InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
As-a-service attacks continue to dominate the threat landscape, with Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) tools making up the majority of malicious tools in use by attackers, according to Darktrace.
Cybercriminals exploit as-a-Service tools
As-a-Service tools can provide attackers with everything from pre-made malware to templates for phishing emails, payment processing systems and even helplines to enable criminals to mount attacks with limited technical knowledge.
The most common as-a-Service tools Darktrace saw in use from July to December 2023 were:
Malware loaders (77% of investigated threats), which can deliver and execute other forms of malware and enable attackers to repeatedly target affected networks.
Cryptominers (52% of investigated threats), which use an infected device to mine for cryptocurrency.
Botnets (39% of investigated threats) enrol users in wider networks of infected devices, which attackers then leverage in larger-scale attacks on other targets.
Information-stealing malware (36% of investigated threats), malicious software like spyware or worms, designed to secretly access and collect sensitive data from a victim’s computer or network.
Proxy botnets (15% of investigated threats), more sophisticated botnets that use proxies to hide the true source of their activity.
Phishing threats escalate in business communications
Darktrace identified Hive ransomware as one of the major Ransomware-as-a-Service attacks at the beginning of 2023. With the dismantling of Hive by the US government in January 2023, Darktrace observed the rapid growth of a range of threats filling the void, including ScamClub, a malvertising actor notorious for spreading fake virus alerts to notable news sites, and AsyncRAT, responsible for attacking US infrastructure employees in recent months.
As businesses continue to rely on email and collaboration tools for communication, methods such as phishing continue to cause a headache for security teams. Darktrace detected 10.4 million phishing emails across its customer fleet between the 1st September and the 31st December 2023.
But the report also highlights how cybercriminals are embracing more sophisticated tools and tactics designed to evade traditional security parameters. One example is the rise of Microsoft Teams phishing in which attackers contact employees through Teams, posing as a co-worker and tricking them into clicking malicious links.
In one case in September 2023, Darktrace identified a suspected Teams phisher attempting to trick users into clicking a SharePoint link that would download the DarkGate malware and deploy further strains of malware across the network.
Multi-function malware on the rise
Another new trend identified is the growth of malware developed with multiple functions to inflict maximum damage. Often deployed by sophisticated groups like cyber cartels, these Swiss Army knife-style threats combine capabilities.
For example, the recent Black Basta ransomware also spreads the Qbot banking trojan for credential theft. Such multi-tasking malware lets attackers cast a wide net to monetise infections.
“Throughout 2023, we observed significant development and evolution of malware and ransomware threats, as well as changing attacker tactics and techniques resulting from innovation in the tech industry at large, including the rise in generative AI. Against this backdrop, the breadth, scope, and complexity of threats facing organizations has grown significantly,” comments Hanah Darley, Director of Threat Research, Darktrace. “Security teams face an up-hill battle to stay ahead of attackers, and need a security stack that keeps them ahead of novel attacks, not chasing yesterday’s threats.”
Cybersecurity products can get pricy but there are many excellent open source tools to help secure your systems and data. Here’s a list of some of the most popular with cyber pros.
Cybersecurity tools aren’t just for the enterprise anymore; they’re essential for every type and size of organization.
Some tools specialize in antivirus, while others focus on spear phishing, network security or scripting. Even the best cybersecurity products can only do a few things very well, and there is no room for error.
Effective products, coupled with in-depth cybersecurity planning, are a must for all. Whether businesses have an in-house security team or outsource these services, every entity needs cybersecurity pros to discover and fix any points of weakness in computer systems. This reality can tax the bottom line, but luckily there are many free cybersecurity tools available.
Here is a rundown of some of the top free tools cybersecurity professionals use every day to identify vulnerabilities.
1. Aircrack-ng
Aircrack-ng is a must-have suite of wireless security tools that focus on different aspects of Wi-Fi security. Aircrack-ng focuses on monitoring, attack testing and cracking your Wi-Fi network. This package of tools can capture, analyze and export packet data, spoof access points or routers and crack complex Wi-Fi passwords. The Aircrack-ng suite of programs includes Airdecap-ng, which decrypts WEP or WPA-encrypted capture files; Airodump-ng, a packet sniffer; Airtun-ng, a virtual tunnel interface creator; and Packetforge-ng, which creates encrypted packets for injection. All of it is free and open source.
2. Burp Suite
Burp is a suite of tools specifically focused on debugging and testing web app security. Burp Suite includes a spider for crawling web app content, a randomness tool for testing session tokens and a sophisticated request repeater to resend manipulated requests. The real power of Burp Suite, however, is the intercepting proxy tool, which enables Burp to intercept, inspect, modify and send traffic from the browser to a target. This powerful feature makes it possible to creatively analyze a web app’s attack vectors from all angles — a key reason it’s often ranked as one of the best free cybersecurity tools. The community version of Burp Suite is free, but there is also a paid Enterprise Edition designed for enabling testing in DevSecOps.
3. Defendify
Defendify is an all-in-one product that provides multiple layers of protection and offers consulting services if needed. With Defendify, organizations can streamline cybersecurity assessments, testing, policies, training, detection and response in one consolidated cybersecurity tool.
Features include cybersecurity risk assessments, technology and data use policies, incident response plans, penetration testing, threat alerts, phishing simulations and cybersecurity awareness training.
4. Gophish
Many of the costliest data breaches and ransomware attacks in recent years can be traced back to simple phishing campaigns because many company workers fall for them. One of the best protections is to secretly test your staff to see who is gullible, and for that you can use the free program Gophish. Gophish is open source and provides a full-featured toolkit for security administrators to build their own phishing campaigns with relative ease. The overall goal is not to embarrass staff, but find out who needs greater phishing awareness and foster better security training within their organization.
5. Have I Been Pwned
Created by award-winning cybersecurity thought leader and teacher Troy Hunt, Have I Been Pwned is a website where you enter your email address to check if your address has been revealed in a data breach. Have I Been Pwned’s database is filled with billions of usernames, passwords, email addresses and other information that hackers have stolen and published online. Just enter your address in the search box.
6. Kali Linux
Kali Linux is a Debian Linux derivative specifically designed toward testing for security tasks, such as penetration testing, security auditing and digital forensics. Kali includes roughly 600 pre-installed programs, each included to help computer security experts carry out a specific attack, probe or exploit against a target. Aircrack-ng, Nmap, Wireshark and Metasploit are a few of the pre-installed tools that ship with the Kali Linux download.
7. Metasploit Framework
Similar to Kali Linux but at the application layer rather than OS, the Metasploit Framework can test computer system vulnerabilities or can be used to break into remote systems. It is, in other words, a network penetration “Swiss Army knife” used by both ethical hackers and criminal gangs to probe networks and applications for flaws and weaknesses. There is both a free and a commercial version — known as the Framework and Pro editions, respectively — which are available for trial. Both editions are de facto standard for penetration testing with more than 1,500 exploits. Metasploit comes pre-installed on Kali Linux.
