Tuesday, February 27, 2018

Infosec quotes - font not found

Don't click “font not found” pop ups or an attacker will gain Remote control of your pc.

“... #EITest campaign #HoeflerText popups sending #NetSupportManagerRAT - ...”


https://twitter.com/malware_traffic/status/967183321146019840

Infosec quotes - malware evolves

Malware is constantly evolving.

“... Over the past two years, the Hancitor malware family has been a fairly regular nuisance that defenders ... have to deal with on an almost weekly basis. The malware itself has gone through more than 80 variations during this time...”


https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/ 

Infosec quotes - rat using mcafee

“... #PlugX #RAT using McAfee VirusScan ActiveShield for DLL-sideloading...”


https://twitter.com/_ddoxer/status/968527948004413446 

Infosec quotes - fake updates lead to RaT

It's scarey when users are comfortable installing software without IT’s help.

“... #FakeFlash #FakeChrome update leads to NetSupport Manger #RAT ...”


https://twitter.com/broadanalysis/status/968509178070396928 

Infosec quotes - misconfigured apps

pancak3lullz says “...Threat Hunting in a nutshell: ‘WOW I THINK I FOUND SOMETHING FINALLY! ... wait jk, it's a misconfigured app’ 🙁”


https://twitter.com/pancak3lullz/status/968175337610858499 

Monday, February 26, 2018

Infosec quotes - Burger King S3 bucket

More open S3 buckets

Elliot Anderson says “...  Hi @BurgerKing, Your S3 bucket is open. You are leaking more than 1000 resumes...”


https://twitter.com/fs0c131y/status/967838198872371200 

Friday, February 23, 2018

Infosec quotes - no malware phishing

“... spoofed known contacts ... mimicked previous conversations ... created mail filters to ensure that communications were conducted only between the attacker and victim ... spoofed supervisor emails to get required approvals ... Without the use of any malware ...”

Thursday, February 22, 2018

Infosec quotes - la times world writable s3 bucket

“... LA Times is serving cryptomining, their S3 bucket with their JavaScript code was world writable...” said @gossithedog


https://twitter.com/gossithedog/status/966748041897299968 

Infosec quotes - Powershell risk

“...PowerShell, you can't live without it but its becoming increasingly common as an exploit entry point. 

Better controls are needed, being able to control the circumstances in which such tools can launch, from which applications, is a key defense...”

Said Ian Pitfield

Infosec quotes - RTF doc

“... Were all the systems in your network patched for CVE-2017-11882, CVE-2017-8759 and CVE-2017-0199? If the answer is NO, you are prone to be compromised with this Malicious RTF document...”


https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-document/ 

Infosec quotes - dns rebinding

“... DNS rebinding attack is when an adversary abuses DNS to trick a browser into not-enforcing a browser’s Same Origin Policy security...”


https://threatpost.com/utorrent-users-warned-of-remote-code-execution-vulnerability/130030/ 

Infosec quotes - wiper malware

This kinda malware could be devastating for a company.

“... responsible for destroying (wiping out) files on network shares, making infected machines irrecoverable, and propagating itself with the newly harvested credentials across compromised networks...”


https://www.lastline.com/labsblog/olympic-destroyer-south-korea/ 

Tuesday, February 20, 2018

Infosec quotes - av net benefit

“... AV is an imperfect solution in an imperfect world, but for almost all users, it provides a net benefit...”


https://twitter.com/martijn_grooten/status/965980776255885312 

Infosec quotes - normal usage admin accounts

"Accounts with full privilege across an enterprise (such as a domain admin, global admin, or cloud admin account) should not normally be used." 

Sunday, February 18, 2018

Infosec quotes - office as admin

You're flirting with disaster if you allow your users to check email and open office attachments with a local admin account.

“... Unfortunately a very high proportion of users do run office as an admin user...”


https://twitter.com/dvk01uk/status/965441413814145029 

Infosec quotes - ir playbook

“... Your IR playbook needs to be more than rebuilding machines ...”


https://twitter.com/vysecurity/status/965376791249604608 

Infosec quotes - re-image doesn’t solve

Re-image doesn't always solve your problems.

