Threat Intel

An evolution of threat actor

Motivation and a diverse network of people and capabilities can go a long way, then add in digital skills and winning steak… and you have: scattered spider!

There’s a big difference between zero day spraying the internet and planting webshells or copying someone’s open S3 bucket and say…. doxing staff, their families and attacking them and their assets in the real and digital worlds.

I think people won’t broadly grasp the effects that can be achieved (harm) when the adversary is motivated, dedicated, capable, resourced and has very little moral qualms.

There is no magic bullet to defend against an adversary like this, you need a whole of organisation defence (and to pursue even more than that!).

Read more “An evolution of threat actor”
Threat Intel

Defending Against Scattered Spider

Defending against different skilled threat classes is an important thing to consider when you are planning, designing and operating a business. I’ve used GROK (AI) to create an html page which has both information on the kill chains, but also looks at countermeasures. I’m experimenting lots with VIBE coding and LLM assisted content generation so hopefully this proves useful. I do feel it needs a more human touch added as well… but let’s see! life without experimentation would be dull would it not!

Read more “Defending Against Scattered Spider”
Education

Unravel the Mystery of Cyber Noir Detective: A Thrilling…

[This is why we need humans and not AI to write things!]

This is what an LLM said about my Cyber Noir game…. I think this is going to need me to write something! But that will come another day, today you can enjoy how humans are, not entirely replaced yet!

Enjoy! (perhaps just play the game!)

https://mr-r3b00t.github.io/cyber-detective

In the neon-drenched streets of Neon City, where high-tech crime and shadowy conspiracies collide, a new kind of detective story awaits. Cyber Noir Detective, an innovative choose-your-own-adventure game, invites players to step into the shoes of Riley Voss, a seasoned investigator tasked with thwarting a catastrophic cyber breach at NexCorp. This browser-based experience, crafted by cybersecurity experts at PwnDefend, blends immersive storytelling with subtle educational insights, making it a must-play for fans of interactive fiction, cyberpunk aesthetics, and digital security.

Read more “Unravel the Mystery of Cyber Noir Detective: A Thrilling Interactive Adventure”
Defence

Hunting for common Active Directory Domain Services Exploitations

Ok this morning I woke up really really early! I then went on a bit of a KQL thread on twitter, and then IRL work destroyed my plans to play in the lab. However I’m publishing this in its current state [use at own risk etc.] because I think it might help people! So let’s get to it:

These queries can help you identify 3 common active directory attack techniques from logs on a domain controller (this does not rely on ADCS logs etc.)

Read more “Hunting for common Active Directory Domain Services Exploitations”
Leadership

OMG The Cyber SKY is falling down!

Ok a bit dramatic, but that’s often what you might feel if you spend lots of time in the vulnerability space (which if you work in cyber security.. you probably do!). We often hear about the NEXT: STUXNET, HEARTBLEED, WANNACRY/ETERNAL BLUE, LOG4J etc. but actually when it comes to it… the number of times we have word endangering unauthenticated remote code execution that is a danger to global society is far less than when we have other vulnerabilities. It’s the exception not the rule.

Read more “OMG The Cyber SKY is falling down!”
Defence

A threat actor is inside your perimeter… what routes…

Ok that subject is massive…so this is a bit more of a targeted thought process to consider.

Each network is unique and technology deployments vary. One time I was in a network that was almost entirely Apple MacBooks and a door control panel…. which was ‘fun’.

So this is a general list of some things to consider if you have tech deployed such as:

  • Active Directory
  • Printers
  • SCCM
  • MSSQL
Read more “A threat actor is inside your perimeter… what routes are there for attacks?”
Defence

What are the top Active Directory Security vulnerabilities I…

Ok so here’s the thing, I do NOT like getting pwn3d! I think you probably would rather your organisation does not too!

What I really don’t want to occur is a ransomware event! They suck, they are like a digital bomb going off.

So I’ve knocked up a quick list to get people thinking (these are NOT all the vulnerabilities I networks you should care about.. but they are some that could lead to a ransomware event!)

Read more “What are the top Active Directory Security vulnerabilities I care about?”
CTI Investigation Demo Threat Intel

Threat Analysis Tools

I’ve not blogged in a while, but I wanted to put down a note of some useful tools people can use to help them combat cyber crime.

This isn’t going to be an in depth look at each tool, however I do want to, in the near future, try and do some demos/videos etc. of how to investigate potential/suspected or identified threats. I’ll drop a list of some of the useful tools below and also do a quick demo of investigating an event (from this blog)

Read more “Threat Analysis Tools”
Education

Cyber Tips for Normies (without the FUD)

The Cyber Threat landscape in 2023

The digital world is complex and cyber threats appear to be around every corner. What we need to do however is look at how we can enable people and keep them safe from common (realistic) threats that they will almost certainly face (rather than saying everything is a risk!), The intent of this post is to tackle key common threats, risks and vulnerabilities (and countermeasures). It is high level, it is a generic and general, it is not a bespoke tailored guide for each person. It does not cover every single risk scenario someone may face, it simply looks at what I think people may want to focus on (given what I see). (I’m having to caveat this loads to try and stop the tin foil hat loonies making a scene about edge cases I haven’t covered)

Read more “Cyber Tips for Normies (without the FUD)”
Threat Intel

Cisco IOS XE Incident Update

Update 30-10-2023 (fast publish)

This is a fast publish. Based on honeypot data from @SI_FalconTeam we can make some analysis:

  1. The webshell has an authorisation header is 40 characters long. (it is unknown how this was generated)
  2. The user agent in the sample: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
  3. The source IP: 192.3.101.11
  4. The stages:
    1. Check for webshell
    • If not in place:
      1. Bypass Authentication (CVE-2023-20198
      )
      1. Create a local LEVEL 15 User AccountSet IP HTTP/HTTPS SERVER and Enable Local Authentication (AAA)Use this account to conduct a device inventory.
    • Inventory the System
    • Kill the created Level 15 account

In the lab we have attacked HTTP and HTTPS and have been able to get AUTH bypass. (thanks @leak_ix)

Read more “Cisco IOS XE Incident Update”
Copyright (c) Xservus Limited