acquisition of email traffic.
  • Reducing the potential points of attack on email web interfaces and managing the dangers posed by servers such as Microsoft Exchange.
  • Putting in place mechanisms that can identify malicious emails.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage



Oct 26 2023

Most Important Network Penetration Testing Checklist

Category: Cheat Sheet, Information Security, Pen Test | disc7 @ 9:25 am

A network penetration testing checklist determines vulnerabilities in the network posture by discovering open ports, troubleshooting live systems and services, and grabbing system banners.

Pen testing helps the administrator close unused ports and additional services, hide or customize banners, troubleshoot services, and calibrate firewall rules.

You should test in all ways to guarantee there is no security loophole.

Network penetration testing, also known as ethical hacking or white-hat hacking, is a systematic process of evaluating the security of a computer network infrastructure.

The goal of a network penetration test is to identify vulnerabilities and weaknesses in the network’s defenses that malicious actors could potentially exploit.

Let’s see how we conduct step-by-step Network penetration testing by using some famous network scanners.

1. Host Discovery

Footprinting is the first and most important phase where one gathers information about their target system.

DNS footprinting helps to enumerate DNS records like (A, MX, NS, SRV, PTR, SOA, and CNAME) resolving to the target domain.

  • A – A record is used to point the domain name such as gbhackers.com to the IP address of its hosting server.
  • MX – Records responsible for Email exchange.
  • NS – NS records are to identify DNS servers responsible for the domain.
  • SRV – Records to distinguish the service hosted on specific servers.
  • PTR – Reverse DNS lookup, with the help of IP you can get domains associated with it.
  • SOA – Start of record, it is nothing but the information in the DNS system about DNS Zone and other DNS records.
  • CNAME – Cname record maps a domain name to another domain name.

We can detect live hosts, and accessible hosts in the target network by using network scanning tools such as Advanced IP scanner, NMAP, HPING3, and NESSUS.

Ping & Ping Sweep:

root@kali:~# nmap -sn 192.168.169.128

root@kali:~# nmap -sn 192.168.169.128-20        To scan a range of IPs

root@kali:~# nmap -sn 192.168.169.*             Wildcard

root@kali:~# nmap -sn 192.168.169.128/24        Entire subnet

Whois Information 

To obtain Whois information and the name server of a website:

root@kali:~# whois testdomain.com

  1. http://whois.domaintools.com/
  2. https://whois.icann.org/en

Traceroute

A network diagnostic tool that displays the route path and transit delay of packets:

root@kali:~# traceroute google.com

Online Tools

  1. http://www.monitis.com/traceroute/
  2. http://ping.eu/traceroute/

2. Port Scanning

Perform port scanning using tools such as Nmap, Hping3, Netscan tools, and Network monitor. These tools help us to probe a server or host on the target network for open ports.

root@kali:~# nmap --open gbhackers.com            To find all open ports

root@kali:~# nmap -p 80 192.168.169.128           Specific Port

root@kali:~# nmap -p 80-200 192.168.169.128       Range of ports

root@kali:~# nmap -p "*" 192.168.169.128          To scan all ports

Online Tools

  1. http://www.yougetsignal.com/
  2. https://pentest-tools.com/information-gathering/find-subdomains-of-domain

3. Banner Grabbing/OS Fingerprinting

Perform banner grabbing/OS fingerprinting with tools such as Telnet, IDServe, and NMAP to determine the operating system of the target host.

Once you know the version and operating system of the target, you need to find the vulnerabilities and exploit them. Try to gain control over the system.

root@kali:~# nmap -A 192.168.169.128

root@kali:~# nmap -v -A 192.168.169.128           With high verbosity level

IDserve is another good tool for Banner Grabbing.

Network pentesting flowchart

Online Tools

  1. https://www.netcraft.com/
  2. https://w3dt.net/tools/httprecon
  3. https://www.shodan.io/

4. Scan For Vulnerabilities

Scan the network for vulnerabilities using GFI Languard, Nessus, Retina CS, and SAINT.

These tools help us find vulnerabilities in the target and operating systems. With these steps, you can find loopholes in the target network system.

GFI Languard

It acts as a security consultant and offers patch management, vulnerability assessment, and network auditing services.

Nessus

Nessus is a vulnerability scanner tool that searches for bugs in software and finds a specific way to violate the security of a software product.

  • Data gathering.
  • Host identification.
  • Port scan.
  • Plug-in selection.
  • Reporting of data.

5. Draw Network Diagrams

Draw a network diagram about the organization that helps you understand the logical connection path to the target host in the network.

The network diagram can be drawn by LANmanager, LANstate, Friendly pinger, and Network View.

6. Prepare Proxies

Proxies act as an intermediary between two networking devices. A proxy can protect the local network from outside access.

With proxy servers, we can anonymize web browsing and filter unwanted content, such as ads and many others.

Proxies such as Proxifier, SSL Proxy, Proxy Finder, etc., are used to hide from being caught.

7. Document All Findings

The last and very important step is to document all the findings from penetration testing.

This document will help you find potential vulnerabilities in your network. Once you determine the Vulnerabilities, you can plan counteractions accordingly.
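As an added example (not part of the original checklist), the port-scan results can feed the findings document directly: the Python below parses nmap's grepable output (`-oG`) and lists every open port that is missing from an approved baseline, which is the list of ports to close or justify. The sample scan output, the baseline and the function names are constructed for illustration.

```python
import re

# Constructed sample of `nmap -oG -` (grepable) output; the hosts reuse the
# lab addresses from the commands above, the services are invented.
SAMPLE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.168.169.128 ()\tStatus: Up\n"
    "Host: 192.168.169.128 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "3306/open/tcp//mysql///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (996)\n"
    "Host: 192.168.169.129 ()\tPorts: 23/open/tcp//telnet///, 443/open/tcp//https///\n"
)

# Hypothetical baseline: the ports each host is supposed to expose.
APPROVED = {"192.168.169.128": {22, 80}, "192.168.169.129": {443}}

HOST_RE = re.compile(r"^Host: (\S+) .*?\tPorts: ([^\t]*)")

def open_ports(grepable: str) -> dict[str, list[tuple[int, str, str]]]:
    """Map host -> [(port, protocol, service)] for every port reported open."""
    result: dict[str, list[tuple[int, str, str]]] = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and Status-only lines carry no port data
        for entry in m.group(2).split(","):
            # Entry layout: port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                result.setdefault(m.group(1), []).append((int(fields[0]), fields[2], fields[4]))
    return result

def unapproved(found, approved) -> list[tuple[str, int, str, str]]:
    """Open ports missing from the baseline: candidates to close or justify."""
    return sorted(
        (host, port, proto, svc)
        for host, ports in found.items()
        for port, proto, svc in ports
        if port not in approved.get(host, set())
    )

def findings_table(rows) -> str:
    """Render the rows as tab-separated lines for the findings document."""
    lines = ["HOST\tPORT\tSERVICE"]
    lines += [f"{host}\t{port}/{proto}\t{svc}" for host, port, proto, svc in rows]
    return "\n".join(lines)

if __name__ == "__main__":
    print(findings_table(unapproved(open_ports(SAMPLE), APPROVED)))
```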

You can download the rules and scope Worksheet here: Rules and Scope sheet 

Thus, penetration testing helps assess your network before it gets into real trouble that may cause severe loss in terms of value and finance.


Important Tools Used For Network Pentesting

Frameworks

Kali Linux, Backtrack5 R3, Security Onion

Reconnaissance

Smartwhois, MxToolbox, CentralOps, dnsstuff, nslookup, DIG, netcraft

Discovery

Angry IP scanner, Colasoft ping tool, nmap, Maltego, NetResident, LanSurveyor, OpManager

Port Scanning

Nmap, Megaping, Hping3, Netscan tools pro, Advanced port scanner

Service Fingerprinting

Xprobe, nmap, zenmap

Enumeration

Superscan, Netbios enumerator, Snmpcheck, onesixtyone, Jxplorer, Hyena, DumpSec, WinFingerprint, Ps Tools, NsAuditor, Enum4Linux, nslookup, Netscan

Scanning

Nessus, GFI Languard, Retina, SAINT, Nexpose

Password Cracking

Ncrack, Cain & Abel, LC5, Ophcrack, pwdump7, fgdump, John The Ripper, Rainbow Crack

Sniffing

Wireshark, Ettercap, Capsa Network Analyzer

MiTM Attacks

Cain & Abel, Ettercap

Exploitation

Metasploit, Core Impact

These are the most important checklist items to concentrate on in network penetration testing.

Also Read:

Penetration Testing – Protecting Networks and Systems


Tags: Network Penetration Testing Checklist

