Wednesday, January 31, 2018

Infosec quotes - Meltdown exploit

Jacob Williams says “... I predict that Meltdown is being actively exploited in the wild. It's trivial to leak kernel memory which likely contains sensitive data...”

Tuesday, January 30, 2018

Infosec quotes - patch Cisco vpn

Patch your Cisco VPN

@gossithedog says “... CVSS 10 unauthenticated remote code execution bug if you run VPN interface to internet with Cisco ASA (aka Cisco Anyconnect). It’s one of the bigger bugs...” 

Sunday, January 28, 2018

Infosec quotes - Eric Cole admin rights

Dr Eric Cole said “...users should never login as administrators and never have administrator rights for their systems...”

Infosec quotes - OneDrive sharing

Allowing unmanaged cloud file storage can lead to incidents like this one.

“... former employee of Emory Healthcare (EHC) has been found to have obtained the protected health information of 24,000 EHC patients and shared the data to a Microsoft Office 365 OneDrive account, from where it could possibly be downloaded by other people...”

Infosec quotes - Risks five years old

You should go beyond identifying risks. Outline remediation and mitigation plans for each risk found, and set goals and target dates for when they will be resolved. Some progress is better than no progress.

“... is still vulnerable to hackers — in part because gaps they identified five years ago remain...”

Infosec quotes - ceo to HR

Your HR team should be aware of these scams; they are very common nowadays.

“... someone pretending to be the CEO sent a staff member for employee W2s. The recipient responded, and gave it away, including employee names, Social Security numbers, where they live and how much they make....”

Saturday, January 27, 2018

Infosec quotes - admin rights or toast

@combat_penguin says “...Defenders, if you're not limiting user rights then you're toast...” 

Infosec quotes - google drive links

Links to Google Drive != safe.

“... The link appears to lead to a Google Drive account and even includes HTTPS and the word secure. Once the URL is clicked a malicious file labeled Lebalcopy.exe is downloaded...” 

Infosec quotes - applocker whitelist

SANS advisory board says “... Applocker is a great starting venture into whitelisting. Doubly important is running it in audit mode before going full production with it. You will miss things because two users will have a program you weren’t aware of and they only use it once every two months, and it’ll save your helpdesk a headache later....”

Infosec quotes - admin accounts

Avecto LinkedIn page says “With #cyberattacks now seeking out local administrators to gain access to the operating system, even a small number of admin accounts can open the door to a host of vulnerabilities.”

Friday, January 26, 2018

Infosec quotes - proactive steps should happen

@gossithedog says “... If you take almost any incident which made press, they have themes. Carphone Warehouse - 6 year old unpatched Wordpress with credit cards in database, no PCI etc. TalkTalk - webapp with SQLi vuln older than teenager who did it. Democratic party - phishing... NHS WannaCry - lack of patching, firewalls with any/any rules. Parliament email - single factor auth. Even the people moving laterally inside networks are largely off the shelf tools, e.g. psexec from Microsoft. Breaches, of course, happen. So should proactive steps...” 

Infosec quotes - here is the mop

@swiftonsecurity says “...Focus on patching, administration, and backups instead of Chinese PLA 0days. Your CFO’s executive assistant has Adobe Acrobat 9. Finance is using Firefox 3.6. There are hotel kiosks in Moldova more hardened than your domain controllers. Welcome to being an adult, here’s the mop...” 

Infosec quotes - make them sweat

@x0rz says “... Make sure your adversaries actually *deserve* to get your data - like it costs them to get it, they had to invest into it.
You can’t build a 100% secure corporate environment, at least make them sweat...” 

Infosec quotes - simple security steps

“...Organisations would be better served in spending time and resources in simple security steps such as backing up their data, ensuring appropriate access controls are in place, that systems are patched with the latest updates, and that effective anti-virus software is installed...”

Infosec quotes - YouTube miners

Cryptocurrency miners are even being served through YouTube ads now.

Infosec quotes - $530 million

When security fails, crazy things can happen.

“... According to major Japanese cryptocurrency exchange CoinCheck executives, more than $530 million worth of NEM has been stolen from the trading platform...”

Infosec quotes - hardcoded passwords

Developers: if you see a hardcoded password in your code, alert somebody and fix it. Then put checks in place to make sure it never happens again.

“... Among the glaring flaws cited: a hardcoded password. In the fingerprint scanner. To log into the computer...”

Infosec quotes - fake ads

"Crooks Created 28 Fake Ad Agencies to Disguise Massive Malvertising Campaign" 

Infosec quotes - bits parser

BITS (Background Intelligent Transfer Service) is roughly wget for Windows, and it leaves queue files behind on disk that record what was transferred. ANSSI researchers created a tool, bits_parser, to parse those remnant files.

Infosec quotes - internet accessible devices

Good example of why your team should engage IT when setting up any network-connected device. Vendors are often quite happy to make insecure installation decisions for these devices just to close the sale.

“... Part of the issue is that many of these systems are outside of the usual domain of IT departments...”

Thursday, January 25, 2018

Infosec quotes - binary vs code

@cigitalgem says

“... having binary is just as good as having source.  The myth that releasing source is somehow more dangerous is just that...a myth....”

Infosec quotes - data not protected

This is why it's important to secure and apply access control even to your internal file shares and productivity sites like SharePoint.

“...records were found in open view, unsecured and accessible to anyone in the residence, including persons who had no legitimate business reason to access the personal information ...”

Infosec quotes - more insecure buckets

Déjà vu: it's easy to misconfigure cloud storage, and it won't end well.

“... S3 Amazon bucket hosted at a publicly accessible domain was open for anybody to access ... several plain text API keys ... scripts for accessing HBO modules ...”

Infosec quotes - word docs

Yes opening a Microsoft Word document can lead to this...

“... downloads a Remote Access Trojan (RAT), which can log keystrokes, take screenshots, record audio and video from a webcam or microphone, and install and uninstall programs and manage files...”

Infosec quotes - fonts

If your browser says a font is missing, think twice before clicking. It could be a RAT (Remote Access Trojan).

Infosec quotes - iis http modules

Check the HttpModules registered on your Windows IIS web servers; a backdoor can be hidden there and will run inside the legitimate worker process.
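
An added example, not code from the original post: a PowerShell sweep that lists every native (global) and managed module IIS has registered and flags the ones worth a second look, i.e. native module DLLs that are unsigned, not signed by Microsoft or not under the Windows directory, and managed modules whose .NET type does not come from the usual Microsoft namespaces. It assumes the WebAdministration module that ships with IIS is available and that the script is run elevated on the web server itself; the namespace prefix list is an assumption you should tune to your own applications.

```powershell
# Added example: enumerate IIS HTTP modules and flag unexpected ones.
# Requires the WebAdministration module (installed with IIS); run elevated.
Import-Module WebAdministration

$findings = @()

# 1. Native (global) modules live in applicationHost.config and each points at a DLL.
foreach ($m in Get-WebGlobalModule) {
    $path = [Environment]::ExpandEnvironmentVariables($m.Image)
    if (-not (Test-Path -Path $path)) {
        $findings += "NATIVE  $($m.Name): image missing on disk ($path)"
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $inWindowsDir = $path -like "$env:SystemRoot\*"
    if ($sig.Status -ne 'Valid' -or -not $inWindowsDir -or $signer -notmatch 'Microsoft') {
        $findings += "NATIVE  $($m.Name): $path status=$($sig.Status) signer=$signer"
    }
}

# 2. Managed modules: <modules><add name=".." type=".." /> at server level and per site.
#    Site-level queries also return inherited entries, so the same module may show
#    up once per scope; that is expected.
$knownPrefixes = 'System.Web.', 'Microsoft.', 'System.ServiceModel.'   # assumption: tune per environment
$scopes = @('MACHINE/WEBROOT/APPHOST') + (Get-Website | ForEach-Object { "IIS:\Sites\$($_.Name)" })
foreach ($scope in $scopes) {
    $mods = Get-WebConfiguration -Filter '/system.webServer/modules/add' -PSPath $scope -ErrorAction SilentlyContinue
    foreach ($m in $mods) {
        if (-not $m.type) { continue }   # native modules have no type attribute here
        $known = $false
        foreach ($p in $knownPrefixes) { if ($m.type.StartsWith($p)) { $known = $true } }
        if (-not $known) {
            $findings += "MANAGED $($m.name) in $scope : type=$($m.type)"
        }
    }
}

if ($findings) { $findings | Sort-Object -Unique } else { 'No unexpected IIS modules found.' }
```

A managed module that points at a type in a custom assembly is not automatically malicious (plenty of line-of-business apps ship one), so treat the output as a review list: for each flagged type, find the assembly in the site's bin folder or the GAC and check who built it and when it appeared.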

Infosec quotes - social media

It is a risk to allow users to use social media while on a company asset.

“... Dark Caracal hackers do not rely on any zero-day exploits to distribute its malware; instead, it uses basic social engineering via posts on Facebook groups and WhatsApp messages,..”

Infosec quotes - Wordpress plugin security

The all-too-real and all-too-common WordPress plugin security problem.

“... developers, seeking to please their client, mess with a plugin and then either leave, or don’t want to tell the client it’s going to cost more each time WP and the plugin need updating. The site is now vulnerable...”

Infosec quotes - reinstall entire infrastructure

Could your company recover from this? Lessons learned include “take security seriously” and “practice your incident response plan”.

"...we basically found that we had to reinstall an entire infrastructure ... We had to install 4,000 new servers, 45,000 new PCs, 2,500 applications."

Wednesday, January 24, 2018

Infosec quotes - undermine security

"Obviously, allowing users to run as administrators would undermine any security policy or enforcement you have put in place. So we turn that off. Our users do not have administrator access to their devices." - @ncsc #cybersecurity #AdminRights 

Tuesday, January 23, 2018

Infosec quotes - lose your paycheck over a hack

“...So then they were reporting that there were several hundred thousand dollars potential of theft from the employees and from the company itself, that their bank accounts had been compromised ... Police say the vulnerability was a known issue and the company failed to install a security patch. That patch had been made available in October of 2017...”

Infosec quotes - baked in

“... security needs to be baked into the entire development process from the second you begin creating code, all the way through deployment and beyond...”

Infosec quotes - innovating faster

“... Criminals - increasingly organized and offering wide-ranging services on the dark web - are ultimately innovating faster than security defenses can keep up...”

Infosec quotes - cyber crime infancy

“... All indications are that cyber-crime is in its infancy, a phenomenon that will only intensify...”

Monday, January 22, 2018

Infosec quotes - miners

Bitcoin miners are more prevalent than anything else right now per @bad_packets and I agree.

“... JS/Coinminer is listed as @ESET's number one threat. The insanely high prevalence level is due to the ubiquity of #Coinhive and other #cryptojacking malware...”

Infosec quotes - gaming

Good example of why your org needs a policy against gaming on company assets, and why that policy needs to be monitored and enforced.

“... Video games are becoming a serious attack vector. They are 1) widespread 2) prone to bad vulnerabilities 3) bad at incident handling...” 

Themida packing

This sample on Hybrid Analysis

but if you open it in IDA or x32dbg it's very difficult to analyze; it appears to be packed in some manner.
When viewing the memory strings in Process Hacker while it's running, I saw this:

It says Themida, which, when I googled it, is described as:
“Software protectors were created to keep an attacker from directly inspecting or modifying a compiled application. A software protector is like a shield that keeps an application encrypted and protected against possible attacks.”

So the attacker is using this legitimate packing software to hide his code from us malware analysts.

Of course, I'm new at this so if you have any corrections or tips for me, let me know. Thanks!

A Malware analysis wiki

Sunday, January 21, 2018

Infosec quotes - disable it all

NO, business app vendor.  "Disable your firewall and antivirus and UAC" so that your sloppy code will work is NOT a solution!

Infosec quotes - the basics

“... It's not about buying the latest cool tech.  Security is about fundamentals, plain and simple...” says CISO of Lyft

Saturday, January 20, 2018

Infosec quotes - script kiddie botnet

Crazy that almost anybody can do this nowadays, with very little technical skill required.

“... Alex Bessell, 21 ... was convicted ... police raided his home and found that Bessell had seized remote control of at least 9,083 computers, without their owner's permission, to create a massive botnet...” 

Infosec quotes - remote portal

Having 2FA is important on remote portals!

“... gained access to hospital systems by logging in with a third-party vendor's credentials into the Hancock Hospital remote access portal...” 

Infosec quotes - let the business manage users

@lorettodave says “...Today, managers approve access requests, and IT implements them without knowing *why* a user needs access. The approach outlined here would help transfer risk ownership back to data/asset owners (and away from IT/InfoSec)...” 

Infosec quotes - termed employee access

How confident are you that your terminated employees’ accounts are actually disabled?

“... an ex-employee is suspected of viewing data of 52 New York students from Dec. 30 to Jan. 2...” 

Infosec quotes - PoS hunting

PoS businesses should find ways to hunt proactively and discover intrusions themselves instead of being told about them by card issuers.

“... Cybercriminals successfully install RAM-scraping malware onto one or more point-of-sale devices ... The breached business discovers the intrusion only after card issuers spot patterns of payment fraud that traced back to their organization...”

Infosec quotes - hacked by Wordpress

Should the WordPress admin page have been accessible to the world? Should there have been 2FA? Was the password guessable?

“... Cyberattackers used valid login details to access Carphone Warehouse's system through an out-of-date version of content platform Wordpress...” 

Infosec quotes - dotless IP

“... the PowerShell script connects to a dotless IP address (example: hxxp://3627732942) to download the final payload.
What is a Dotless IP Address? Referred to as a 'Decimal Address,' it is the decimal value of an IPv4 address... Almost all modern web browsers resolve a decimal IP address to its equivalent IPv4 address...” 
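
An added example, not from the original post or the quoted article: the arithmetic behind a dotless address in both directions, plus a regex pass over a few constructed proxy-log lines to flag URLs whose host is a bare number. It goes slightly beyond the quote by also catching the hexadecimal (0x...) host form, which browsers accept for the same reason they accept the decimal one. The log lines are made up for this example.

```powershell
# Added example: dotless (decimal) IPv4 addresses, and spotting them in logs.

function ConvertFrom-DotlessIPv4 {
    # A decimal address is the 32-bit value of the four octets in big-endian order:
    # a.b.c.d == a*2^24 + b*2^16 + c*2^8 + d
    param([Parameter(Mandatory)][int64]$Decimal)
    if ($Decimal -lt 0 -or $Decimal -gt 4294967295) { throw "Not a 32-bit value: $Decimal" }
    $octets = foreach ($shift in 24, 16, 8, 0) {
        ($Decimal -shr $shift) -band 0xFF
    }
    return ($octets -join '.')
}

function ConvertTo-DotlessIPv4 {
    param([Parameter(Mandatory)][string]$Dotted)
    $parts = $Dotted.Split('.')
    if ($parts.Count -ne 4) { throw "Not a dotted quad: $Dotted" }
    [int64]$value = 0
    foreach ($p in $parts) {
        $octet = [int]$p
        if ($octet -lt 0 -or $octet -gt 255) { throw "Octet out of range: $p" }
        $value = ($value * 256) + $octet
    }
    return $value
}

# The address from the quote above (hxxp:// is the defanged form of http://).
# 3627732942 = 216*2^24 + 58*2^16 + 207*2^8 + 206
ConvertFrom-DotlessIPv4 3627732942      # 216.58.207.206
ConvertTo-DotlessIPv4 '216.58.207.206'  # 3627732942

# Hunt for dotless hosts in proxy/URL logs. Legitimate sites essentially never
# use this form, so any hit deserves a look.
$constructedLog = @(   # constructed sample lines, not real traffic
    '2018-01-20 10:01:02 GET http://3627732942/payload.bin 200',
    '2018-01-20 10:01:05 GET https://www.example.com/index.html 200',
    '2018-01-20 10:02:11 GET http://0x7F000001/x 404'   # hex form is dotless too
)
$dotless = [regex]'(?i)https?://(?<hostpart>\d{1,10}|0x[0-9a-f]{1,8})(?=[/:\s]|$)'
foreach ($line in $constructedLog) {
    $m = $dotless.Match($line)
    if ($m.Success) {
        $hostPart = $m.Groups['hostpart'].Value
        $dec = if ($hostPart -like '0x*') { [Convert]::ToInt64($hostPart.Substring(2), 16) } else { [int64]$hostPart }
        '{0}  =>  {1}' -f $line, (ConvertFrom-DotlessIPv4 $dec)
    }
}
```

If your proxy logs the resolved destination IP alongside the URL, the simpler detection is a URL host that is not a name and not in dotted form; the conversion above is mostly useful for turning the hit into something you can look up in threat intel or block.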

Infosec quotes - termed

Your termed employee process is very important per @fouroctets

Infosec quotes - oneplus

“... OnePlus determined hackers had broken into its website server and installed malicious JavaScript code that would grab credit card data once it was entered...”

Friday, January 19, 2018

Infosec quotes - PUP

Good example of why you should take alerts for PUP, PUA, and Adware seriously at your org. Whitelist your software.

“... drops 2 password stealer components: WebBrowserPassView and Email Password-Recovery. Both of these components are actually legitimate password finding utilities from Nirsoft. Many Nirsoft products do get detected by antiviruses as potentially malicious or potentially unwanted programs...”

Infosec quotes - dust off IR plan

“... By dusting off that Incident Response plan and evolving to incident readiness and response, there’s a lot that business leaders can do to proactively mitigate cyber risk...”

Infosec quotes - detect and respond

“... cyber-attacks will happen, therefore we can no longer only focus on building walls but also become able to detect and respond to breaches quickly..”

Infosec quotes - endpoint logging

“.. roadblock lies in the fact that many organizations are diligent about recording the Windows Domain Controller logs, however, they do not store the logs coming from desktops and laptops ... to detect the lateral movement, a stitching is necessary between the Domain Controller logs and the endpoint logs...”

Infosec quotes - remove safety logic

“... Trisis was likely removing safety logic from the controller instead of simply crashing the system...”

Infosec quotes - Cnc whitelisting

“... the CnC server has implemented a domain whitelist and it allows the malware to be downloaded only by the IPs it sent the phishing campaign to. If someone tries to get the zip file connecting from other IPs, the site would return an empty XML page...”

Infosec quotes - pose as a utility

“... pose as utility (flashlight, QR code scanner, compass) and device performance-boosting apps (file transfer, cleaner), and more notably, social media video downloaders...”

Infosec quotes - chrome extensions

“... malicious extensions also impacted employees of major organizations, potentially allowing attackers to gain access to corporate networks...”

Infosec quotes - security focus

“...Until we collectively shift our focus to the information assets at risk and away from the noisiest vulnerabilities, we will continue to expose the most valuable data...”

Infosec quotes - threat Intel value

“...Threat intelligence should be looking at the thousands of threats and telling their employers which ones are most likely to be used against them. Instead, they usually act as megaphones replaying the global hype...”

Infosec quotes - mobile

"...Dark Caracal is part of a trend we've seen mounting over the past year whereby traditional advanced persistent threat actors are moving toward using mobile as a primary target platform...”

Infosec quotes - supply chain attacks

“... While internal IT and security departments might have strong security practices ... third-party collaborators might not adhere to the same culture. Consequently, programs for vetting vendors need to be in place before fully integrating them into internal infrastructures...”

Infosec quotes - malware scanning

“... The malware is capable of scanning and mapping an industrial network to provide reconnaissance and can also give hackers remote control over those systems, the advisory says...”

Infosec quotes - prioritize projects

Harry Poster says “When prioritizing security projects, have you considered that if your end users still have admin rights, controls you may choose to put in place first could be shut off? ”

Infosec quotes - mcafee creds

@malwrhunterteam says “It's still absolutely normal to find McAfee credentials in logs of skids' company victims...(In this case CVE-2017-11882 exploit was used to download Agent Tesla...)”

Infosec quotes - Oracle patching

@MalwareJake says “Quarterly patches is why I don't usually recommend VirtualBox for malware analysis. Oracle sucks at patching.”

Infosec quotes - report a phish

@nyxgeek says “If you fall for a phish, don’t lie about it. Everybody makes mistakes. Own it, report it.”

Infosec quotes - more Oracle

Oracle Database, eBusiness Suite, and more among the 237 security patches from Oracle

Infosec quotes - avecto

What's kept your organization from fully removing Local Admin Privileges? Cultural kickback? Legacy apps? Large Dev/Engineering teams? Here's an easy way to shatter those roadblocks:

Infosec quotes - win at security

Dr. Eric Cole says “If you want to win at security, always ask the following questions:
1) What is your critical data?
2) Where is it located?
3) Who has access to the information?
4) Who should have access to the information?”

Infosec quotes - culture culture culture

@gossithedog says “...  The full report is here, they got fined £400k ($540k) for having web shells on a 6 year old webapp built on 5 year old WordPress install hosting customer payment info in plain text ... It's critically important that if you're running InfoSec or IT in a company and you know if staff are seeing stuff like that you know SOMEBODY in the department will speak up ... Culture culture culture + everything else. ...”

Infosec quotes - fake form overlays

“... Once the DLL is properly injected to svchost.exe it starts to monitor the user's activity to see if they try to access Brazilian banks. Once a user visits the online banking sites, it will overlay the screen with a fake form that enables the attackers to retrieve the user's PIN codes...”

Infosec quotes - benign emails

“... they test the waters by sending out a benign email to someone at your organization who then clicks on the link inside of that email, this tells them that this is a good target who is asleep at the switch.... hackers set up a dummy site which they are absolutely monitoring to see who is clicking on it...”

Infosec quotes - impersonating

“... Process Doppelgänging  ... Impersonating legitimate process .... technique bypasses most popular Antivirus, NGFW and EDR solutions present in the market”

Infosec quotes - unprotected systems

“... Among the victims ... were many systems that were completely unprotected ... just because no one thought they had to be ... But in those cases, the attackers did not choose their targets; they infected everything they could. The damage was significant. Reinstalling operating systems on those noncritical machines was and continues to be a costly time-sink... Lesson 2: Protect all elements of your information infrastructure...”

Infosec quotes - dwell time

“... The latest research indicates that controlling the dwell time of malware and APTs is the key to dramatically reducing business impact. By accepting you will be breached and putting proactive hunt solutions in place you will be able to detect and neutralize threats before they can cause damage...”

Infosec quotes - fileless malware

“... Of those successful attacks, 77 percent involved fileless techniques designed to evade detection by abusing legitimate system tools or launching malicious code from memory...”

Infosec quotes - anti ad blockers

“... retaliate against adblockers by employing anti-adblockers which can detect and stop adblock users...”

Infosec quotes - support scam

“... rather than cold calling potential victims, most scammers use exploit kits and malvertising to give the victim the impression that there is a serious problem with their computer, after which they may call the phone number that is, conveniently, displayed on the screen...”

Infosec quotes - WiFi bitcoin miner

“... man-in-the-middle attack that involved redirecting all customers through his proxy by performing an ARP-spoofing attack, then injecting a single line of code into visited HTML pages that calls the cryptocurrency miner in the victim’s browser...”

Infosec quotes - User should not install

If you train your users that they should not install their own software but instead ask their IT support for it, then this type of attack is less likely to succeed.

“... The victims are made to believe that the only thing that they are downloading is authentic software from adobe .com. Unfortunately, nothing could be further from the truth...”

Infosec quotes - bitcoin miner threat

“... For end users, the threat of a coin miner infection may seem less impactful than, say, a banking Trojan, but perhaps that is only true in the short term. Not only can existing malware download additional payloads over the course of time, but the illicit gains from cryptomining contribute to financing the criminal ecosystem, costing billions of dollars in losses...”

Infosec quotes - Ask IT

One way to reduce risk at your company is to teach IT support that if a user asks to install or update software, the correct answer is to help them perform that action ... the answer is NOT to help the user submit a request for Admin rights.

Infosec quotes - back to security basics

“... Spending more time on maturing and measuring fundamental security controls might have helped prevent many of the breaches ... Equifax was compromised by a Web application vulnerability that had an available patch, which the company failed to employ. Too often companies underestimate basic security measures...”

Infosec quotes - Oracle bitcoin miner

Cryptocurrency-mining attackers are even going after your Oracle servers. Patching is important!

“... Enterprises that failed to install Oracle's critical WebLogic patch last October could find their PeopleSoft and cloud-based servers churning out cryptocurrency, a new discovery shows...”

Infosec quotes - Cisco ios

A PoC for CVE-2017-6736, the SNMP remote code execution bug in Cisco IOS. Patching is a good idea.

Infosec quotes - windows updates register

Per @gossithedog “... Microsoft have added the following text to their KB article to clarify that unless the AV compatibility registry key is set, Windows Update will not deliver January's *or all future* security updates...”

Infosec quotes - phish alert

“... Install a ... Phish Alert button in Outlook, so users can simply click on that, delete the email and forward it to your Incident Response team...”

Infosec quotes - word persistence

“... executes at the next start of the Word application which provides a great method of persistence...”


Infosec quotes - ROR

“... new metric: reduction of risk (ROR). This addresses the true function of incident response and security tools...”

Infosec quotes - lock down Powershell

A good reason for your IT team to lock down and harden PowerShell: enable logging, restrict its internet access, restrict who can run it, and so on.

“...A user receives a typical spam email ... clicks the link ... website then loads Flash which opens Windows PowerShell in memory ... PowerShell downloads and executes a script ... PowerShell locates and sends the user’s data to the attacker...”

Infosec quotes - encrypt thumb drive

Good example of why you should encrypt laptop hard drives and thumb drives, no exceptions!

“... A non-encrypted Penn Medicine laptop with personal information of about 1,000 patients was stolen on Nov. 30...”

Infosec quotes - network segmentation

Companies that don’t have the basics in place like network segmentation and patching should make those their top priority.

“... Kitchen said a problem for many companies is that their internal networks are not properly segmented, and lack firewalls, software updates and other precautions to safeguard computers ...”

Infosec quotes - cloud storage

Cloud file storage puts companies at risk.

“... former EHC physician ... uploaded PHI to a University of Arizona College of Medicine Microsoft Office 365 OneDrive account...”

Infosec quotes - Powershell meltdown

Microsoft released a PowerShell script (the SpeculationControl module) to verify whether systems are protected against Spectre/Meltdown.

Infosec quotes - nutanix cve

@secguru_otx says “... Nutanix has also released update packages to address CVE-2017-5715, 5753 and 5754. My advice is to update your Hypervisors and your Nutanix appliances as soon as possible...”

Infosec quotes - rename Powershell

“... PowerShell ... version 6.0 ... executable is changing names from powershell.exe to pwsh.exe...”

Infosec quotes - insider risk AV

Could an insider use your AV to collect all your sensitive documents? Apparently so.

Infosec quotes - meltdown register

Note from @gossithedog “...with Microsoft Meltdown patches - Customers will not receive these security updates and will not be protected from security vulnerabilities unless their anti-virus software vendor sets the following registry key...because certain AV hook the kernel in a bad way...”
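
An added example, not the blog's or Microsoft's code, that ties the two Meltdown items on this page together: it checks whether the AV-compatibility registry value is present so that Windows Update will offer the January 2018 patches at all, and then whether the kernel mitigations are actually active using the SpeculationControl module mentioned under “Powershell meltdown”. The key path and value name are the ones Microsoft published in KB4072699 (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, REG_DWORD cadca5fe-87d3-4b96-b7fb-a231484277cc = 0). It assumes the module is installed (Install-Module SpeculationControl) and that its output property names (KVAShadow*, BTI*) match the 1.0.x releases current at the time.

```powershell
# Added example: is this host eligible for, and protected by, the Meltdown/Spectre updates?
# Prerequisite: Install-Module SpeculationControl -Scope CurrentUser

# Key and value name as published by Microsoft in KB4072699; must be REG_DWORD 0.
$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-AvCompatKey {
    # Returns $true only if the value exists and is 0 (the documented gate value).
    $item = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$compatName -eq 0)
}

function Get-MeltdownSpectreStatus {
    Import-Module SpeculationControl -ErrorAction Stop
    $s = Get-SpeculationControlSettings   # also prints its own report to the host
    # Property names assumed to match SpeculationControl 1.0.x output.
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        AvCompatKeySet            = Test-AvCompatKey
        # CVE-2017-5754 (Meltdown): kernel VA shadowing
        MeltdownMitigationNeeded  = $s.KVAShadowRequired
        MeltdownMitigationEnabled = $s.KVAShadowWindowsSupportEnabled
        # CVE-2017-5715 (Spectre v2): branch target injection, needs microcode + OS support
        SpectreV2HardwareSupport  = $s.BTIHardwarePresent
        SpectreV2OsMitigationOn   = $s.BTIWindowsSupportEnabled
    }
}

$status = Get-MeltdownSpectreStatus
$status | Format-List

if (-not $status.AvCompatKeySet) {
    Write-Warning 'QualityCompat value missing: Windows Update will withhold the January 2018 and later security updates until the AV vendor (or you, after confirming AV compatibility) sets it.'
}
if ($status.MeltdownMitigationNeeded -and -not $status.MeltdownMitigationEnabled) {
    Write-Warning 'Meltdown (CVE-2017-5754) mitigation required but not enabled: install the OS update and reboot.'
}
if (-not $status.SpectreV2HardwareSupport) {
    Write-Warning 'No microcode support for Spectre v2 (CVE-2017-5715): the OS-side mitigation cannot be active until firmware is updated.'
}
```

The two checks fail for different reasons: a missing QualityCompat value means the patch was never offered (an AV or deployment problem), while a present value with KVAShadow not enabled means the patch is installed but the machine has not rebooted, or a known-compatibility registry override is disabling it. Keep both in your compliance reporting.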

Infosec quotes - chrome meltdown

The new CPU attacks (Spectre and Meltdown) also impact Chrome. Watch for the patch to come.

“... Chrome's JavaScript engine, V8, will include mitigations starting with Chrome 64, which will be released on or around January 23rd 2018...”

Infosec quotes - Firefox meltdown

The new CPU attacks (Spectre and Meltdown) you read about in the news can apparently be launched from browsers. Patch Firefox.

Infosec quotes - Powershell Security

Simple initial steps to securing PowerShell

Tip 1
Set up a host-based firewall rule to prevent PowerShell from accessing the internet/proxy; this will prevent a lot of common second-stage droppers and persistence.

Tip 2
Use AppLocker to prevent your general users from running powershell.exe. You can create a very permissive ruleset which allows admins, service accounts, etc. to run PowerShell while blocking your general user population from using it.

Credit: the SANS advisory board
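
The two tips above and the logging called for under “lock down Powershell” earlier on this page, as one script. This is an added example, not the SANS advisory board's or the blog's code. It assumes the local Administrators group (SID S-1-5-32-544) is the set of accounts that keeps PowerShell, that a transcript share \\logserver\pstranscripts$ exists (hypothetical name), and that the AppLocker rule collection is deployed in AuditOnly first and only switched to Enabled after the audit events have been reviewed, as the SANS note about audit mode recommends.

```powershell
# Added example: PowerShell logging + outbound block + AppLocker deny for non-admins.
# Run elevated on a workstation build; deploy via GPO in production.

$psDirs = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0"
)

# --- Logging: script block, module and transcription logging (the Group Policy keys) ---
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$pol\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$pol\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$pol\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$pol\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$pol\ModuleLogging\ModuleNames" -Name '*' -Value '*'
New-Item -Path "$pol\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$pol\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$pol\Transcription" -Name OutputDirectory -Value '\\logserver\pstranscripts$'  # assumed share

# --- Tip 1: stop powershell.exe / powershell_ise.exe from talking out at all ---
# Applies to every account on the box. A Block rule beats any Allow rule in Windows
# Firewall, so if some tooling must reach a management server, narrow the Block
# (e.g. -RemoteAddress Internet) instead of adding an Allow.
foreach ($dir in $psDirs) {
    foreach ($exe in 'powershell.exe', 'powershell_ise.exe') {
        New-NetFirewallRule -DisplayName "Block outbound $exe ($dir)" -Direction Outbound `
            -Program "$dir\$exe" -Action Block -Profile Any -RemoteAddress Any | Out-Null
    }
}

# --- Tip 2: AppLocker. Everyone may run Windows and Program Files EXCEPT the
#     PowerShell folders; those are allowed for Administrators only. Once an Exe
#     rule collection exists, anything not explicitly allowed is blocked, so this
#     is also the start of whitelisting, hence AuditOnly first. ---
$adminSid    = 'S-1-5-32-544'   # BUILTIN\Administrators (assumption: the group that keeps PowerShell)
$everyoneSid = 'S-1-1-0'
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: Windows folder (except PowerShell)" Description="" UserOrGroupSid="$everyoneSid" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\System32\WindowsPowerShell\v1.0\*" />
        <FilePathCondition Path="%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: Program Files" Description="" UserOrGroupSid="$everyoneSid" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: PowerShell (64-bit)" Description="" UserOrGroupSid="$adminSid" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\System32\WindowsPowerShell\v1.0\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: PowerShell (32-bit)" Description="" UserOrGroupSid="$adminSid" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = "$env:TEMP\applocker-powershell.xml"
$xml | Set-Content -Path $policyPath -Encoding UTF8

Set-Service -Name AppIDSvc -StartupType Automatic   # AppLocker does nothing without this service
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# Leave AuditOnly on for a few weeks, then review what WOULD have been blocked
# before changing EnforcementMode to "Enabled":
Get-AppLockerFileInformation -EventLog -EventType Audited |
    Group-Object -Property Path | Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```

Two caveats a practitioner will hit. The %WINDIR% allow rule covers user-writable folders such as %WINDIR%\Tasks and %WINDIR%\Temp, so add those as exceptions too before enforcing, or an attacker simply drops a copy of a binary there. And PowerShell 6 (pwsh.exe, noted further down this page) installs under Program Files rather than the paths above, so if it is present it needs its own exception and admin-only rule.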

Infosec quotes - security first

“... Businesses need to think security first...Whether that’s in designing new products and services, signing partnership agreements, in hiring new employees, or anything else...”

Infosec quotes - RODCs

“... Don’t add ‘Authenticated Users’ or ‘Domain Users’ to have their passwords cached on RODCs. If this is truly required, these RODCs should be viewed and protected in a similar manner to writable Domain Controllers...”

Infosec quotes - army philosophy

“... This philosophy will allow the Army to do iterative development within the technology space ... where solutions and capabilities are continuously changing...”

Infosec quotes - fake software updates

Let your IT staff install & update your software. If you get a popup or website that tells you to perform an update, don’t do it without first contacting your IT support. You may install malware instead.

“... fake update screens that appear  during the infection chain, inviting the user to open the downloaded file...”

Infosec quotes - web dev OWASP

If you are working with a web developer who is not familiar with the OWASP Top 10 and how to prevent those issues, consider pausing the project and writing no more code until proper security training has been completed.

Infosec quotes - weakest link

Remember that your network is only as secure as its weakest link. For example, don’t skip the security hardening of printers; it could end up costing you, as below, where a printer’s stored credential led to a host compromise.

“... printer was configured to scan and save documents to the single WORKGROUP computer on the network... captured a hash from the printer for my target host... able to crack it and access the machine...”

Infosec quotes - Russia phishing

Like it or not, attackers still choose email as the way into your company. Think before you click.

“... techniques have remained largely unchanged ... still relies heavily on the use of ... phishing emails to try and get targets to click on links that lead to malicious domains or to download malware...”

Infosec quotes - Oracle web logic

If you support Oracle WebLogic, you should have patched this one back in October.

@hkashfi says “... Oracle WebLogic ... CVE-2017-10271 & CVE-2017-3506…It's already being exploited in the wild....”