Ransomware Realities

Everything is much worse now, or is it?

”The world is burning, the world is burning but then if you look around, it always has been…”

Computer systems and security go together much like chalk and cheese! Probably sounds a bit odd but miniaturization, consumerization and mobility have put more technology out in the world than we can really comprehend, yet technology security is still dramatically overlooked by most organizations.

The insane pace of change, the drive for faster, better, cheaper and the reality that it probably isn’t a stretch to say most people (and organizations) do not really understand what ‘secure’ or ‘hardened’ looks like.

Defense

Confessions of a white hat hacker

We move around in many places, we sit in plain sight, you might know we are there, or you might not. We work in the shadows, yet we shine a light. You see we’ve been inside your networks; we’ve sat in your cabs, we’ve worked with your teams. We have read you annual reports and we’ve mapped your company; we do this in a way that often you can’t even see.

Defense

Ransomware Defence Checklist – Part 1 : Initial Access

Defending the Realm

We keep seeing organization get hit, in some kind of a sick way I think me and some of my friends in the industry are bored with the over dramatic responses of “sophisticated” “advanced” and “unpreventable” because most times the kill chains simply are not like this. But still the onslaught keeps coming. Well I know this much, whilst I would love to deploy with the team and harden everyone’s networks that simply isn’t possible. So what we thought we would do is write something to try and spread the knowledge a bit further and hopefully have some positive impact.

Ransomware 101

It’s not just that your data will be encrypted, it will likely be exfiltrated and sold. You will likely have access sold, data sold and be extorted. The Ransomware business model is adapting to defender responses. Even if you can restore from backup they will likely try and attempt to extort. This brings a key point in this equation, the best position is to NOT get pwn3d to start with. Ok that might sound silly to say but when we look at these kill chains you might start to see the world from my perspective a little. Read more “Ransomware Defence Checklist – Part 1 : Initial Access” →

Breach

Following a Kill Chain – Defending against Babuk group’s…

Washington Police Department Pwn3d by Ransomware Group Babuk

So it’s all over the news outlets, a police department (Washington DC PD) has been hit by a ransomware syndicate, Babuk. So firstly, let’s be realistic everyone can get pwn3d and at this time our thoughts go out to those affected and to the teams working the response. Being hit by ransomware is NOT fun and not something we would wish upon anyone. That being said this isn’t an ambulance chase, what I want to do hear is look at the TTPs from Babuk in a bit more detail so hopefully we can help inform and educate people so they can strengthen their security postures.

References

https://news.sky.com/story/russian-hackers-target-washington-dc-police-department-in-apparent-ransomware-attack-12288183

https://www.theregister.com/2021/04/27/washington_dc_police_ransomware/ Read more “Following a Kill Chain – Defending against Babuk group’s TTPs” →

CTF

Server Message Block (SMB) Enumeration, Attack and Defence

Introduction

If you see a service with TCP port 445 open, then it is probably running SMB. SMB is used for file sharing services. You will also see it related to other protocols in its operation:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/06451bf2-578a-4b9d-94c0-8ce531bf14c4

Checklist

Here is a check list of common things to check:

Can you enumerate the server version?
Can you enumerate shares?
What versions of the protocol are enabled?
Can you connect using anon bind?
Are there any known vulnerabilities?
Can you enumerate usernames?
Is SMB signing enabled?
Are there other hosts in the subnet that can be used?

Defense

Business Email Compromise in Office 365

BEC

Business email compromise can be a prelude to a range of attacks but commonly it’s either Ransomware of Scammers. In this post we are focsing on scammer activity which uses a ‘man in the mailbox’ attack to get in between two parties in an email converstation with the aim of attempting theft by fradulently altering a wire transfer so that the third party sends funds to the scammers not to the victim. There are cleary other avenues that can be leveraged (the compromised mailbox may be used to phish or email malware to another victim).

Initial Access

To gain access to the mailbox a range of techniques can be employed which includes:

Credential stuffing
Phishing and credential harvesting
Malware

Once they have your logon credentials, they now will attempt to access your mailbox.

Avoiding Geo Location Alerts

A scammer may use a public VPN service (such as services from AVAST etc.) to move their internet connection the target mailbox region. They can usually locate a person through some OSINT.

By moving to the normal area of the user they are less likely to trip geo location alerts. Read more “Business Email Compromise in Office 365” →

Defense

Hardening Office 365 PowerShell Access

Only admins can use PowerShell, right? Wrong! In Office 365 and Azure AD standard users can connect using PowerShell.

In this quick post we are going to look at how to disable users from being able to read other users data using the MSOL cmdlets. (this also appears to limit AzureAD cmdlets access as well)

Disable MSOL Read Access

Run the following command as a global admin: Read more “Hardening Office 365 PowerShell Access” →

Guides

Becoming a Cyber Criminal (Pro) – Basic External Attacks

This is an experiment to combine a near real time thread on twitter and a blog… I have no idea if this will work. The premise is, we are conducting a adversary simulation against a target and want to see how this translates into a ‘plain language’ blog/story about how these things work. (I’ve also not included sales/scoping/documentaiton and clearly not all of this is in real time) but it is real!

The Fundamental Steps

Ok so first thing is first – the criminal part is a joke! We are here to help people. What we are going to do however is consider the general cyber threat landscape, look at the organisation from an ‘external threat actor’ perspective and then see what we can map out from an attack surface point of view.

CTF

Installing Subfinder on Windows

Subdomain Enumeration is a key part to security testing from an internet facing perspective. Today we are going to install Subfinder on a Windows Server.