8. Nmap
Nmap is a free network mapper used to discover network nodes and scan systems for vulnerability. This popular free cybersecurity tool provides methods to find open ports, detect host devices, see which network services are active, fingerprint operating systems and locate potential backdoors.
While Nmap provides users immense power and capability to explore networks, the program has a rather steep learning curve to get over before one becomes truly proficient in using it.
9. Nikto
Nikto is an ultra-powerful, command-line tool useful for uncovering vulnerabilities in web apps, services and web servers. Originally launched in the early 2000s, Nikto is still widely used by both blue and red teams that want to quickly scan web servers for unpatched software, misconfigurations and other security issues. The program also features built-in support for SSL proxies and intrusion detection system evasion. Nikto can run on any computer capable of supporting the Perl programming language.
10. Open Vulnerability Assessment Scanner
OpenVAS is an all-in-one vulnerability scanner that comprehensively tests for security holes, misconfigured systems and outdated software. The scanner gets the tests for detecting vulnerabilities from a feed with daily updates. Much of the program’s power stems from its built-in programming interface, which enables developers to create custom scans that fit niche needs.
Its capabilities include unauthenticated and authenticated testing, high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.
11. OSSEC
OSSEC is a free program for cybersecurity professionals that’s been touted as one of the most popular systems for intrusion detection and prevention. Made up of multiple components — including a server, agent and router monitor — OSSEC is capable of rootkit detection, system integrity checking, threat alerts and response. One of OSSEC’s highlights is its comprehensive log analysis tool, empowering users to compare and contrast log events from many different sources.
OSSEC comes in three versions: standard; OSSEC+, which includes machine learning and real-time community update; and Atomic OSSEC, with more advanced functions.
12. Password managers
Using only strong passwords — and keeping them secure — is an essential step in the security of any system. But since a best practice is to use a unique password for every website, app and service, that can get tricky. A good password manager makes it possible to safely store all passwords together so a user only needs to remember one master key rather than dozens of unique passwords. This is especially true for cybersecurity professionals tasked with guarding passwords to mission-critical systems. Fortunately, there are free password management tools. Three good, free options for cybersecurity pros are KeePass, Bitwarden and Psono.
13. PfSense
The firewall/router software pfSense can be installed on either a physical computer or virtual machine to protect networks. PfSense is based on the FreeBSD OS, and has become one of the most popular open source firewall/router projects available. PfSense can also be configured for intrusion detection and prevention, traffic shaping, load balancing and content filtering. The pfSense site includes a tour, a community page, a link to both training and support and a download of the latest version of the community edition of the software.
14. P0f
Endpoint fingerprinting is analysis of web traffic to find patterns, responses and packets sent and received in a particular direction — even if they are encrypted. This works even with “dumb” devices that don’t interact with the network but can still enable unauthorized access to an organization’s systems.
P0f is a simple yet powerful network-level fingerprinting and forensics program. While other free cybersecurity programs do a similar job, p0f is unique in that it’s designed for stealth. Where most other programs rely on active scanning and packet injection, p0f can identify fingerprints and other vital information without network interference. Being passive rather than active means p0f is nearly impossible to detect and even harder to block, making it a favorite tool for ethical hackers and cybercriminals alike.
15. REMnux
Normally the dissection and examination of malware is left to the antimalware vendors. But if you would like to do the job yourself, there is REMnux, a free Linux toolkit for reverse-engineering and analyzing malware.
Included in every REMnux distribution are tools to analyze Windows executables, reverse-engineer binaries and inspect suspicious documents. It also includes a collection of free tools cybersecurity professionals can use to monitor networks, gather data and conduct memory forensics.
16. Security Onion
Security Onion is an open source software collection based on the Linux kernel that helps cybersecurity professionals develop a comprehensive profile of their system’s security posture. Security Onion provides network monitoring using full packet capture, host-based and network-based intrusion detection systems, log indexing, search and data visualization features.
The operating system emphasizes ease of use and makes it possible to interweave data and analytics from multiple tools into a unified dashboard. The overarching goal of the project is to offer teams a foolproof security monitoring solution that reduces decision paralysis and false alerts.
17. Snort
Snort is an open source network intrusion prevention and intrusion detection system capable of real-time traffic analysis and logging. It uses a series of rules to identify malicious network activity, find the packets and generate alerts. This packet sniffer — managed by Cisco — actively searches and analyzes networks to detect probes, attacks and intrusions. Snort accomplishes this by fusing a sniffer, packet logger and intrusion detection engine into a single package.
Its developer recently released version 3, which includes a new rule parser and rule syntax, support for multiple packet-processing threads, use of a shared configuration and attribute table, access to more than 200 plugins, rewritten TCP handling and new performance monitoring.
18. Sqlmap
Sqlmap is an open source penetration testing tool that automates detecting and exploiting SQL injection flaws of database servers, enabling a remote hacker to take control. It comes with a detection engine and many niche features for the ultimate penetration tester. It supports a variety of databases — including Oracle and open source — and a number of injection types.
19. Wireshark
Wireshark is considered by many to be an indispensable tool to locate, identify and examine network packets to diagnose critical issues and spot security weaknesses. The website for Wireshark outlines its broad set of features and provides a user’s guide and other resources for putting this free cybersecurity tool to best use.
20. Zed Attack Proxy (ZAP)
ZAP is an open source penetration testing tool designed specifically for testing web applications. It is known as a “man-in-the-middle proxy,” where it intercepts and inspects messages sent between browsers and web applications.
ZAP provides functionality for developers, testers new to security testing and security testing specialists. There are also versions for each major operating system and Docker. Additional functionality is available via add-ons in the ZAP Marketplace.
Every cybersecurity expert carries a different set of tools, depending on their mission and skill set. However, the free cybersecurity tools here serve as an entry point for those looking to increase their cybersecurity skills and knowledge. Cyberthreats are getting more lethal every year — and more efficient.
One of the best ways to stay safe and secure when using your computers and other electronic devices is to be aware of the risks. For the past decade, that’s precisely what I’ve been doing.
Most risks are obvious: use strong passwords, don’t download and install software from untrustworthy websites, or hand your unlocked device to a third party.
However, there are less obvious — yet equally dangerous — risks that can result in device or network intrusion, or even device destruction.
Watch out: Some of the most effective and dangerous hacking tools are hard to tell apart from benign devices. They can even be cute.
OSINVGPT is an AI-based system that helps security analysts with open-source investigations and tool selection. While this tool was developed by “Very Simple Research.”
This tool can assist security analysts in gathering relevant information, sources, and tools for their investigations. It even helps researchers produce reports and summaries of their results.
OSINVGPT is available on ChatGPT and is useful for security researchers as it saves both time and effort.
Here below, we have mentioned all the key aspects that OSINVGPT can do:-
Data Analysis
Interpretation
Guidance on Methodology
Case Studies
Examples
Document Analysis
Fact-Checking
Verification
Recommendations Based on External Sources
Ethical Considerations
OSINVGPT’s data analysis and interpretation involve examining information from diverse open sources to form readable narratives and address specific queries. At the same time, guidance is offered on conducting transparent and accurate open-source investigations.
