Exchange Emergency Mitigation Service with new CU Update

This is a big thing in the Exchange world from my POV! I believe this is dropping sometime today (28th September!)

History

Exchange OWA, ECP etc. are exposed online not only for mailbox access, calendar sharing but also are a requirement for hybrid mode sync capabilities.

Vulnerabilities in Exchange this year (ProxyLogon/ProxyShell) have shown how problematic an attack surface this is. The good news is, Microsoft have created a feature for Exchange to help mitigate these attacks in the future via the EM Service!

Read more “Exchange Emergency Mitigation Service with new CU Update”

Cyber Security Tips – Keeping your digital self, safe!

Not even most of my digital life is in the enterprise security space, whilst this is great if you have access to technology budgets, security specialists and modern business class solutions, this doesn’t really fit into the general populations landscape of technology. I thought I’d take a high-level exploration of what digital security looks for people who aren’t security nerds! This is a bit of an experiment for me as it’s a journey into a world where although some things apply to me (obviously I’m human), some of this from a thinking/blogging point of view aren’t my comfort space. So, let’s see what a world outside of being a nerd look like!

Commons Risks

I’m thinking the risk landscape is still broad however when we think about risks, I reckon a general view model may look at some of the following scenarios:

  • Fraud/Scams
  • Sextortion
  • Phishing
  • Social Media Account Takeover
  • Device Theft
  • Device Loss
  • Equipment Failure/Data Loss
  • Threat from known individuals with physical access
  • Human Error

Read more “Cyber Security Tips – Keeping your digital self, safe!”

Risk management is easy! Isn’t it?

Information security theory and practises use a commonly understood and simple range of tools, methods, and practises to help organisations understand their risk portfolio and to enable them to make both strategic and tactical investment decisions….

Ok someone pinch me. this simply isn’t the reality I see on the ground. The theory is vast, complex and there are a multitude of good/best/insert phrase frameworks and tools that you can leverage to map, model, and communicate risks, vulnerabilities, controls, threats etc.

I’m not going to do a detailed analysis and comparison of different models here, but I am going to at least give people a view of some of the tools and frameworks that you can and may likely experience in the cyber security world. Read more “Risk management is easy! Isn’t it?”

Exposed VMWARE vCenter Servers around the world (CVE-2021-22005)

There’s a new CVE in town but don’t think it’s the only problem you get when you expose administrative interfaces to the wild west of the internet (yeeha or something). Let’s go on a quick exploration of what the world looks like with the help of our friends at Shodan and then let’s see the ramblings of Dan when looking at how benign enumeration and exploration of services can work. Let’s get started looking at the world, a quick face analysis on Shodan with vmware as a product shows a hit or two, what we are going to focus on is vCenter but you know.. you might want to review your attack surfaces so any exposed services (damn people expose some risky stuff!) Read more “Exposed VMWARE vCenter Servers around the world (CVE-2021-22005)”

CAF Workbook

Undertsanding the current state of cyber capability maturity across an organisation is no simple feat. The team at NCSC have created a really good set of guidance with CAF. With all things there’s different ways on consuming, understanding and leveraging good practises.

I often find have XLS workbooks incredibly valuable when looking at indicators of good practise inside organisations. With this in mind, I started to put the GAF indicators into a workbook. This isn’t complete yet. It needs refactoring so it can be pivoted etc. It also needs some parts added for metadata capture and analysis.

I’m publishing this because sitting collecting virtual dust is probably the least valuable thing that can occur.

Hopefully this is helpful to people, even in it’s current half baked state. I’ll and complete this at some point!

Read more “CAF Workbook”

Post Compromise Active Directory Checklist

Nuke it from orbit, it’s the only way to be sure!

Ok, in an ideal world you can re-deploy your entire environment from scratch, but back in the most people’s real world’s that’s not that simple. So, what do we do if we can’t nuke from orbit in a post compromise situation? Well, we need to clean up! This isn’t an exhaustive list, not a total guide. it’s a quick list to make you think about some key common areas and actions that might need to be taken! after all if someone got r00t, who knows what they did! (trust me, most orgs monitoring is a bit naff!)

Read more “Post Compromise Active Directory Checklist”

Vulnerability Management – Actually doing it!

Vulnerability Management, Assessments and Vulnerability scanning is sometimes treated a with distain in the Offensive security community, I personally don’t understand that. Vulnerability management is key to inputting into security strategy, architecture, and operations. It’s coupled heavily to many other processes such as:

  • Asset Management
  • Risk Management
  • Patch Management
  • Change & Release Management
  • Security Testing
  • Security Monitoring

Before we start deploying let’s think about some areas for consideration when performing vulnerability scans:

  • Scope
    • Asset/Hosts
      • IP Ranges
      • Hostnames
    • Connectivity
      • VPNs
      • LAN/WAN
    • Device Types and Configuration
      • Domain
      • Workgroup
      • Appliance
      • ICS
      • Printers
      • Network Equipment
    • Unauthenticated View
    • Authenticated View
      • Auth Types
      • Protocols
    • Scheduling
    • Authority to execute
  • Impact
    • Performance
    • Availability
    • Confidentiality
  • Objectives and Outcomes
  • Reporting
    • Information Flow
    • Report Storage and Confidentiality

Read more “Vulnerability Management – Actually doing it!”

How to Identify Hashes

Some hashes are obvious but even then, it’s a good job to check. There are a few ways to check a hash outside of manual validation.

Using the Hashcat example list:

https://hashcat.net/wiki/doku.php?id=example_hashes

Graphical user interface, text, application, email Description automatically generated

Using hash-identifier:

https://github.com/blackploit/hash-identifier

Using cyberchef Analyse hash:

https://gchq.github.io/CyberChef/#recipe=Analyse_hash()

Background pattern Description automatically generated with low confidence

Using hash-id:

https://github.com/psypanda/hashID

Using HashTag:

https://github.com/SmeegeSec/HashTag

As you can see there are range of tools available to you, and remember if you want to keep the hashes to yourself you can download Cyberchef and run it locally!

Would you know if these remote access tools were…

Introduction

Remote management and monitoring (RMM) and other remote access solutions are fantastic for enabling remote support of environments. Like most things in life though the intent of the user changes the tool from a force for good to a weapon of evil (I hate the use of the word weapon with software but it’s a blog so I’ll self-cringe).

Kill Chain Summary

The kill chain in the attack outlind by sophos isn’t one that you will be suprised at:

  • Initial access was via a known software vulnerability (unpatched Exchange server)
  • The attackers dropped a web shell
  • The attackers had SYSTEM level access
  • The attackers dumped memory to obtain hashes
  • The hashes were cracked (they escalated to domain admin)
  • 7 (yes seven!) backdoors were implaneted into the target network (hence this blog post)
  • Lateral movement was made to domain controllers
  • Large volumes of data were exfiltrated
  • The rest of the environment was then pwn3d

What might shock you more is the speed at which this was conducted. It’s not months or weeks, it’s hours and days (see the Sophos blog for more details!)

Conti Actors Remote Access Toolkits

Remote access tools being abused isn’t a new thing but following a great writeup (https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/?cmp=30728) of a Conti kill chain from Sophos Labs I figured I’d try and raise more awareness of some of the threats that organisations face, and the reality that defending against all threats is actually quite difficult for a lot of organisations (hell it’s technically not simply for anyone!) Read more “Would you know if these remote access tools were being used in your network environment?”

Copyright (c) Xservus Limited