Category: Threat Intel

Threat Intel

OPSEC is Hard: Are you even trying?

OPSEC is hard! Doing things that are covert is expensive and time consuming. Being invisible in today’s digital age is very hard. Operating covertly in plain sight it also hard.

Everything about this “stuff” is hard, except sometimes maybe it’s just viewed as “it’s hard and expensive” so why even bother, or conversely… maybe the objective can be “we want people to know it was us.”

Either way there’s some interesting reading if we look at “cyber” and “opsec”. For the minute I’ve just started to collect a list of links to articles which show some of the ways opsec failures have occurred in the past in relation to the GRU.

Read more “OPSEC is Hard: Are you even trying?”
Defense

CVE-2022-26809 – Critical Windows RPC Vulnerability

Vulnerability Information

RatingCritical
CVEcve-2022-26809
MITRECVE – CVE-2022-26809 (mitre.org)
CVSSCVSS:3.1 9.8
ImpactRemote Code Execution (RCE)
Exploit in the wildCurrently not observed
Difficulty to Exploit (if PoC available)Very Low
Network PositionTCP/IP Routable or Network Adjacent
Authentication Required to ExploitNo
AffectedWindows Client/Server OS
Typical Service PortsTCP 135,139,445
Vendor Patch AvailableYes
Exploitable in Default OOB (out of the box) configurationUnknown
Exploitable Client/ServerBelieved to be client and server side exploitable
Read more “CVE-2022-26809 – Critical Windows RPC Vulnerability”
Log4Shell Defense

Log4Shell exploitation and hunting on VMware Horizon (CVE-2021-44228)

TLDR

Go and run this on the connection servers:

https://github.com/mr-r3b00t/CVE-2021-44228

It’s crude so also look for the modified timestamps, recent unexpected blast service restarts and if you have process logging go and check for suspicious child processes over the period. Once you have checked, run a backup, then if they aren’t patched, patch the servers! (i know patching isn’t as simple as just patch!)

Read more “Log4Shell exploitation and hunting on VMware Horizon (CVE-2021-44228)”
Defense

Creating a honeypot for CVE-2021-41773 (Path Traversal and RCE)

A path traversal vulnerability and exploit just dropped in the wild for a specific version of Apache (Apache/2.4.49). This vulnerability allows an unauthenticated attacker to execute a path traversal attack (and now shown RCE if MOD_CGI is enabled) to read files outside of the virtual directory path bounds. This only affects a single version of Apache, there’s a fair few of these online, however it’s very unlikely all are vulnerable. The vulnerability requires specific permissions to be configured.

A screenshot of a video game

Description automatically generated with medium confidence

Read more “Creating a honeypot for CVE-2021-41773 (Path Traversal and RCE)”

Defense

Can Cyber Deception be used as a force for…

Scams, Disinformation & Supply Chain Compromise

Now this might come to a shock to some of you but I’m not actually (as my LinkedIn profile currently says) Tony Stark! I know, shocking but it’s true. Why I’m experimenting with this will hopefully be apparent after reading this post (although this isn’t an explanation specifically). What I’m looking at is how deception is used from a range of perspectives from marketing, cybercrime and how we can use deception in a positive way, to actively defend ourselves from the cyber criminals! Read more “Can Cyber Deception be used as a force for good?”

Defense

CVE-2021-22005 – vCenter RCE

Introduction

Protecting admin interfaces is a really good idea, network segmentation however is one thing that many organisations struggle with. Most networks are what we call flat. They may be carved up into VLANs but generally speaking, in a lot of networks if you are “inside” then you have full access across the TCP/IP space.

Now here we are talking about the internal attack surface, so a threat actor would need network routable access which should not be the case for things like vcenter interfaces from the internet, however it appears that’s not really exactly how the world works.

Let’s look in Shodan! Read more “CVE-2021-22005 – vCenter RCE”

A screenshot of a computer Description automatically generated with medium confidence Threat Intel

CVE-2021-38647 – Open Management Infrastructure (OMI) RCE – Linux…

Situation

Ok so the situation is as per usual a bit fluid, when this first dropped I was looking at this with a “azure” lense, however as time goes on it appears this likely also covers any Linux distro with the Azure/SCOM/OMS agents installed. This may change the profile of risk considerable, not only from a public facing attack surafce but highly likely from a lateral movement persspective. I’m going to keep updating this as more intel comes in. (sorry I’d be clearer if I had a clearer picture myself)

This week 4 vulnerabilities were disclosed which affect Azure virtual machines running the Open Management Infrastructure (OMI) agent (think PowerShell remoting). As above the scope seems to be slightly wider with regard to SCOM/AZURE and OMS/Sentinel etc. agents for Linux (I want to confirm all of this but for now it seems this is the position)

Essentially these vulnerabilities allow for both network-based remove code execution (RCE) and local privilege escalation (LPE).

  • There is evidence of exploitation in honeypots.
  • There is a public proof of concept available for the RCE.
  • The internet facing attack surface from a global perspective seems low based on the data in Shodan and Censys however I’m not convinced this is currently giving a clear picture.
    • So, check your azure networks, Vms and firewalls would be a sensible idea

Read more “CVE-2021-38647 – Open Management Infrastructure (OMI) RCE – Linux hosts”

Defense

Why are ransomware attacks so devastating? – Part 1

Introduction

“Ransomware is a major issue!”

Hang on maybe we need to re-phrase that:

“Weak security postures are a major issue!”

or perhaps.. why not both!

I’ve been working with digital technology management for over 20 years, I started out when I was a kid (literally) fixing people’s PCs in their offices, removing malware, improving configurations, writing batch file menus, and playing games. As time has gone on technology has shrunk and continually become more and more of our everyday lives.

Back in 2003 I responded internally to MSBlaster, an SMB worm that had a devastating effect for the time, by today’s standards it was child play, however I remember saying “it’s a good job it didn’t delete everything whilst it was here.” (Or something very similar. Post NACHI/Blaster my friends and I were talking about how worse it could get. Fast forward in time and it’s much worse. Yet when I look at networks, they don’t look very different to how they did back in the 2000s.

Despite a multi-billion-dollar cyber security industry, it seems daily that organisations are succumbing to “cyber-attacks” which commonly include ransomware. Why are they successful and why are they so impactful? Well, let’s take a look! Read more “Why are ransomware attacks so devastating? – Part 1”

Defense

Dumping Credentails with MIMIKATZ and Passing the Hash (PTH)

I kid you not, I forget the commands, so I thought, hey let’s write a small blog post on credential dumping and pass the hash.

To achieve this we need: Debug privileges on a single machine or we need access to a disk that does not have full disk encryption. We also need the password to be re-used.

Mimikatz

Ok for this demo I’m going to run with the out of the box release for Mimikatz on a domain joined windows PC with Defender disabled.

To gain system we launch mimikatz from an admin shell and run:

privilege::debug

token::elevate

Now we are SYSTEM we access a range of high privilege level areas. Read more “Dumping Credentails with MIMIKATZ and Passing the Hash (PTH)”

Defense

Ransomware Realities

Everything is much worse now, or is it? 

”The world is burning, the world is burning but then if you look around, it always has been…” 

Computer systems and security go together much like chalk and cheese! Probably sounds a bit odd but miniaturization, consumerization and mobility have put more technology out in the world than we can really comprehend, yet technology security is still dramatically overlooked by most organizations. 

The insane pace of change, the drive for faster, better, cheaper and the reality that it probably isn’t a stretch to say most people (and organizations) do not really understand what ‘secure’ or ‘hardened’ looks like.

Read more “Ransomware Realities”