Ransomware + Mega = Mega Cyber Pain

Did you ever read about ransomware actors? They often use mega upload to exfiltrate data! So I figured, why would we not detect this with MDE?

I mean sure we should probably block this with a custom indicator using Web Content Filtering and sure it would probably get blocked by Protective DNS but let’s say for whatever reason you don’t have those in place, let’s look at a really simple query to find mega connections in MDE:

Defence

Planning to defend and respond to cyber threats

Everyone has a plan until they are cyber punched in the face! Or something like that!

People seem to have this misconception that you need to “do a pentest” or some other project based activity to do “security testing” or response planning.

Let’s be real here, you really don’t. But what you do need is a few things:

Authorisation
Time
Some ideas for cyber incidents to plan for

CTF

Using CTFs for offensive and defensive training – Purple…

Pwning a legacy server on Hack the Box is good for a training exercise however what about if we want to think about how to use resrouces for red and blue. Looking at both sides of the coin when thinking about offense really should help people undesrand how to defend better. In the end of the day outside of a tiny tiny fraction of deployment types, you are going to need to be able to explain how to defend regardless of engagement type (vulnerability assessment, penetration test, purple team, red team etc.)

Getting access

I’m not going to talk through every step but here’s the commands you would need to run:

Education

PWNDEFND: Known Exploitable Vulnerabilities (KEV) – AKA: Offensive KEV

There’s thousand of vulnerabilities, but do you ever struggle work out what ones might actually be useful to you if you are defending or attacking?

Well don’t worry I’ve started to document some things that might help you both attack and defend in CYBERSPACE!

Education

Learn to SOC: Cryptominer Analysis

I’m totally in the middle of doing some work but this alert just came in so I have quickly dumped the data:

This came in via a Confluence exploit (not sure which CVE yet). I’ve not got time to analyse but thought I’d share this as an educational excercise for people! It’s a good excercise to see the apache tomcat logs and then decode, obtain samples and analyse the activity/imapct (as well as yoink IOCs etc.)

Leadership

The problem with gatekeeping in the cyber security industry

Stark Realities

Imagine having an industry where you can’t be in it without already being an expert in all fields, imagine having to be able to command policy and drive strategy but not having anyone having ever helped you learn how to do this, imagine that if you did all the activities involved with secure service and yet people say you aren’t part of the industry because your job title doesn’t have the word “security” in it and imagine if that you are told you aren’t part of the cyber security industry because you also have to worry about budgets, sales, marketing, new business initiatives, IT services and well anything else!

What would happen if we had this as our cyber security industry principles… well that’s simple?

Leadership

There’s never any time – A mRr3b00t Adventure

Introduction

I’ve been working with technology and its security for a while, I have travelled to different parts of the world, I’ve worked with major organisations, and I’ve worked with a whole range of organisations both from strategic advisory and at the coal face perspective. Now over the last twenty years I thought about how much has changed… and honestly, I don’t think much has.

Technology innovation, miniaturisation and adoption rates are through the roof, but I still see massively similar patterns. I’m not going to try and quote statistics, but I think it’s a fair to say the threat landscape has changed somewhat (for the worse!)

Back in the 2000s era we had networks running Windows 2000 and Windows Server 2000/2003, we had clients with open services which could largely be accessed from anywhere on the network. We had host-based firewalls from third party vendors, but these were rarely implemented, MSBlaster and Windows XP changed this dynamic somewhat, to say things haven’t improved on one front would be a lie, however the level of crime and access to technology globally has changed massively. Read more “There’s never any time – A mRr3b00t Adventure” →

Breach

Following a Kill Chain – Defending against Babuk group’s…

Washington Police Department Pwn3d by Ransomware Group Babuk

So it’s all over the news outlets, a police department (Washington DC PD) has been hit by a ransomware syndicate, Babuk. So firstly, let’s be realistic everyone can get pwn3d and at this time our thoughts go out to those affected and to the teams working the response. Being hit by ransomware is NOT fun and not something we would wish upon anyone. That being said this isn’t an ambulance chase, what I want to do hear is look at the TTPs from Babuk in a bit more detail so hopefully we can help inform and educate people so they can strengthen their security postures.

References

https://news.sky.com/story/russian-hackers-target-washington-dc-police-department-in-apparent-ransomware-attack-12288183

https://www.theregister.com/2021/04/27/washington_dc_police_ransomware/ Read more “Following a Kill Chain – Defending against Babuk group’s TTPs” →

Guides

Becoming a Cyber Criminal (Pro) – Basic External Attacks

This is an experiment to combine a near real time thread on twitter and a blog… I have no idea if this will work. The premise is, we are conducting a adversary simulation against a target and want to see how this translates into a ‘plain language’ blog/story about how these things work. (I’ve also not included sales/scoping/documentaiton and clearly not all of this is in real time) but it is real!

The Fundamental Steps

Ok so first thing is first – the criminal part is a joke! We are here to help people. What we are going to do however is consider the general cyber threat landscape, look at the organisation from an ‘external threat actor’ perspective and then see what we can map out from an attack surface point of view.

Defense

Endpoint Security – The Essentials

It’s called essentials it’s not called advanced!

Have you ever wondered what the absolute minimum you should do is to protect against cyber criminals? I’ll be honest I haven’t, that minimalistic approach to be seems kind of risky… BUT the world is not me and if you want to achive greatness you need a good foundation! So the essentials are good to know.