Incident responder: "The machine was infected with crimeware. We just had IT rebuild the system. End of story." Nation-state attacker: "We got our foothold and only lost a single host in the process."


https://twitter.com/mattifestation/status/965248744810676224 

Infosec quotes - HTA files are a risk

“... HTA's continue to be a vector for entry. 
Consider these mitigations.
1. Blocking application/hta at Proxy
2. Default file handler for .hta == notepad.exe 
...”


https://twitter.com/subtee/status/963529741834727424 

Saturday, February 17, 2018

Infosec quotes - antivirus alerts do not mean problem solved

Realize Antivirus alerts don't mean the problem solved. The Antivirus usually just detects a single remnant linked to a bigger problem.

@jepayneMSFT says “... WMI persistence often needs a post detection remediation step ... like rebuilding the WMI database. For attackers this is a great advantage, especially in less informed IT organizations who might think an AV pop up means 'problem solved.'..”


https://twitter.com/jepaynemsft/status/964572908973572096 

Infosec quotes - SAN traffic

“... Run iSCSI on an entirely segregated network ... This is best practice for any form of SAN traffic .... Segregate management and non-essentials services from end-user desktop networks ...”


https://www.pentestpartners.com/security-blog/an-interesting-route-to-domain-admin-iscsi/ 

Infosec quotes - container credentials

“... The private data was stored in containers provided by cloud provider Rackspace. The hacker found the key and credentials to those containers inside the Android app ... stored in plaintext, meaning the hacker could take them and gain access to the server...”

Friday, February 16, 2018

Infosec quotes - more amazon buckets

Deja Deja Dejavu

“... FedEx has exposed private information belonging to thousands of its customers. The data was hosted on a password-less Amazon S3 storage server....”


http://www.zdnet.com/article/unsecured-server-exposes-fedex-customer-records/

Thursday, February 15, 2018

Infosec quotes - proactive steps

“...If you rely on detection and response, you'll never be able to keep up. That is why proactive measures like removing admin rights, whitelisting, and isolating web content are essential to building a successful security posture...”


https://lnkd.in/dKhqDQV?

Infosec quotes - remove it admin

“...We often see companies embark on Least Privilege or Whitelisting projects but leave more complex users (IT, C-levels, mobile workers, developers) out of the project scope because it's too 'hard'... Remove admin rights, remove threats...” 

https://lnkd.in/dqXCqxG

Infosec quotes - admin lateral

This applies to more than just Petya!


“... if the user does not have admin rights, infection will not spread beyond the infected device. ... if has admin rights, it will spread laterally ...”

- Greg Kilcommons

Infosec quotes - SIEM rules

Just because you have 200 use cases turned on in your SIEM solution, does not mean they are actually configured to detect useful and actionable events.

Just because you have metrics of the number of use case events per day, doesn't mean those metrics are additionally useful.


If you don't have quality data and a quality plan, you don't have quality security.  #focusonthefundamentals

- Brandon Rizzo

Infosec quotes - remove admin rights

Overall, we learned the number of reported Microsoft vulnerabilities increased by 111% between 2013 and 2017. The biggest takeaway, these can all be mitigated with the removal of administrative rights. 

Infosec quotes - windows administrators

“... Granularly control which commands and tasks each IT administrator is permitted to execute based on role, to effectively segregate duties and reduce the risk....”



https://lp.cyberark.com/rs/cyberarksoftware/images/ca-endpoint-privilege-manager-ebook-21-10-16-final-en.pdf 

Infosec quotes - local admin Whitelist

“... it is recommended that organizations remove local administrative rights and control applications on Windows endpoints with whitelisting...”


https://www.cyberark.com/solutions/security-risk-management/windows-security/ 

Infosec quotes - audit firewall rules

Do you audit firewall rules?

“... login credentials for a massive national insurance claims database–was exposed due to an an open port on a NAS server....”


https://threatpost.com/insurance-customers-personal-data-exposed-due-to-misconfigured-nas-server/129834/ 

Infosec quotes - kitten pictures

“... Messaging apps are not only a useful tool for keeping in touch, but also an open window through which intruders are able to climb into our lives...”

Or into your company’s internal network if these types of apps are allowed.

“... Kitten picture turns into a miner or backdoor...”


https://www.kaspersky.com/blog/telegram-rlo-vulnerability/21164/ 

Infosec quotes - malicious apps

Orgs should be whitelisting and vetting apps on employees work phones.

“... malicious app is capable of remote command execution, can steal personal information...”


https://blog.malwarebytes.com/cybercrime/mobile/2018/02/mobile-menace-monday-first-kotlin-developed-malicious-app/ 

Infosec quotes - access control testing

Software development teams should include security and access control testing before every deployment.

