Red Team Readiness Assessment

I am seeing lots of “debate” about the value in red teaming, so I thought I would put together my thought process of how I look at as a broad stroke when I consider a generic starting position in an organisation. When I’m defending a business, I tend to ask myself (and the team/customers etc.) these kind of questions (they are not exhaustive):

Do you have a good understanding of your Enterprise Architecture?
Do you understand your service architectures?
Do you understand your security architecture/s?
Have you done an asset discovery exercise?
Have you modelled data flows?
Have you conducted security hardening of the environment/scope?
Have you done vulnerability assessments?
Have you done penetration testing?
Have you done control on/off testing?
Have you got a defensive security capability/team?
Have you reviewed your monitoring capabilities against common and known exploitation paths?
Do you need/want external help to understand your posture, capability strength and detection and response capabilities?

If yes to all the above: Conduct a red team exercise!

If no consider this question:

Do the key stakeholders understand the value of investing in security? If they don’t and you can’t secure resources to do the first tranche of activities, you may want to conduct an offensive security testing exercise to demonstrate the value in having a good security posture. This however may not be the only route, you may simply need to do a contract review and understand the delta between contractual requirements to customers and the current state of an organisation, the revenue/income loss risk (let alone the potential legal costs) may be enough to tip the scales and change mindsets (there is never “just” 1 path that works for every organisation or scenario).

“Understand and review before pew pew!” – mrr3b00t

Almost everything in life “depends”. I would however not want to have my ass kicked by an external team if I didn’t have a handle on the current state, resources to defend and had already invested in creating a strong defence (unless I was struggling to get investment. then f*ck it, pew pew all the way home!)

Leadership

UK laws and cyber security considerations for business

I am not a legal export! Haha get used to saying that a lot if you work in cyber and are not in fact a legal expert! I wanted to put together a list of common laws that people should be aware of when doing business in the UK, it’s just a starter for 10 and there are likely others, but this should get people started for their security awareness and security policy documentation:

Data Protection Act 2018
Freedom of Information Act
Communications Act
Computer Misuse Act 1990
Investigatory Power Act 2016 (IPA)
Theft Act 1990
Terrorism Act 2000
The General Data Protection Regulation (GDPR)
The Privacy and Electronic Communications Regulations 2003 (PECR)
The Regulation of Investigatory privacy Act 2000 (RIPA)
Official Secrets Act 1989 (OSA)
Companies Act 2006
Copyright and Design patents Act 198
Trademarks Act 1994
The Malicious Communication Act 1988
Forgery and Counterfeiting Act 1981
Police and Criminal Evidence Act 1984
Contracts (Rights of Third Parties) Act 1999
Fraud Act 2006
Network and Information Systems Regulations 2018 (NIS)
Telecommunications (Security) Act 2021
The Bribery Act 2010
Freedom of Information Act 2000
Defence of the Realm Act 1914

can you think of any others that I should add?

Thanks Gary and Kevin and the other AVIS I can’t name for inputting!

Education

Information Security Risk Management

I wrote this in 2018 and don’t believe it ever made it to the interwebs, so I’m basically posting as is with an extra section for some useful links! Hopefully it still stands the test of time!

Risk Management doesn’t have to be risky!

Risk assessments are complex, they require cross domain knowledge and generally do not deal in absolutes. Threats, vulnerabilities and asset intelligence is combined, weighed and assessed, leading to the construct of a risk assessment document. It can be easy to overcomplicate this process, which in turn (in my experience) often leads to far wider reaching consequences (the business starts to bypass security management or take short cuts), so I thought I would write a short post to clarify what I’ve seen work out in the field. So, to start with let’s try and align on what exactly a risk is.

Defense

Broadband Routers

When it comes to digital technology, we have to consider many things.

Availability, Confidentiality, and Integrity are good building blocks for considerations. We can probably split this into two major views to start with:

What does a typical consumer care about?
What security and privacy considerations could be made?

A typical consumer may be about:

Availability
Cost
WIFI Coverage
Performance
Ease of Use
Ease of Support/Troubleshooting
Style/Looks
What happens if it breaks?
Can I stop my kids messing with it? (Probably not so why bother)

Leadership

Organisational Approach to Technology and Security

How an organization approaches the challenge of technology and security management, well that’s the difference between leveraging technology to deliver value efficiently and effectively vs technical debt and inefficient deployment of technology which may hinder the organisation in its pursuit of its mission.

