Threat Modelling 101

What is a threat?

https://csrc.nist.gov/glossary/term/threat

According to those clever people at NIST it is:

“Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.” Read more “Threat Modelling 101”

Combating Cyber Crime: Should we really be charging to…

Sensational Press or Cyber War Mongering?

I do not know Mr Martin, but I would assume that his role at NCSC and GCHQ would have given him a good insight into the realities of cybercrime, cyber terrorism, nation state affairs and how to effectively defend against cyber criminals (and other threat actors) so please read this blog as it is intended, it’s an analysis on the quoted statements and reporting style and general view of mine about current cyber war rhetoric, not an analysis of the person. Why am I writing this? Well, I am seeing an increased level of FUD, snake oil and cyber war rhetoric and I wanted to share some of my thoughts, opinions, and ideas in this space. For it is far too easy to call for war and in cyberspace do we even know what that means? Read more “Combating Cyber Crime: Should we really be charging to cyber war?”

Extortion and Ransomware – A lethal Combination

A Brief History of Ransomware

Ransomware is not that new, I remember back during the msblaster incident I said to a friend, it is a good job whoever wrote this worm was not evil because they would have simply encrypted or deleted all the data post infection. Hell, I can barely remember when that was, I think it was late 2003. Ransomware has been around since the 1980s but not quite in its modern form (it started with the AIDS malware scam). Fast forward to the mid 2000’s and criminals were using encryption but that wasn’t a norm and things only really started to take a bad turn around 2012/2013 with Cryptolocker. The next major global events were WannaCry, NotPetya and Badrabbit. Read more “Extortion and Ransomware – A lethal Combination”

17 Remote Code Execution Vulnerabilities in this month’s patch…

Windows DNS Server

This is really a major issues for Active Directory Domain Controllers.
CVE-2020-1350 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

We can see there are 2,133 servers on Shodan that are exposed however this exploit doesn’t rely on exposure, a client request from inside the network to a malicious DNS server could be used to exploit the domain controller. Read more “17 Remote Code Execution Vulnerabilities in this month’s patch Tuesday release!”

Perimeter Security Vendor Hell – Unauthenticated RCE’s and other…

Disclaimer

If your can’t take an honest view on real challegnes we face you probably want to click the back button now!
The three laws of IT apply:

  • Software has bugs
  • Hardware breaks
  • Humans Make Mistakes

It doens’t mean however we shoulnd’t strive to do better! so now that’s out of the way here’s a fast blog on shit you should care about and patch (if you haven’t already!)

Also please note these are not ALL the vulnerabilities you should care about, just some choice ones that are enough to make you cry!

Introduction

“Don’t worry, we’ve got that behind a firewall or VPN!” is something I’ve heard a lot over the years, which to be honest is starting to look more and more worrying. Think that’s just me giving my opinion? Well think again, here we have collated SOME of the vulnerabilities in security products which if unpatched/mitigated really leave you. well quite insecure!

Read more “Perimeter Security Vendor Hell – Unauthenticated RCE’s and other crazy you didn’t want in your security devices!”

Configuring SYSLOG integration with F5 BIG-IP

CVE-2020-5902 Defensive Guidance (FAST publish)

This week’s been a whirlwind, once again teams of people scrambled to help defend networks from criminals trying to abuse CVE-2020-5902.

If you want to see this in action check out my video on youtube!

The main issue (other than the vulnerability itself (path traversal and unauthenticated remote code execution) is exposing management interfaces to the internet (or other insecure/untrusted networks). Yesterday we looked at IOCs in the “/var/log/audit” file.

Now a sensible attacker who has ROOT level access would have likely cleared their tracks! However, a good sysadmin would have the logs shipped off the device!

Read more “Configuring SYSLOG integration with F5 BIG-IP”

Hunting a breach… CVE-2020-5902

I’ve spent the last 24 hours (including a sleeps) gathering intel, testing in the lab and looking at what the path traversal and RCE for the F5 BIG-IP as outlined in CVE-2020-5902 looks like.
Well I’ll be honest.. the whole scenario is a bit of a bloody mess! We’ve got people leaving management interfaces exposed to the internet, we’ve got a vulnerability that’s incredibly old in a security appliance (it’s not exactly uber 1337 either) and we’ve had the release scenario that’s probably ruined peoples weekends and weeks (I’m not going into an Offensive Securitry Tools debate/argument, if you want that go talk to a brick wall or someone else!)

Read more “Hunting a breach… CVE-2020-5902”

KB4551762 (CVE-2020-0796)

A recent information disclosure by Microsoft revealed there is a remote code execution vulneability in the SMB3 services (client and server). This vulnerability could be leveraged in a simmilar manner to MSBLASTER/NACHI/WannaCry etc.

This is a CRITICAL vulnerability, yet currently there are no reports of this being exploite in the wild (epect that the change in the near future)

Read more “KB4551762 (CVE-2020-0796)”

Ransomware from an RDP Vector

Internet facing exposed RDP services with a weak securiy configuraiton are never a good idea. In our latest video Matthew Haynes and Daniel Card take a look at the RDP threat lanscape and then following up with a lab demo of a simple RDP brute force attack.

You can see the video here on our youtube channel! Remember to like and subscribe! Stay safe!

RDP Threat Intel Video


CVE-2019-0708 – BlueKeep

‘Wormable’

When a post starts like this:

“On May 14, Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. In our previous blog post on this topic we warned that the vulnerability is ‘wormable’, and that future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.” – https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/

“Microsoft is confident that an exploit exists for this vulnerability” Read more “CVE-2019-0708 – BlueKeep”

Copyright (c) Xservus Limited