Detailed insights and suggestions are provided using real-world examples within the knowledge base. Appropriate data is analyzed and extracted from the uploaded documents for open-source investigations.
To ensure investigation accuracy, assistance is given in fact-checking using open-source data. Recommendations based on external sources are provided for queries beyond the direct knowledge base, with a focus on ethical considerations in open-source investigations for responsible conduct.
Moreover, if you want, you can access the OSINVGPT tool from here for open-source investigation.
Open-source tools represent a dynamic force in the technological landscape, embodying innovation, collaboration, and accessibility. These tools, developed with transparency and community-driven principles, allow users to scrutinize, modify, and adapt solutions according to their unique needs.
In cybersecurity, open-source tools are invaluable assets, empowering organizations to fortify their defenses against evolving threats.
In this article, you will find a list of open-source cybersecurity tools that you should definitely check out.
Nemesis: Open-source offensive data enrichment and analytic pipeline
Nemesis is a centralized data processing platform that ingests, enriches, and performs analytics on offensive security assessment data (i.e., data collected during penetration tests and red team engagements).
SessionProbe is a multi-threaded pentesting tool designed to evaluate user privileges in web applications.
Mosint: Open-source automated email OSINT tool
Mosint is an automated email OSINT tool written in Go designed to facilitate quick and efficient investigations of target emails. It integrates multiple services, providing security researchers with rapid access to a broad range of information.
Vigil: Open-source LLM security scanner
Vigil is an open-source security scanner that detects prompt injections, jailbreaks, and other potential threats to Large Language Models (LLMs).
AWS Kill Switch is an open-source incident response tool for quickly locking down AWS accounts and IAM roles during a security incident.
PolarDNS: Open-source DNS server tailored for security evaluations
PolarDNS is a specialized authoritative DNS server that allows the operator to produce custom DNS responses suitable for DNS protocol testing purposes.
Targeted at the DevSecOps practitioner or platform engineer, Kubescape, the open-source Kubernetes security platform has reached version 3.0.
Logging Made Easy: Free log management solution from CISA
CISA launched a new version of Logging Made Easy (LME), a straightforward log management solution for Windows-based devices that can be downloaded and self-installed for free.
GOAD: Vulnerable Active Directory environment for practicing attack techniques
Game of Active Directory (GOAD) is a free pentesting lab. It provides a vulnerable Active Directory environment for pen testers to practice common attack methods.
Wazuh: Free and open-source XDR and SIEM
Wazuh is an open-source platform designed for threat detection, prevention, and response. It can safeguard workloads in on-premises, virtual, container, and cloud settings.
Yeti serves as a unified platform to consolidate observables, indicators of compromise, TTPs, and threat-related knowledge. It enhances observables automatically, such as domain resolution and IP geolocation, saving you the effort.
BinDiff: Open-source comparison tool for binary files
BinDiff is a binary file comparison tool to find differences and similarities in disassembled code quickly.
LLM Guard: Open-source toolkit for securing Large Language Models
LLM Guard is a toolkit designed to fortify the security of Large Language Models (LLMs). It is designed for easy integration and deployment in production environments.
Velociraptor: Open-source digital forensics and incident response
Velociraptor is a sophisticated digital forensics and incident response tool designed to improve your insight into endpoint activities.
In the realm of cybersecurity, where a constant influx of new “essential” products occurs, it’s tempting to be influenced into investing in unnecessary tools that not only expand your vulnerability but also provide minimal, if any, value. Let’s delve into the intricacies of security expenditure and the advantages of optimization, especially in times of economic uncertainty as we plan for the 2024 budget.
The culture of panic buying is real
This is an industry that uses fear, uncertainty, and doubt (FUD) as a selling tactic, making security leaders feel like every product is make-or-break for the wellbeing of their organization. The promise of a fix-it-all solution (the mythical silver bullet) is particularly tempting in this environment, especially for smaller organizations that most likely don’t have the budgets to implement a multitude of security tools or hire cyber specialists in-house. Vendors play on that desperation to make profits, and a lot of them are very good at it.
The fear mongering may also lead to impulsive decisions to invest in products that won’t configure correctly with the buyer’s current technology stack, thus introducing even more risk. The name of the game in a lean operation is a solution that is customizable and adaptable, and that will grow with the changing needs of an organization’s security team.
The consequences can cost millions
According to IBM’s 2023 Cost of a Data Breach Report, organizations are now paying $4.5 million to deal with breaches – a 15% increase over the last three years. Aside from spending cash to purchase the product, panic buying can result in a wider attack surface, costly auto-renews and misconfigurations.
There is no doubt that taking advantage of new technological solutions (with AI and machine learning being fan favorites right now), can be extremely beneficial from both a technological and reputational perspective. But without looking at the big picture and calculating the actual value of the product in question, it’s nearly impossible to make a well-informed investment decision.
To assess the value of a product, security leaders should examine whether it adds or minimizes organizational risk and whether their current cybersecurity personnel and tools will be able to interact with it effectively.
Calculating the value of a product doesn’t have to be a guessing game. Risk = likelihood x impact is a great equation to use to solve for the value of a product or service.
To calculate likelihood of an attack, examine the degree of difficulty to execute an attack and the exposure of your assets. Determine your organization’s acceptable risk and use that equation to work backwards to identify the monetary impact of an attack. If that impact is significantly higher than the price of the product or service, it may be worth looking elsewhere.
It’s easy to fall into the trap of impulse buying cybersecurity products that don’t improve security but instead leave you vulnerable to costly attacks. Organizations should aim to protect their most valuable assets and prioritize addressing threats to those critical puzzle pieces of their business.
The solution is possible, and relatively simple
Look inward and optimize. Companies need to understand what inside their networks and data is most attractive and most vulnerable to attackers. Get visibility into what you have, calculate the value of your tools, and use the information to move forward.
Understanding risk by gaining full visibility into what you already have can allow companies to communicate better with investors and the public in the case of an attack or breach. For example, they will be able to give clear information about the impact (or lack of impact) on the business when an attack occurs and lay out clear steps for remediation, not having to guess the next best course of action.
‘Tis the season to prioritize your security investments
It is important to remember that the goal is not to buy more tools to chase the growing number of vulnerabilities that experts find every day, but to protect the assets that are most relevant to overall vital business operations and limit the fallout of inevitable cyber incidents.
By attaching a dollar value to the cyber risks the organization is up against, you will be in a much better position to discuss your security plan and budgetary needs.
When budgets are tight, every purchase must be accounted for with a clear indication of its value to the business operation. This is especially true for security purchases, which tend to be costly line items.
In today’s economic climate, proving ROI for security spend is a big part of security leaders’ jobs. It is crucial that before purchasing a new cybersecurity tool, investing in a service, or hiring specialists, you understand their functionality and purpose.