When we consider how technology is managed, we need to look at it from multiple viewpoints with different views:

Read more Organisational Approach to Technology and Security” →

Vulnerabilities

Exchange Emergency Mitigation (EM) service

Yesterday I created a honeypot running Exchange 2019 in the lab. I configured very little and setup a test rule as per the MS blog to stop the SSRF from the “Autodiscover” endpoint to the Powershell function call. I put a custom response with some humour (coz why not!) but I disabled the rule:

This rule was placed in the Autodiscover virtual directory which in Exchange by default is here:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config

My custom rule:

<rules>

</conditions>

</rule>

</rules>

</rewrite>

This morning I checked the Honeypot, and I found the following:

Graphical user interface, text, application, email

Description automatically generated

This rule is hosted in:

C:\inetpub\wwwroot\web.config

<rules>

</conditions>

</rule>

</rules>

</rewrite>

As you can see this was modified at 03:21 01/10/2022

Graphical user interface, text, application

Description automatically generated

This comes from:

Exchange Emergency Mitigation Service (Exchange EM Service) | Microsoft Learn

“Exchange Emergency Mitigation (EM) service”

Text

Description automatically generated

You can check if this is enabled by running the following PowerShell:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; 

Get-OrganizationConfig | Select-Object MitigationsEnabled

So here we can see that with this enabled, the Exchange server will download and deploy the HTTP re-write rules automatically (if the server has the required version/config etc.)

You can enable or disable it with the following:

Set-OrganizationConfig -MitigationsEnabled $true
Set-OrganizationConfig -MitigationsEnabled $false

You can check this feature works using the following (modify path as required for relevent exchange version)

. "C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Test-MitigationServiceConnectivity.ps1"

Check the MS docs and check your Exchange Server version to see if you have this feature etc.

GCM exsetup |%{$_.Fileversioninfo}

You learn something new everyday!

Vulnerabilities

Exploitation of Microsoft Exchange Servers seen in the wild

LATEST UPDATE (04/10/2022)

The latest guidance from Microsoft (released on the 02/10/2022) says to disable administrators from being able to execute remote PowerShell via the exchange PowerShell web endpoint /PowerShell

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server – Microsoft Security Response Center

October 2, 2022 updates:

Added to the Mitigations section: we strongly recommend Exchange Server customers to disable remote PowerShell access for non-admin users in your organization. Guidance on how to do this for single user or multiple users is here.
Updated Detection section to refer to Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082.

Additional mitigations

Remove exchange web services from the internet (there are reasons to do and not do this)
Restrict hybrid servers to allow OWA to O365 only
Leverage dynamic blocking
Greynoise has a list of IPs known here: https://api.greynoise.io/v3/tags/8bf9b766-bf0f-452f-80bf-1d0903847793/ips?format=txt&token=rYZCpLOTf6UnUbBoUpF3Q

Obviously bear in mind this needs auth! but also auth isn’t always that hard..

Microsoft Research have just released (0825 30/09/2022) this: Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server – Microsoft Security Response Center

Microsoft have released a Exchange Server Emergency Mitigation (EMS) which includes URL re-write rules to HELP mitigate this (but likely don’t eliminate all risks due to potential bypasses)

New security feature in September 2021 Cumulative Update for Exchange Server – Microsoft Tech Community

Current Scenario (Updated 11:27 30/09/2022)

Likely “Zero day” exploit in the wild being used to attack exchange servers via a simmilar endpoint to ProxyShell. A mitigation is to apply URL rewrite rules, or to disconect the service internet from untrsuted networks until a patch is available. The Exploit is reported to required AUTHENTICATION, which may significantly limit the volume of exploitation (however credentials are only a phish away). It’s also reported the exploitation in the wild used /Powershell after exploiting the autodiscover endpoint.

Overview (orginal post area)

Yesterday it was reported there was a “new” zero day vulnerability being exploited in the wild. But there appears to be some confusion and a lack of speciifc evidence to showcase the vulnerability being “new” or simply being a differnt exploit path/approach for an existing CVE (e.g. ProxyShell).

The situation from my pov (at time of writing) is still unclear. It would be odd to not advise people ensure they are running the latest supported Exchange CU and Security update release (check both!) – if the exploits are 0-day (which it looks like they are) you will need to also patch when MS release a patch!