“... agency made a technical change aimed at allowing tax agents to better help businesses ... made a mistake somewhere ... any one of their clients could have looked at data from any other of their clients...”


https://www.bostonglobe.com/business/2018/02/13/yikes-data-breach-mass-tax-agency-allowed-companies-peek-competitors-data/2yMkzh5EO1Pvv3h4Cn7OYK/story.html 

Wednesday, February 14, 2018

Infosec quotes - chat apps

Companies need to vet and inventory applications and shouldn't let users install at will.


“... websites offering Windows and Android chat applications ... have real chat features ... have backdoor routines and file-stealing behaviors ...”

Infosec quotes - remove admin rights

88% of all Critical vulnerabilities reported by Microsoft over the last five years would have been mitigated by removing admin rights.

Infosec quotes - 2FA everything

Yes you should be using 2FA inside your network also.

@thegrugq says “...Use 2FA inside yournetworks, it was one of the lessons learned for RSA after they got hit years ago for their seeds db...”




https://twitter.com/thegrugq/status/963559519560155136 

Infosec quotes - lotus notes vuln

1. Compile the following code (change the hardcoded stuff, like "limiteduser", paths etc.)

2. Place a malicious dll as c:\\a\\aaa.dll.

3. Execute the compiled executable. The dll is loaded in the SYSTEM process.


https://improsec.com/blog/ibm-advisory-4-6 

Infosec quotes - lateral movement

“... OlympicDestroyer uses its password stealer to dynamically update its list of credentials for lateral movement ... the new binary is then used to infect new targets...”



https://twitter.com/dangoodin001/status/963455454184595456 

Infosec quotes - Stages of an APT

Stages of an APT


https://azeria-labs.com/advanced-persistent-threat/ 


Tuesday, February 13, 2018

Monday, February 12, 2018

Infosec quotes - 100% Remote IR

@malwarejake said “... talked to someone who manages an almost 100% remote IR team for a fortune 100 incident response team. Said they moved to remote because they had to in order to fill positions...”


https://twitter.com/malwarejake/status/962876837381668870 

Infosec quotes. SCaDA

“... had some indirect connectivity to the Internet ... was wrongly used for browsing to a site with the malware ... spread to the internal network ... to several other servers...” 

Infosec quotes - SIM jacking

@josephfcox says “... SIM jacking—where someone redirects your calls/texts to another device—is a real problem that everyday users need to know about ... This is a norm now...”


https://motherboard.vice.com/en_us/article/j5bpg7/sim-hijacking-t-mobile-stories

Infosec quotes - vpn

“... every single IR I've worked on this year (2014), attackers maintained remote access to victim via VPN, not backdoors...”

Old but interesting comment by @ ryankaz42


https://twitter.com/ryankaz42/status/481898028299993088

Sunday, February 11, 2018

Infosec quotes - grammarly

Chrome extensions can be dangerous to a company.

“... Grammarly has fixed a security bug in its Chrome extension that inadvertently allowed access to a user's account -- including their private documents and data...”


http://www.zdnet.com/article/grammarly-flawed-chrome-extension-exposed-private-documents/

Friday, February 9, 2018

Infosec quotes - more w2 scams

Dejavu again. Keep your eyes open at all times.

“... someone impersonating a county official requested confidential employee information including W-2 forms compromising employee payroll information, social security numbers and filing addresses ... the information was sent ...”


https://www.scmagazine.com/waldo-county-maine-employee-data-breached-after-phishing-attack/article/743142/ 

Infosec quotes - HP iLO RCE

Patch your HP iLOs! A remote code execution exploit exists!

@pmnelson says “... Basically a master key for lateral movement across data centers. Time to patch those HP ProLiants...”


https://github.com/skelsec/CVE-2017-12542/blob/master/exploit_1.py 

Infosec quotes - http not secure

Upgrade all your sites to HTTPS or be prepared to field questions from your customers about why your site isn't secure.

@googlechrome says “... A secure web is here to stay! Chrome will mark all HTTP sites as Not secure in July 2018...”


https://twitter.com/googlechrome/status/961732373451653120 

Infosec quotes - remove java

If a user doesn’t need Java, remove it!

@jepayneMSFT said “... Java is a weak spot for many AVs and criminals don't have an issue using non-l33t languages if it gets the job done...”


https://twitter.com/jepaynemsft/status/962057519664254978 

Infosec quotes - log source monitoring

Good example of why it's smart to have a process in place to check your SIEM for critical log sources that have stopped sending logs. If your main firewall stops sending logs, somebody should notice.