COMPREHENSIVE ANALYSIS: TODDYCAT’S ADVANCED TOOLSET AND STEALTHY CYBER ESPIONAGE TACTICS
ToddyCat, an Advanced Persistent Threat (APT) group, has garnered attention for its clandestine cyber-espionage operations, utilizing a sophisticated toolset designed for data theft and exfiltration. The group employs a myriad of techniques to move laterally within networks and conduct espionage operations with a high degree of secrecy and efficiency. This article, incorporating insights from the article and other sources, aims to provide a detailed overview of ToddyCat’s toolset and operational tactics.
STEALTH AND SOPHISTICATION: TODDYCAT’S MODUS OPERANDI
ToddyCat employs disposable malware, ensuring no clear code overlaps with known toolsets, thereby enhancing its ability to remain undetected. The malware is designed to steal and exfiltrate data, while the group employs various techniques to move laterally within networks and conduct espionage operations.
EXPLOITATION TECHNIQUES AND MALWARE UTILIZATION
Disposable Malware: Utilized to enhance stealth and evasion capabilities.
Data Exfiltration: Malware designed to access and extract sensitive information.
Lateral Movement: Techniques employed to expand reach and access within compromised environments.
TOOLSET SUMMARY
Dropbox Exfiltrator: A tool designed to exfiltrate data, ensuring that stolen information can be securely and covertly transferred to the attackers.
LoFiSe: A tool that may be utilized for lateral movement and further exploitation within compromised networks.
Pcexter: A tool that may be used to send specific files or data to external servers, facilitating data exfiltration.
Dropper: A tool that may be utilized to deploy additional payloads or malware within compromised environments.
Standard Loaders: ToddyCat utilizes 64-bit libraries, invoked by rundll32.exe or side-loaded with legitimate executable files, to load the Ninja Trojan during the infection phase. Three variants of these loaders have been observed, each differing in aspects like the library loaded by, where the malicious code resides, the loaded file, and the next stage.
Tailored Loader: A variant of the standard loader, this is customized for specific systems, employing a unique decryption scheme and storing encrypted files in a different location and filename (%CommonApplicationData%\Local\user.key).
2. NINJA TROJAN
The Ninja Trojan, a sophisticated malware written in C++, is a potent tool in ToddyCat’s arsenal. It provides functionalities like:
Managing running processes
File system management
Managing multiple reverse shell sessions
Injecting code into arbitrary processes
Loading additional modules during runtime
Proxy functionality to forward TCP packets between the C2 and a remote host
3. LOFISE
LoFiSe is a component designed to find and collect files of interest on targeted systems. It tracks changes in the file system, filtering files based on size, location, and extension, and collects suitable files for further action.
4. DROPBOX UPLOADER
This generic uploader, not exclusive to ToddyCat, is used to exfiltrate stolen documents to DropBox, accepting a DropBox user access token as an argument and uploading files with specific extensions.
5. PCEXTER
Pcexter is another uploader used to exfiltrate archive files to Microsoft OneDrive. It is distributed as a DLL file and executed using the DLL side-loading technique.
POTENTIAL IMPACT AND THREAT LANDSCAPE
The emergence of ToddyCat’s new toolset and its sophisticated TTPs presents a significant threat to organizations, with potential impacts including data breaches, unauthorized access to sensitive information, and network compromise.
MITIGATION AND DEFENSE STRATEGIES
Enhanced Monitoring: Implementing monitoring solutions to detect anomalous activities.
User Education: Ensuring users are educated about potential threats and cybersecurity best practices.
Regular Patching: Keeping all systems regularly patched and updated.
Threat Intelligence: Leveraging intelligence to stay abreast of the latest TTPs employed by threat actors.
ToddyCat’s advanced toolset and stealthy operations underscore the evolving and sophisticated nature of cyber threats. Organizations and cybersecurity practitioners must remain vigilant and adopt advanced cybersecurity practices to defend against the sophisticated tools and tactics employed by threat actors like ToddyCat.
Cobalt Strike, a legitimate commercial penetration testing tool, has inadvertently become a favored instrument among cybercriminals for its efficacy in infiltrating network security. Initially released in 2012 by Fortra (formerly known as Help Systems), Cobalt Strike was designed to aid red teams in identifying vulnerabilities within organizational infrastructures. Despite stringent customer screening and licensing for lawful use only, malicious actors have successfully obtained and distributed cracked versions of the software, making it a prevalent tool in cyberattacks involving data theft and ransomware.
Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strike’s post exploitation capabilities to support user defined reflective loaders (UDRLs), the ability to export Beacon without a reflective loader which adds official support for prepend-style UDRLs, support for callbacks in a number of built-in functions, a new in-Beacon data store and more.
COBALT STRIKE 4.9 FEATURES
The latest release, version 4.9, introduces several significant features and improvements:
User-Defined Reflective Loaders (UDRLs): This feature enhances post-exploitation capabilities by allowing users to define and use their reflective loaders, providing more flexibility and control over the loading process of the Beacon payload.
Export Beacon Without a Loader: Users can now export the Beacon payload without a reflective loader, which officially supports prepend-style UDRLs, allowing for more versatile deployment and execution of the Beacon payload in various environments.
Callback Support: Version 4.9 introduces support for callbacks, enabling users to implement and handle custom callback routines effectively.
Beacon User Data Structures Improvement: These structures have been improved to prevent crashes and provide more stability during operations. They also allow a Reflective Loader to resolve and pass system call information to Beacon, overriding Beacon’s default system call resolver.
Host Profile Support for HTTP(S) Listeners: This feature addresses limitations in HTTP(S) processing by introducing a new Malleable C2 profile group named http-host-profiles.
WinHTTP Support: The update adds support for the WinHTTP library to the Beacon’s HTTP(S) listener.
Beacon Data Store: This feature allows users to store Buffer Overflow Frameworks (BOFs) and .NET assemblies in a structured manner.
CRACKED VERSIONS IN THE WILD
Google researchers have recently identified 34 different cracked versions of the Cobalt Strike hacking toolkit actively being used in the wild. These cracked versions are exploited by cybercriminals for various malicious activities, emphasizing the tool’s popularity and widespread illicit use in the cybercriminal community. The discovery of cracked version 4.9 of Cobalt Strike highlights the significant challenges and risks associated with the illicit use of this powerful toolkit.
THE CRACKDOWN
Microsoft, in collaboration with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), has initiated a widespread legal crackdown on servers hosting these cracked copies. This concerted effort aims to dismantle the malicious infrastructure and disrupt the operations of threat actors utilizing Cobalt Strike for nefarious purposes.
WHY COBALT STRIKE?
Cobalt Strike has gained notoriety among cybercriminals for its post-exploitation capabilities. Once the beacons are deployed, these provide persistent remote access to compromised devices, allowing for sensitive data harvesting or the dropping of additional malicious payloads.
THE USERS
Cobalt Strike’s cracked versions are used by unidentified criminal groups, state-backed threat actors, and hacking groups acting on behalf of foreign governments. These actors have been linked to numerous ransomware attacks impacting various industries, causing significant financial and operational damage.
