It's 3 Billion! Yes, Every Single Yahoo Account Was Hacked In 2013 Data Breach

A little-known technique used by hackers, and one not widely known by the general public: it is easy to go and buy users' information from breaches. Why is this useful, you might ask? Because having one or more password samples and a user's secret questions and answers is highly likely to lead to access to other accounts used by that user. Studies have shown that most users reuse a common password and secret question(s) across their private and corporate accounts. Vendor identity and access management software normally compounds the issue by not allowing users to choose secret questions that differ from those used by other online services. All of this puts your corporate accounts at risk. Try it and you will be surprised at what you will find. Corporate Threat Intelligence / Hunt teams should be analyzing breach data to see if any corporate personnel have been breached on private accounts.

LINK: It's 3 Billion! Yes, Every Single Yahoo Account Was Hacked In 2013 Data Breach
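The hunt described above, as an added example (not code from the post or from Counterveil): a constructed breach dump is scanned for identities on corporate domains and for the same password hash turning up in more than one breach source, which is the reuse the post warns about. The domain list, the records and the hashes are all constructed; real dumps hash passwords differently per site, so hash comparison only works where the same algorithm was used.

```python
"""Hunt a breach dump for corporate identities and reused secrets.
Added example; every record below is constructed, not real breach data."""
import hashlib
from collections import defaultdict

CORP_DOMAINS = {"example.com"}  # placeholder; substitute your own domains


def _h(password):
    """Constructed hash for the sample records (SHA-256 of a made-up password)."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed dump: one row per (breach source, account) as a dump would hold.
BREACH = [
    {"source": "breach_a", "email": "alice@example.com", "pw_hash": _h("Summer2013!")},
    {"source": "breach_b", "email": "Alice@Example.com", "pw_hash": _h("Summer2013!")},
    {"source": "breach_b", "email": "a.lice+shop@gmail.com", "pw_hash": _h("Summer2013!")},
    {"source": "breach_c", "email": "bob@example.com", "pw_hash": _h("correcthorse")},
    {"source": "breach_c", "email": "carol@other.org", "pw_hash": _h("hunter2")},
]


def normalize(email):
    """Canonical identity: lower-case, and collapse Gmail dot/plus aliases."""
    local, _, domain = email.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def corporate_exposure(records, domains=CORP_DOMAINS):
    """Corporate identities present in the dump, with the sources that hold them."""
    hits = defaultdict(set)
    for rec in records:
        identity = normalize(rec["email"])
        if identity.rsplit("@", 1)[1] in domains:
            hits[identity].add(rec["source"])
    return {identity: sorted(srcs) for identity, srcs in hits.items()}


def password_reuse(records):
    """Identities whose identical password hash appears in more than one source."""
    by_identity = defaultdict(lambda: defaultdict(set))
    for rec in records:
        by_identity[normalize(rec["email"])][rec["pw_hash"]].add(rec["source"])
    return {identity: sorted(srcs)
            for identity, hashes in by_identity.items()
            for srcs in hashes.values() if len(srcs) > 1}


if __name__ == "__main__":
    print("exposed corporate identities:", corporate_exposure(BREACH))
    print("password reused across sources:", password_reuse(BREACH))
```

The two results feed the response the post implies: exposed corporate identities get a forced credential and secret-question reset, and reuse hits are prioritised because the private-account leak is a direct path to the corporate one.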
Another major worldwide event (The Olympics) sabotaged by cyber security threats

Are the hackers solely responsible, or can some blame be laid at the so-called IT experts who are responsible for the Olympics infrastructure? The blog below shows yet again the simplicity of the Tools, Techniques and Procedures (TTPs) used by hackers. We use the word simple because the information available in the public forum shows that the hacking and malware techniques used are commonly available in many "teach yourself hacking" books found on Amazon.

https://thehackernews.com/2018/02/pyeongchang-2018-winter-olympics.html

Counterveil's Security Monitoring (Managed Detection & Response) has the capabilities to detect and remediate the TTPs which caught the Olympics infrastructure off guard. Our Blue Team training is also available to teach our customers and freelance trainee analysts how to detect these types of TTPs using enterprise-grade common security monitoring tools such as ArcSight, QRadar, and Splunk.

Here is a breakdown of some indicators and how Counterveil could have detected and remediated these attacks before system outages occurred:

• Initial malware infection, dropper, or final-stage malware execution. We would detect the unknown process, triage it, and make use of orchestration processes to interrogate the binary further. Counterveil's automation could have been used to perform malware analysis, and automated remediation could have been used to contain the rogue processes.
• The persistence techniques used by the hackers and their malware tools are easily detected and remediated using our orchestration triage processes to interrogate changes to the file system, registry and memory address space.
• The hackers' use of keylogging software would have been detected by our orchestration processes interrogating the use of drivers, or other process or DLL injection into either userland processes or the kernel.
• The hackers' use of Windows VSS to delete shadow copies and change policy and configuration settings is a clear sign of intrusion, easily detected in Windows event logs, which are correlated with all the other information in Counterveil's MDR suite.
• The hackers' use of lateral movement TTPs via PsExec or WMI is easily detected in Windows 4688 process creation and Invoke-Command auditing event logs. Counterveil's baseline trend analysis of account usage would also have detected the duplicate and unusual use of user accounts (hijacked credentials) by the PsExec process, the WMI command or the net.exe (net use) commands.

A lot of these techniques can be found by very simple triage analysis, without the need for statistical machine learning or for orchestration tools to perform follow-up triage data analysis. These indicators are plain to see in Windows event logs, assuming the correct auditing policy is in place. A decent correlation or alerting tool can be used to join these disjointed indicator events together to highlight the issue to security analysts so that action can be taken. Counterveil's detection, orchestrated triage and automation (MDR) tool suite would have found the hack with no human interaction and stopped it.

Counterveil offers penetration testing specifically designed to test your security through simulated attacks on your organization. We provide substantial evidence of vulnerabilities and recommendations for effective countermeasures. Give Counterveil a try!
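The "simple triage" the post describes, as an added example that is not Counterveil's MDR suite or any code from the post: a handful of constructed Windows 4688 process-creation records are checked for the PsExec service, WMI-spawned shells, `net use` and `vssadmin delete shadows`, and each account's hosts are compared against a constructed baseline so that a credential used from an unexpected host stands out. Field names, hosts, accounts and the baseline are all constructed; the rule logic requires command-line auditing to be enabled for 4688, as the post notes.

```python
"""Triage of constructed Windows 4688 records for the lateral-movement and
VSS indicators discussed above.  Added example; nothing here is captured from
a real host or the Olympics incident."""
from collections import defaultdict

# Constructed 4688 records holding only the fields the rules need.
EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "SRV01", "user": "CORP\\alice", "parent": "services.exe",
     "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "SRV02", "user": "CORP\\alice", "parent": "wmiprvse.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c "net use \\\\SRV03\\C$ /user:CORP\\alice"'},
    {"host": "SRV02", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "SRV02", "user": "CORP\\svc_backup", "parent": "svchost.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

# Constructed baseline: the hosts each account normally starts processes on.
BASELINE = {"CORP\\alice": {"WS01"}, "CORP\\svc_backup": {"SRV02"}}


def classify(ev):
    """Indicator names triggered by one 4688 record (empty list if benign)."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent"].lower()
    cmd = ev["cmdline"].lower()
    hits = []
    if image == "psexesvc.exe":                     # PsExec drops and starts this service
        hits.append("psexec_service")
    if parent == "wmiprvse.exe" and image in {"cmd.exe", "powershell.exe"}:
        hits.append("wmi_remote_exec")              # shell spawned by the WMI provider host
    if image == "net.exe" or "net use" in cmd:
        hits.append("net_use")                      # admin-share mapping
    if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        hits.append("vss_shadow_delete")            # listing shadows is left alone
    return hits


def account_anomalies(events, baseline):
    """Baselined accounts seen on hosts outside their usual set."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["user"]].add(ev["host"])
    return {user: sorted(hosts - baseline[user])
            for user, hosts in seen.items()
            if user in baseline and hosts - baseline[user]}


def triage(events, baseline=BASELINE):
    """Join per-event indicators with the account baseline deviations."""
    indicators = [(ev["host"], ev["user"], hit)
                  for ev in events for hit in classify(ev)]
    return {"indicators": indicators,
            "account_anomalies": account_anomalies(events, baseline)}


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(key, value)
```

Joining the two views is the correlation step the post refers to: the PsExec service on SRV01 and the WMI-spawned `net use` on SRV02 both run under an account whose baseline is WS01 only, which is what turns three separate events into one incident.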
Meltdown and Spectre FUD Watch

We were asked today by a number of colleagues whether there are any indicators a SIEM, or a custom IPS or HIPS, could use to detect the vulnerabilities. Our advice was two-fold.

1. At this point it is not weaponized as a known exploit in the wild; there is a proof of concept used by the original finders of the vulnerability.
2. If it were exploitable it would be a local exploit, meaning someone would not be able to run code remotely. The caveat here is that exploit code could be executed locally, meaning phishing, drive-by web downloads and insider threats are applicable. Mozilla has already stated in their blog that a browser was vulnerable and could have been used to execute code that gives information disclosure; that was before they patched it.

How to reduce the fear, uncertainty and doubt (FUD)...

Firstly, this problem to us is in the same category as Heartbleed, but without the remote access ramifications. That means it is media hype and, yes, it is a real problem, but there is lots of low-hanging fruit that is simply easier to exploit than this.

Meltdown is a kernel-memory-from-user-space vulnerability, which means code from unprivileged users could be used. So all the normal TTPs for detection apply: unknown process (event ID 4688 / Sysmon event 1), a handle to an object was requested (4656), an attempt was made to access an object (4663 / Sysmon event 8). All GUIDs belonging to the SYSTEM and service accounts can be dismissed, as the exploit code would be running under the user's ID GUID.

Spectre is a memory contents issue, where a user would need to read the memory space of the running program they wish to target. Same indicators as Meltdown, with the exception that you need to know the SYSTEM or service account GUID running your applications. You can identify the issue if another unknown process in event ID 4663, with a GUID belonging to anything but your service account or SYSTEM, tries to access a handle object name belonging to the Cisco VPN Client or Windows LSASS. Also note that normal issues such as the installation of device drivers or DLL hijacking could be used to exploit these vulnerabilities as an indirect method of executing code.

The risks are a lot wider than Windows, as the exploits affect multiple processors and have little to do with operating systems or application software. From a network or security device perspective, executing the code in user mode or kernel mode will be difficult, as they don't have browsers or email clients; your main risks for malicious intent are interactive devices. Let's not forget these are information disclosure vulnerabilities, so if a user is non-privileged you look at the risk of disclosure of things like credentials, certificates, VPN tokens, etc. Servers don't browse the internet or open emails.

This is by no means meant to be a full analysis of the issue; we just wanted to give some sensible defusing guidance instead of doom-and-gloom media attention. Our aim is to reduce the FUD.
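The 4663 rule described above, as an added example (not the post's or Counterveil's tooling): constructed object-access records are checked for a process that is not SYSTEM, not a service account and not on the host's known-good list opening a handle to LSASS or the VPN client. Windows records accounts in these events as SIDs (the post calls them GUIDs); the SYSTEM SID S-1-5-18 is the real well-known value, while the service-account SID, the user SID, the VPN client image name and the baseline list are constructed. The example also ranks hits by whether the access mask carries PROCESS_VM_READ (0x0010), since reading another process's memory is the disclosure the post is concerned with. Note for Sysmon users: Sysmon event 8 is CreateRemoteThread; the Sysmon event that records one process opening another is ProcessAccess, event 10, so that is the event to map this rule onto.

```python
"""Triage of constructed Windows 4663 (object access) records for an
untrusted process opening a handle to a secret-holding process.
Added example; records and most identifiers are constructed."""

PROCESS_VM_READ = 0x0010  # access-mask bit for reading another process's memory

# Accounts the post says can be dismissed: SYSTEM and your service accounts.
TRUSTED_SIDS = {
    "S-1-5-18",                          # NT AUTHORITY\SYSTEM (well-known SID)
    "S-1-5-21-1111-2222-3333-1105",      # CORP\svc_vpn (constructed)
}

# Image names whose process handles hold credentials, certificates, VPN tokens.
# lsass.exe is real; the VPN client name is a placeholder.
SENSITIVE_IMAGES = {"lsass.exe", "vpnclient-placeholder.exe"}

# Processes expected to open these handles on a healthy host (constructed).
BASELINE_IMAGES = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\EDR\sensor.exe",  # placeholder endpoint agent
}

# Constructed 4663 records with the fields the rule needs.
EVENTS = [
    {"subject_sid": "S-1-5-18",
     "process": r"C:\Windows\System32\svchost.exe",
     "object": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "access_mask": 0x1410},
    {"subject_sid": "S-1-5-21-1111-2222-3333-1001",  # CORP\alice (constructed)
     "process": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "object": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe",
     "access_mask": 0x1010},
    {"subject_sid": "S-1-5-21-1111-2222-3333-1001",
     "process": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "object": r"\Device\HarddiskVolume2\Program Files\VPN\vpnclient-placeholder.exe",
     "access_mask": 0x1000},
    {"subject_sid": "S-1-5-21-1111-2222-3333-1001",
     "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "object": r"\Device\HarddiskVolume2\Users\alice\notes.txt",
     "access_mask": 0x0001},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def assess(ev, trusted=TRUSTED_SIDS, baseline=BASELINE_IMAGES):
    """(severity, reason) for one record, or None when it is not of interest."""
    target = basename(ev["object"])
    if target not in SENSITIVE_IMAGES:
        return None                      # not a handle to a secret-holding process
    if ev["subject_sid"] in trusted:
        return None                      # SYSTEM / service account: dismissed per the post
    if ev["process"] in baseline:
        return None                      # known-good tooling on this host
    severity = "high" if ev["access_mask"] & PROCESS_VM_READ else "medium"
    return severity, f"{basename(ev['process'])} ({ev['subject_sid']}) opened {target}"


def triage(events):
    """All records worth an analyst's attention, with severity and reason."""
    findings = []
    for ev in events:
        result = assess(ev)
        if result:
            findings.append((ev["process"], *result))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding)
```

Whether a hit is `high` or `medium` depends on the mask, not on the process name, which keeps the rule useful for the indirect paths the post mentions (a hijacked DLL or a freshly installed driver still has to open the handle under some account).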