You may also wish to: use a WAF/Web Platform (IIS or reverse proxy) to restrict access to potentially vulnreable strings/endpoints.
You should probably review vendor guidance (Microsoft)
You may want to review your exchange servers for indicators of compromise (IOCs)
Check log files for activity, Check for dropped webshells, Check process logs (if you have them!)
Microsoft Recomends using the URL re-write module see (Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server – Microsoft Security Response Center

New Microsoft Exchange zero-days actively exploited in attacks (bleepingcomputer.com)

Upcoming | Zero Day Initiative

Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server | Blog | GTSC – Cung cấp các dịch vụ bảo mật toàn diện (gteltsc.vn)

https://www.shodan.io/search/report?query=http.title%3Aoutlook+exchange

There are 201,995 Exchange Servers with Outlook Web Access Exposed (According to Shodan)

cve-2021-31206 (19,311)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206

9.5% of the worlds Exchange attack surface is vulnerable to CVE-2021-31206

PROXYSHELL

https://www.cisa.gov/uscert/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell

CVE-2021-34473 (4388)
CVE-2021-34523 (4388)
CVE-2021-31207 (4388)

2.1% of the worlds Exchange attack surface is vulnerable to ProxyShell CVEs (above) (based on the shodan data)

https://learn.microsoft.com/en-us/exchange/new-features/updates?view=exchserver-2019

Exchange CU Versions

IMPORTANT: Your NEED the LATEST Cummualative Update (CU) and the LATEST Security Updates (SU) for Exchange (and given this is a likely zero day scenario you will need to patch again when the latest patches are released from MS)

https://learn.microsoft.com/en-us/exchange/new-features/updates?view=exchserver-2019

Exchange 2019 CU12 Aug22SU

https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-and-2016-august-9-2022-kb5015322-86c06afb-97df-4d8f-af88-818419db8481

Exchange 2016 CU 23 Aug22SU

https://learn.microsoft.com/en-gb/Exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019

https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-and-2016-august-9-2022-kb5015322-86c06afb-97df-4d8f-af88-818419db8481

Exchange Server 2013 CU23 Aug22SU

https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-microsoft-exchange-server-2013-august-9-2022-kb5015321-96a47598-09b7-43eb-98bb-76fdf906f265

https://www.microsoft.com/en-us/download/confirmation.aspx?id=58392

Summary

The situation appears to be evolving, as always security vulnerabilities and in the wild exploitations can be a fast moving landscape, internet facing systems need suitable and adequate protections, that doesn’t include just exposing IIS on TCP 443 and walking away. It requires capabilities such as:

WAF/CDN
DoS/DDoS Defence Considerations
Logging and Alerting
Staff to monitor and respond
Secure Configurations
Antirivurs/Antimalware
Segemntation
Endpoint Detection and Response Capabilities (EDR)
Incident Response Planning
Threat Intelligence

and many more things!

This post is a fast publish and may contain errors and/or the situation may change. I’ll try and keep it updated.

Guides

What to do when you think you are being…

Planning is key but you can also respond

Recently I was helping a friend out when they were being targeted by a criminal online. I thought I’d put some notes down to try and help people. This isn’t a “how to” it’s more like thoughts and ideas. It’s UK centric, but probably works in lots of places.

One thing to note, preparation is greater than response, the more prepared you are, the less vulnerable you may be, the more prepared the smaller the attack surface.

You may for a variety of reasons become under heightened threat from an internet perspective. The information on here is not a catch all, a detailed guide to personal (PERSEC) and operational security (OPSEC). Read more “What to do when you think you are being targeted in cyberspace” →

Threat Intel

CLOP Ransomware Group Breaches Water Company and then misattributes…

We’ve all been there haven’t we! We’ve pwn3d a network, pivoted and moved around for months and then accidentally got the wrong company name… oh wait.

Well, this story isn’t fiction, CLOP ransomware group have breached a water company and then written it up as the wrong organisation. Read more “CLOP Ransomware Group Breaches Water Company and then misattributes to THAMES WATER” →

Leadership

mRr3b00t’s little blog about the Cyberz and getting into…

Where to start!

Everyone loves talking about how to get into Cyber! It’s like the cliché thing to talk about! Hell, there’s people who have been in jobs for minutes writing guides, It’s odd… my advice, gardening! Seriously you will see the outside, will learn skills that are useful and keep physically fit! Wait you still want to cyber? You sure? Ok there’s some super awesome fun parts of cyber, not going to lie, it sounds super cool! What do you do? I’m a CYBER! See cool AF!

Risk Management doesn’t have to be risky!

When it comes to digital technology, we have to consider many things.

LATEST UPDATE (04/10/2022)

Additional mitigations

Current Scenario (Updated 11:27 30/09/2022)

Overview (orginal post area)

Global Attack Surface

PROXYSHELL

Exchange CU Versions

IMPORTANT: Your NEED the LATEST Cummualative Update (CU) and the LATEST Security Updates (SU) for Exchange (and given this is a likely zero day scenario you will need to patch again when the latest patches are released from MS)

Exchange 2019 CU12 Aug22SU

Exchange 2016 CU 23 Aug22SU

Exchange Server 2013 CU23 Aug22SU

Summary

Planning is key but you can also respond

Where to start!