REMEDIATION EFFORTS
To counteract the malicious use of Cobalt Strike, various entities have provided resources to assist network defenders in identifying Cobalt Strike components within their networks. These resources include open-sourced YARA rules and a collection of indicators of compromise (IOCs).
The illicit use of Cobalt Strike poses a significant threat to global cybersecurity. The ongoing crackdown led by Microsoft, Fortra, and Health-ISAC represents a crucial step towards mitigating the risks associated with Cobalt Strike, underscoring the importance of collaborative efforts in the fight against cybercrime.
Chalk is a free, open-source tool that helps improve software security. You add a single line to your build script, and it will automatically collect and inject metadata into every build artifact: source code, binaries, and containers.
Gaining visibility
Chalk enables complete visibility across the development process, from the first time a developer creates the code to the entire lifetime a container hosting is running.
Chalk is a convenient tool for compliance by producing SBOMs, embedding code provenance details, and digitally signing them. You can then send these to your preferred location as a report. Additionally, without added effort, you can achieve SLSA level 2 compliance even before SLSA level 1 becomes a mandated standard.
Usage scenarios
“Interestingly, early design partners are constantly developing new use cases, but the classic ones are still unique because nothing else solves those today. The canonical one is knowing what code is in production and what is not. “Prod or not”. That basic use case means most users can shut off code scanning on the majority of their code repos, shutting down the noise and the busy work people have to do looking at it, but also saving massive amounts of money on wasted tools licenses,” Mark Curphey, Co-Founder of Crash Override, told Help Net Security.
“A great and topical one is automatically generating software security supply chain reports. Chalk will generate an SBOM, add build provenance data about where the code came from and who built it, something required by the US gov directives and where no other automated solution exists, and then to top it all, digitally signs it all in a report and sends it to a central report registry. That use case is huge, just huge,” he concluded.
Nagios XI is a prominent and frequently used commercial monitoring system for IT infrastructure and network monitoring.
Vulnerability Research Engineer Astrid Tedenbrant found four distinct vulnerabilities in Nagios XI (version 5.11.1 and below) while conducting routine research.
By making use of three of these flaws classified as (CVE-2023-40931, CVE-2023-40933, and CVE-2023-40934), users with various levels of access rights can get access to the database field via SQL injection.
Additionally, the vulnerability (CVE-2023-40932) permits Cross-Site Scripting through the Custom Logo component, rendering on all pages, including the login page.
Details of the Vulnerabilities
SQL Injection in Banner acknowledging endpoint (CVE-2023-40931)
“Announcement Banners” are a feature of Nagios XI that users may choose to recognize. This feature’s endpoint is susceptible to a SQL Injection attack.
When a user acknowledges a banner, a POST request is made to ‘/nagiosxi/admin/banner_message-ajaxhelper.php’ with the POST data ‘action=acknowledge banner message&id=3’.
“The ID parameter is assumed to be trusted but comes directly from the client without sanitization”, the researcher explains.
“This leads to a SQL Injection where an authenticated user with low or no privileges can retrieve sensitive data, such as from the `xi_session` and `xi_users` table containing data such as emails, usernames, hashed passwords, API tokens, and backend tickets”.
SQL Injection in Host/Service Escalation in CCM (CVE-2023-40934)
An authorized user with access to control host escalations can run any database query using Nagios XI’s Core Configuration Manager.
The same database access is possible through this vulnerability as through previous SQL Injection vulnerabilities, although it necessitates more privileges than CVE-2023-40931.
SQL Injection in Announcement Banner Settings (CVE-2023-40933)
In this case, while performing the `update_banner_message_settings` action on the affected endpoint, the `id` parameter is assumed to be trusted and is concatenated into a database query with no sanitization. This allows an attacker to modify the query, the researcher said.
Compared to CVE-2023-40931, successful exploitation of this vulnerability needs more privileges but provides the same database access as the other two SQL Injection Vulnerabilities.
Cross-Site Scripting in Custom Logo Component (CVE-2023-40932)
Reports say Nagios XI may be modified to include a unique corporate logo, which will be visible across the entire product. Included in this are the login page, various administration pages, and the landing page.
A cross-site scripting flaw in this functionality allows an attacker to inject arbitrary JavaScript, which any user’s browser will be able to execute.
“This can be used to read and modify page data, as well as perform actions on behalf of the affected user. Plain-text credentials can be stolen from users’ browsers as they enter them.,” reports said.
Fix Available
All of these vulnerabilities have been fixed, and users are encouraged to update to 5.11.2 or later.
The commercial version of the open-source Nagios Core monitoring platform, Nagios XI, offers more functionality that makes managing complicated IT settings easier.
Because of the access that Nagios XI requires, it is frequently used in highly privileged instances, making it an attractive target for attackers.
Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.
MVT supports using public indicators of compromise (IOCs) to scan mobile devices for potential traces of targeting or infection by known spyware campaigns. MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. MVT is not intended for end-user self-assessment.
It was developed and released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus Project, along with a technical forensic methodology. It continues to be maintained by Amnesty International and other contributors.
Mobile Verification Toolkit key features
MVT’s capabilities are continuously evolving, but some of its key features include:
Decrypt encrypted iOS backups.
Process and parse records from numerous iOS system and apps databases, logs, and system analytics.
Extract installed applications from Android devices.
Extract diagnostic information from Android devices through the adb protocol.
Compare extracted records to a provided list of malicious indicators in STIX2 format.
Generate JSON logs of extracted records and separate JSON logs of all detected malicious traces.
Generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.
Mobile Verification Toolkit is available for download on GitHub. The developers do not want MVT to enable privacy violations of non-consenting individuals. To achieve this, MVT is released under its license.
Retool, the company behind the popular development platform for building internal business software, has suffered a breach that allowed attackers to access and take over accounts of 27 cloud customers, all in the crypto industry.
According to a CoinDesk report, one the known victims is Fortress Trust, i.e., four of its customers who accessed their crypto funds via a portal built by Retool.
It all started with an SMS
The attack started with spear phishing text messages delivered to a number of Retool employees. According to the company, only one fell for the scheme.
The phishing text message. (Source: Retool)
Spoofed to look like it was coming from the company’s IT department, the goal was to make the targets log in to a fake Retool identity portal, at which point they would receive a phone call by the attacker.
“The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code,” Snir Kodesh, Retool’s head of engineering, shared on Wednesday.
“The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite [i.e., Google Workspace] session on that device.”
And because the employee’s MFA codes were synched with their Google account, the attacker now had access to all MFA tokens held within that account.
“With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems. This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry),” Kodesh noted, and added that the attacker also poked around some of the Retool apps – but didn’t specify which ones.
“We have an internal Retool instance used to provide customer support; this is how the account takeovers were executed. The authentication for this instance happens through a VPN, SSO, and a final MFA system. A valid GSuite session alone would have been insufficient.”
Who’s to blame?
