Defending Against Direct Authentication Attacks in Microsoft Office 365

Whilst conducting security testing and assurance activities, I went looking to show logon events in Office 365. My first query was on IdentityEvents, this led to a view of a multi month attack by a threat actor/s against a tenent, followed by exploring the rabbit hole of logs and computer systems. This blog summarises some of the methods and findings when considering threat hunting and authentication defences for Office 365. (bear with me I am tired so this might need a bit of a tune up later!)

Broadband Routers

When it comes to digital technology, we have to consider many things.

Availability, Confidentiality, and Integrity are good building blocks for considerations. We can probably split this into two major views to start with:

What does a typical consumer care about?
What security and privacy considerations could be made?

A typical consumer may be about:

Availability
Cost
WIFI Coverage
Performance
Ease of Use
Ease of Support/Troubleshooting
Style/Looks
What happens if it breaks?
Can I stop my kids messing with it? (Probably not so why bother)

CVE-2022-26809 – Critical Windows RPC Vulnerability

Vulnerability Information

Rating	Critical
CVE	cve-2022-26809
MITRE	CVE – CVE-2022-26809 (mitre.org)
CVSS	CVSS:3.1 9.8
Impact	Remote Code Execution (RCE)
Exploit in the wild	Currently not observed
Difficulty to Exploit (if PoC available)	Very Low
Network Position	TCP/IP Routable or Network Adjacent
Authentication Required to Exploit	No
Affected	Windows Client/Server OS
Typical Service Ports	TCP 135,139,445
Vendor Patch Available	Yes
Exploitable in Default OOB (out of the box) configuration	Unknown
Exploitable Client/Server	Believed to be client and server side exploitable

Rapid Active Directory Hardening Checklist

Ok this is not a small subject areas and it’s not a HOW TO guide but it should at least give you some ideas for tools to deploy and areas to check that are abused by Ransomware gangs and ATPs etc. Thanks to people who contributed!

This is not everything but it’s some common low hanging weaknesses:

Log4Shell exploitation and hunting on VMware Horizon (CVE-2021-44228)

TLDR

Go and run this on the connection servers:

https://github.com/mr-r3b00t/CVE-2021-44228

It’s crude so also look for the modified timestamps, recent unexpected blast service restarts and if you have process logging go and check for suspicious child processes over the period. Once you have checked, run a backup, then if they aren’t patched, patch the servers! (i know patching isn’t as simple as just patch!)

Post Business Email Compromise actions for Office 365 Users

If you have a business email compromise incident and you haven’t deteced it in a timely manner your fist notification might be a bad experiance, the threat actors may have commited fraud, attemped fraud or simply launched a phishing If you have a business email compromise incident and you haven’t detected it in a timely manner your fist notification might be a bad experience, the threat actors may have committed fraud, attempted fraud, or simply launched a phishing campaign from your environment. If you are in this position, there are some steps you can take from a technical point of view to limit impact and reduce risk of a re-occurrence. This blog is a high-level view at some of the tactical and longer-term activities you can conduct.

I’m the CEO why do I care about phishing…

Introduction

This is part of a series I’m writing which is focusing on some of the core fundamentals of why cyber security is a business issue, why business leadership should care and invest in a good security posture and I’m looking at common security threats and ways you can combat these. Read more “I’m the CEO why do I care about phishing threats?” →

I’m the CEO, why should I care about Cyber…

Introduction

First and foremost, I’m going to start by saying if I include any cliché quotes it’s probably in an ironic context or used to show how they aren’t practically useful. Why are we here? Well, based on the title, it’s because you are either a CEO/MD or you are in a leadership position and want to learn a little more about cyber security.

I’m sure you have read the news, I’m sure you have seen vendor adverts explaining something like:

Zero Trust
The Security Skills Gap
How phishing can be solved through security awareness training (pro tip: it can’t)

And I’m sure someone on your LinkedIn feed you have seen people exclaim all kinds of crazy things like:

TLS Weaknesses Lead to Ransomware
Security is Simple (it, I’m afraid, is not)
Managed Security Service Providers ensure security

Phishing your own people – path to eroding trust…

Introduction

“Security education and awareness darling, it’s all the rage! It’s simply to hot right now.” Ok stop, let’s take a minute to get some context. It’s the year 2021, organisations are taking a battering round the globe from cyber criminals who are deploying ransomware, extortion, and fraud via a range of methods but one you can’t not have heard of is phishing.

In this post today, I’m going to look at realities of initial access, phishing and some questions I think people should be asking themselves about the idea of phishing their own userbase. I try and look at this from multiple perspectives because I think it’s a complex subject. Let’s start with initial access methods!

Common Patterns of Access

If we look at the world of technology and cyber security, you will see logs of references to frameworks and language that is enough to send even the committed to sleep! However, let’s abstract from our TTPs, our MITRE ATT&CK frameworks and our “threat actors” and let’s talk in normal English. Read more “Phishing your own people – path to eroding trust or a useful tool?” →

Apache Access Logs Rotation

By default, at least on Ubuntu apache2 is set to rotate logs every 14 days.

It will rotate logs held here: /var/log/apache2/*.log

Using the rotate configuration, you can specify a value: Read more “Apache Access Logs Rotation” →