“Social engineering can affect anyone,” Kodesh noted, and “even with perfect training and awareness of these attacks, mistakes will happen.” He also put some on the blame for the hack on Google.
“Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this ‘feature’. If you want to disable it, there isn’t a clear way to ‘disable syncing to the cloud’, instead there is just a “unlink Google account” option. In our corporate Google account, there is also no way for an administrator to centrally disable Google Authenticator’s sync ‘feature’,” he explained.
“Through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single single-factor-authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator.”
Of course, Google cannot be blamed for this breach entirely – Retool should have regularly reviewed the protections they’ve put in place and evaluated whether they are still adequate. After all, attackers have been finding ways around multi-factor authentication for a while now, and the threat landscape is changing quickly.
If the company had used a FIDO2-compliant hardware security key instead of one-time passwords delivered via an authenticator app, this particular social engineering attack would have failed – as a similar attack against Cloudflare employees did a year ago.
The investigation is ongoing
Retool is working with law enforcement and a third party forensics firm to investigate the breach in depth.
So far, they found that 27 cloud customers have been affected (and they notified them all), but that on-premise Retool customers remain secure.
“Retool on-prem operates in a ‘zero trust’ environment, and doesn’t trust Retool cloud. It is fully self contained, and loads nothing from the cloud environment. This meant that although an attacker had access to Retool cloud, there was nothing they could do to affect on-premise customers,” Kodesh noted.
Fortress’ customers, on the other hand, apparently lost nearly $15 million.
UPDATE (September 15, 2023, 04:35 a.m. ET):
“Our first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies,” Google stated.
“Beyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant. Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies. While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.”
IS27002 Control:-Vulnerability Management Why penetration test is important for an organization. Ensuring the protection of user data in real-time, effectively prioritizing risk, fostering security awareness, devising strategies to identify vulnerabilities, and implementing an incident response protocol aligned with vulnerability management. Following compliance protocols becomes crucial in order to abide by and fulfil regulatory standards. #informationsecurity#cyberdefense#cybersecurity Cheat sheet for pentester Image credit:-https://lnkd.in/eb2HRA3n
MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to develop a new open source tool that simulates cyber-attacks on operational technology (OT). The product was published recently.
The MITRE Calder for OT is now accessible to the general public as an addition to the open-source Caldera platform that may be found on GitHub. This would make it possible for cybersecurity specialists who deal with industrial control systems (ICS) to carry out automated adversary simulation exercises. These exercises will have the goal of testing and improving their cyber defenses on a constant basis. In addition to this, this includes security inspections as well as exercises involving red, blue, and purple teams.
This Caldera extension for OT was created via a collaborative effort between CISA and the Homeland Security Systems Engineering and Development Institute (HSSEDI). HSSEDI is a research and development institution that is financed by the federal government and is maintained and run by MITRE on behalf of the Department of Homeland Security (DHS).
The program contributes to the goal of the federal government to strengthen the security of vital infrastructure that is dependent on OT. Some examples of such infrastructure are water and electricity. This objective was elaborated upon in the United States’ National Cybersecurity Strategy, which was published in March 2023, and in the Executive Order on Improving the Nation’s Cybersecurity, which was issued by President Biden in May 2021. Work done by CISA and HSSEDI to automate opponent emulation simulations in CISA’s Control Environment Laboratory Resource (CELR) served as the foundation for the OT extension, which was developed upon that work. This made it possible to identify hostile strategies that may be implemented in Caldera.
The defensive mechanisms and testing capabilities of critical infrastructure systems are slated to get a boost from the use of these plugins.
These plugins, which are stored in the “caldera-ot” repository, are essential instruments for the protection of operational technology (OT) settings.
They are made available as Git submodules, which enables researchers and experts in the security industry to quickly and readily access them.
The purpose of these plugins is to facilitate enemy simulation inside the OT environment. This was the driving force behind their development.
Because of this, companies are given the ability to strengthen their security defenses and better prepare for possible attacks.
In addition to this, it is compatible with classic use cases for Caldera, such as rigorous testing of security mechanisms and operator training.
The move that has been taken by MITRE marks a major step forward in the continuing endeavor to secure critical infrastructure systems and to strengthen security within the OT sector.
A presentation titled “Emulating Adversary Actions in the Operational Environment with Caldera (TM) for OT” has also been made available by MITRE for individuals who are looking for further information of a more in-depth kind.
Users may apply the following command in order to install the whole collection of Caldera for OT plugins:
Individuals also have the option of configuring certain plugins on their own, which allows them to personalize their approach to OT security to meet their unique requirements.
At the moment, the following three important plugins are available:
BACnet Catering to Building Automation and Control Networks (BACnet) protocol.
DNP Addressing the Distributed Network Protocol 3 (DNP3).
Modbus Supporting the Modbus protocol.
Open-Source OT Protocol Libraries That Are Unified And Exposed To Users. Caldera for OT plugins is a service provided by MITRE that aims to standardize and expose open-source OT protocol libraries, making them available for use as protocol-specific plugins. Each plugin comes with its own extensive documentation.
Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It has been downloaded over 2 million times and is being used by security teams worldwide. Security Onion 2.4 comes with many updates, and the hotfix 2.4.10 release is available on GitHub.
For network visibility, they offer signature-based detection via Suricata, rich protocol metadata and file extraction using Zeek or Suricata, full packet capture via Stenographer, and file analysis via Strelka.
For host visibility, Security Onion offers the Elastic Agent, which provides data collection, live queries via osquery, and centralized management using Elastic Fleet. Intrusion detection honeypots based on OpenCanary can be added to your deployment for even more enterprise visibility. All these logs flow into Elasticsearch, and they’ve built their own UIs for alerts, dashboards, threat hunting, case management, and grid management.
New features in Security Onion 2.4
Over the past year of developing Security Onion 2.4, the developers added new features to give you a better experience and make you more efficient:
Security Onion Console (SOC) has many new features to make you more efficient as a defender:
SOC now allows you to add a value directly from a record in Hunt, Dashboards, or Alerts as an observable to an existing or new case
SOC includes a new DNS lookup capability
SOC includes pivots for relational operators on numbers
SOC Cases support dynamic observable extraction
SOC can import PCAP and EVTX files
SOC has many new administration features, so you can spend less time managing your deployment and more time hunting adversaries.
You can manage users via SOC’s Administration section
SOC’s Administration section also includes a new Grid Members Interface to manage adding and removing nodes
You can configure most aspects of your deployment via the Configuration interface
SOC’s Grid interface has been improved to show more status information about your nodes
The installer has been simplified and configuring new members of the grid will take place in the Grid Members interface
SOC authentication has been upgraded to include additional authentication protections, such as rate-limiting login requests. It also supports passwordless login via Webauthn
Endpoint telemetry is more powerful and easier to manage.
The primary endpoint agent is now Elastic Agent and it provides data collection and live queries via embedded osquery. It replaces the previous osquery, Beats, and Wazuh
Elastic Agent is managed in Elastic Fleet
Elastic Agent and Elastic Fleet support Elastic Integrations
Grafana has been removed and all health metrics can be found in InfluxDB
The Security Onion ISO image has upgraded from CentOS 7 to Oracle Linux 9
In the past, Citrix was found to have a Zero-Day vulnerability in its Citrix NetScaler Application Delivery Controller (ADC), which made it possible for malicious actors to carry out remote code execution.
It was discovered that the zero-day vulnerability was being used in the wild, hence it was assigned the CVE ID 2023-3519 and the severity rating of 9.8 (Critical). Citrix did provide fixes to address the vulnerability, but there was no way to determine whether or not a particular Citrix appliance had been compromised.
A new report states that it has been discovered that more than 1900 NetScalers are still infected with a backdoor. This information was obtained during a recent investigation.
Mandiant has launched a tool to assist business defenders in determining whether Citrix networking devices have been hacked in light of the fact that thousands of Citrix networking products are still susceptible to a major vulnerability that has not been patched and are accessible on the internet.
Citrix ADC and Citrix Gateway version 13.1, Citrix ADC and Citrix Gateway version 13.0, Citrix ADC and Citrix Gateway version 12.1, Citrix ADC, and Citrix Gateway version 12.0 are all compatible versions with which the IoC Scanner may be utilized.
On July 18, Citrix released a patch for the zero-day critical vulnerability (CVE-2023-3519) in its NetScaler application delivery controller and gateway products. The company also recommended that businesses that use the vulnerable products immediately deploy the fix. The vulnerability might be exploited to allow for the execution of unauthenticated remote code. The vulnerability is already being aggressively exploited by a number of threat organizations, who are doing so by establishing web shells within corporate networks and carrying out hundreds of attacks.
According to the findings of the researchers, there are still close to 7,000 examples available on the web. Around 460 of them had Web shells installed, most likely as a result of being compromised.
This application, which may be found on GitHub, was developed by Mandiant and has the ability to determine the file system paths of known malware, post-exploitation activities in shell history etc. The independent Bash script may be executed directly on a Citrix ADC device to search for known indications in files, processes, and ports. (The utility must be executed on the appliance in live mode while logged in as root.) According to Mandiant, it can also examine a forensic image that has been mounted for use in an investigation.
This application has a wide variety of functionality, such as scanning,
File system path that could be a malware Shell history for suspicious commands NetScaler directories and files that match with IOCs Suspicious file permissions or ownership Instances of Crontab Malicious processes running on the system
This solution, which was created in partnership with Citrix and Mandiant, has the only purpose of assisting enterprises in preventing compromised systems and scanning for evidence of their presence.
According to Mandiant, the IoC Scanner will do a “best-effort job” of detecting compromised items; nevertheless, it is possible that it may not be able to locate all infected devices or determine whether or not the device is susceptible to being exploited. According to the company, “This tool is not guaranteed to find all evidence of compromise, or all evidence of compromise related to CVE 2023-3519,” which is a vulnerability.
SpecterOps released version 5.0 of BloodHound Community Edition (CE), a free and open-source penetration testing solution that maps attack paths in Microsoft Active Directory (AD) and Azure (including Azure AD/Entra ID) environments. It is available for free on GitHub.
Identifying simple Attack Paths between two objects is a straightforward “search and click” exercise
This update brings many enterprise-grade usability features to BloodHound CE, like containerized deployment, REST APIs, user management, and access control. It also significantly improves performance while streamlining development allowing for faster development and incorporation of community contributions.
“The way that BloodHound Community Edition maps out Attack Paths in AD and Azure is unique – there isn’t another tool (or feature within either of those) that can find hidden and unintentional relationships to identify complex Attack Paths that attackers can exploit. After this update, the tool will offer a user experience closer to an enterprise-grade product than an open-source tool,” Andy Robbins, co-creator of BloodHound and a Principal Product Architect at SpecterOps, told Help Net Security.
The entire UI is driven via RESTful APIs and includes a full Swagger spec within the application
New features
Support for REST APIs – BloodHound CE is a three-tier application with a database, an API layer, and a web-based user interface. Users can now use REST APIs to interact with data rather than needing to write queries directly to the database.
Containerized deployment – The tool will deploy as a containerized product. This much simpler process will reduce deployment time by 80%. This also makes it easier for users with different sized environments to manipulate the resources assigned to BloodHound.
Enterprise-grade user management – This update adds built-in full multi-user support with RBAC, the ability to create and assign user roles, and support for two-factor authentication and SAML to BloodHound CE.
Protected Cypher searches – Cypher queries will include available guardrails to automatically cancel queries that will cause performance or security issues.
Reliability and performance upgrade – Routine maintenance updates will make the tool faster, more resilient, and more reliable.
More frequent updates and community contributions – These changes will allow SpecterOps to increase the rate of updates and new features added to BloodHound CE going forward and will increase the number of pull requests from the community that can be implemented.
Better community support – More similarities between BloodHound CE and BloodHound Enterprise under the hood means users will have better access to support and documentation for both.
BloodHound was created in 2016 by Rohan Vazarkar, Will Schroeder, and Andy Robbins. It has been downloaded nearly 500,000 times and has over 12,000 users in the BloodHound Community Slack. The tool has been recommended by CISA and Microsoft to help secure Microsoft Active Directory and Azure AD.
CISA released a fact-sheet, listing some of the great tools that CISA offers for orgs to transition and secure their cloud environments?
Five tools are described in the fact-sheet, along with other guidance to “…provide network defenders and incident response/analysts open-source tools, methods, and guidance for identifying, detecting, and mitigating cyber threats, known vulnerabilities, and anomalies while operating a cloud or hybrid environment.”
1- The Cyber Security Evaluation Tool – CISA developed the Cyber Security Evaluation Tool (CSET) using industry-recognized standards, frameworks, and recommendations to assist organizations in evaluating their enterprise and asset cybersecurity posture.
2- Secure Cloud Business Applications (SCuBA) project – which provides guidance for FCEB agencies securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments.
3- Untitled Goose Tool – CISA, together with Sandia National Laboratories, developed the Untitled Goose Tool to assist network defenders with hunt and incident response activities in Microsoft Azure, AAD, and M365 environments.
4- Decider – assists incident responders and analysts in mapping observed activity to the MITRE ATT&CK framework.
5- Memory Forensic on Cloud – Memory Forensic on Cloud, developed by JPCERT/CC, is a tool for building a memory forensic environment on Amazon Web Services.
The Cybersecurity and Infrastructure Security Agency (CISA) has come up with a list of free tools that businesses may use to protect themselves in cloud-based settings. According to the article published by CISA, these tools will assist incident response analysts and network defenders in mitigating, identifying, and detecting threats, known vulnerabilities, and abnormalities that occur in settings that are cloud-based or hybrid.During an attack, threat actors have generally focused their attention on servers located on the premises. However, several threat actors have been drawn in by the fast expansion of cloud migration in order to target cloud systems due to the vast number of attack vectors that are available when it comes to the cloud.
Organizations who do not have the essential capabilities to protect themselves against cloud-based attacks may benefit from the tools that are supplied by CISA. These technologies may assist users in securing their cloud resources from data theft, information exposure, and information theft respectively. The Cloud Industry Security Alliance (CISA) stated that companies should use the security features supplied by Cloud Service Providers and combine them with the free tools that were recommended by the CISA in order to defend themselves from these attacks. The following is a list of the tools that the CISA provides:
Cybersecurity Evaluation Tool (CSET).
The SCuBAGear tool.
The Untitled Goose Tool
Decider Tool
Memory Forensic on Cloud (JPCERT/CC) is an offering of Japan CERT.
THE CYBERSECURITY EVALUATION TOOL, ALSO KNOWN AS THE CSET.
For the purpose of assisting enterprises in the assessment of their cybersecurity posture, the CISA created this tool, which makes use of standards, guidelines, and recommendations that are widely accepted in the industry. Multiple questions about operational rules and procedures, as well as queries on the design of the system, are asked by the tool.This information is then utilized to develop a report that gives a comprehensive insight into the strengths and shortcomings of the businesses, along with suggestions to remedy them. The Cross-Sector Cyber Performance Goals (CPG) are included in the CSET version 11.5. These goals were established by the National Institute of Standards and Technology (NIST) in collaboration with the Computer Security Industry Association (CISA).
SCuBAGear is a tool that was developed as a part of the SCuBA (Secure Cloud Business Applications) project. This project was started as a direct reaction to the Supply Chain hack that occurred with SolarWinds Orion Software. SCuBA is a piece of automated software that does comparisons between the Federal Civilian Executive Branch (FECB) and the M365 Secure configurations of the CISA. CISA, in conjunction with SCuBAGear, has produced a number of materials that may serve as a guide for cloud security and are of use to all types of enterprises. This tool resulted in the creation of three different documents:
SCuBA Technical Reference Architecture (TRA) — Offers fundamental building blocks for bolstering the safety of cloud storage environments. Cloud-based business apps (for SaaS models) and the security services that are used to safeguard and monitor them are both included in the purview of TRA. The Hybrid Identity Solutions Architecture provides the best possible methods for tackling identity management in an environment that is hosted on the cloud. M365 security configuration baseline (SCB) — offers fundamental security settings for Microsoft Defender 365, OneDrive, Azure Active Directory, Exchange Online, and other services.This application generates an HTML report that details policy deviations outlined in the M365 SCB guidelines and presents them.
UNTITLED GOOSE TOOL
The tool, which was created in collaboration with Sandia National Laboratories, is designed to assist network defenders in locating harmful behaviors in Microsoft Azure, Active Directory, and Microsoft 365. Additionally, it enables the querying, exporting, and investigating of audit logs.Organizations who do not import these sorts of logs into their Security Incident and Event Management (SIEM) platform will find this application to be quite helpful. It was designed as an alternative to the PowerShell tools that were available at the time since those tools lacked the capability to gather data for Azure, AAD, and M365.
This is a tool that Network Defenders may use to,
Extraction of cloud artifacts from Active Directory, Microsoft Azure, and Microsoft 365 The Unified Audit Logs (UAL) should have time bounding performed on them. Collect data making use of the time-bounding feature of the MDE (Microsoft Defender Endpoint) data Decider Tool. Incident response analysts may find it useful to map malicious actions using this tool in conjunction with the MITRE ATT&CK methodology. In addition to this, it makes their methods more accessible and offers direction for laying out their actions in the appropriate manner.
DECIDER TOOL
This tool, much like the CSET, asks a number of questions in order to give relevant user inquiries for the purpose of selecting the most effective identification technique. Users now have the ability to, given all of this information:
Export heatmaps from the ATT&CK Navigator. Publish reports on the threat intelligence you have collected. Determine and put into effect the appropriate preventative measures. Prevent Exploitation In addition, the CISA has given a link that describes how to use the Decider tool.
MEMORY FORENSIC ON CLOUD (JPCERT/CC)
It was built for constructing and analyzing the Windows Memory Image on AWS using Volatility 3, which was the reason why it was developed. In addition, Memory Forensics is necessary when it comes to the recently popular LOTL (Living-Off-the-Land) attacks, which are also known as fileless malware. Memory image analysis may be helpful during incident response engagements, which often call for the use of high-specification equipment, a significant amount of time, and other resources in order to adequately prepare the environment.
Red Siege has developed and made available many open-source tools to help with your penetration testing work.
The company plans to continue to support the tools listed below, whether in the form of bug fixes or new features. Give them a try, they’re all available on GitHub for free.
“I find joy in writing code, turning it into a logic puzzle to create powerful software tools. The satisfaction of seeing my creations in action, like EyeWitness, brings a sense of pride and saves valuable time. Motivated by the possibility of filling a software gap, I open source my creations, hoping they’ll benefit others as they did for me,” Chris Truncer, Senior Security Consultant & Director of Training, Red Siege, told Help Net Security.
AutoFunkt
AutoFunkt is a Python script for automating the creation of serverless cloud redirectors from Cobalt Strike malleable C2 profiles.
C2concealer
C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
DigDug
Dig Dug works by appending words from a dictionary to an executable. This dictionary is appended repeatedly until the final desired size of the executable is reached. Some AV & EDR engines may measure entropy to determine if an executable is trustworthy for execution. Other vendors inspect executables for signs of null byte padding.
dumpCake
dumpCake will dump password authentication attempts to the SSH daemon. Every SSHD child process will get attached to and at the completetion of the process, the attempted passwords and connection logs will be dumped to the script.
EyeWitness
EyeWitness takes screenshots of websites, collects server header info, and identifies default credentials if possible. Saves a lot of time triaging web sites on large tests. This tool is very commonly used by penetration testers looking to sift through a long list of websites.
EDD – Enumerate Domain Data
Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD.
GPPDeception
This script generates a groups.xml file that mimics a real GPP to create a new user on domain-joined computers. Blue teams can use this file as a honeyfile. By monitoring for access to the file, Blue Teams can detect pen testers or malicious actors scanning for GPP files containing usernames and cpasswords for lateral movment.
Just-Metadata
Just-Metadata is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset. It is used to gather intelligence information passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen.
ProxmarkWrapper
ProxmarkWrapper is a wrapper around the Proxmark3 client that will send a text alert (and/or email if warranted) if a RFID card is captured.
Wappybird
Wappybird is a ultithreaded Wappalyzer CLI tool to find web technologies, with optional CSV output. You can also provide a directory and all scraped data will be saved with a subfolder per host.
WMImplant
WMImplant is a PowerShell based tool that leverages WMI to both perform actions against targeted machines, but also as the C2 channel for issuing commands and receiving results. WMImplant requires local administrator permissions on the targeted machine.
WMIOps
WMIOps is a powershell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment. It’s designed primarily for use on penetration tests or red team engagements.