“... a firewall did not come back online after the third-party server provider run a routine maintenance operation...The Bee’s database was exposed to the public internet for about two weeks...”

Infosec quotes - their breach is your breach

Vet your partners, because their breach can become your breach.


“... a sales partner's own system was compromised -- and this may have given an attacker these credentials...”

Thursday, February 8, 2018

Infosec quotes - cmdb counts

@jimiDFIR said

“...
CISO: How many windows hosts do we have?
AV Guy: 7864
Desktop Management: 6321
EDR Team: 6722
CMDB Team: 4848
SIEM Team: 9342
...”

@http_error_418said

“...
CISO: How many of them are Windows 2003?
AV: None
Desktop Management: None
EDR Team: None
CMDB Team: None
SIEM Team: Errrr, guys...
...”


https://twitter.com/jimidfir/status/961599326358253568 

Infosec quotes - admin rights dirty internet

“... 5 Things a System Administrator Should Never Do... # 5 Checking your email or surfing the web using your admin account...”

Note: This applies not only to say admins but also to any standard user that was granted local admin rights. If you ‘need’ those admin rights you need to stay away from the dirty internet.


https://www.titanhq.com/blog/5-things-a-system-administrator-should-never-do 

Infosec quotes - admin internet

@innismir said “... Browsing the Internet as a local admin? I also like to live life dangerously...”

Infosec quotes - sccm domain controller

@pyrotek3 says 

“... This is exactly why you don't manage Domain Controllers, Servers, and Workstations with the same SCCM service account. Escalate from workstation to DC and own the domain...”


https://twitter.com/pyrotek3/status/961423564565032962 

Wednesday, February 7, 2018

Infosec quotes - SCCm admin

@enigma0x3 says 

“... you can cause SCCM to send you the NTLMv2 hash of the domain service account used to install the SCCM agent. SCCM requires that this account have local admin on all endpoints it manages...”


https://twitter.com/enigma0x3/status/961394841581178881 

Infosec quotes - Russia defense

“... The Russian operation was part of a cyberespionage campaign to steal secrets from across the U.S. defense industry...”



https://apnews.com/cc616fa229da4d59b230d88cd52dda51 

Tuesday, February 6, 2018

Infosec quotes - rackspace phishing

Watch for phishing emails spoofing Rackspace 


https://twitter.com/malware_traffic/status/961047680876273669 

Infosec quotes - Microsoft compliance manager

@curi0usjack says  “... One of my favorite tools of all time: Microsoft Security Compliance Manager. MS's hardened security GPOs by OS/role. Need a secure GPO fast? This is the tool you need. Also free...”


https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Infosec quotes - video credit card skimmer install

Video of attacker installing Credit card slimmer at Aldi grocery store 


https://krebsonsecurity.com/2018/02/would-you-have-spotted-this-skimmer/ 

Infosec quotes - w2 phishing scams

Don't fall for this

“... email scheme pretends to be from company executives and requests personal information about employees, and uses the cover of tax season and W-2 filings to deceive people into sharing personal data...”


https://www.databreaches.net/pittsburgh-employees-notified-after-their-w-2-data-stolen-in-phishing-scheme/

Infosec quotes - amazon s3 bucket exposed

Dejavu 

- unsecured S3 bucket 
- password hashes
- critical internal files 
- production database backup
- poor Incident response


https://threatpost.com/leaky-amazon-s3-bucket-exposes-personal-data-of-12000-social-media-influencers/129810/ 

Infosec quotes - password managers

@mattblaze says “... Remember: even the worst password manager will make you more secure in practice than using the same password on multiple sites...”


https://twitter.com/mattblaze/status/960640467611324417 

Infosec quotes - System.Management.Automation.dll

Amanda R says “...To use PowerShell, a user can either use the command line interface provided by PowerShell.exe or reference the cached global assembly in C# source code. The GAC assembly name used in both cases is called System.Management.Automation.dll...”


https://arxiv.org/pdf/1709.07508.pdf 

Saturday, February 3, 2018

Infosec quotes - uninstall flash

@fouroctets says he found the patch to the latest flash 0day

Just uninstall it!!!


https://twitter.com/fouroctets/status/959787059325034496

Infosec quotes - adobe creative cloud miner

@noarfromspace says “... MacUpdate trojan/miner is downloading a miner from Adobe Creative Cloud servers...”


https://twitter.com/noarfromspace/status/959392650083254272 

Infosec quotes - flash 0day

Nick Carr says “Details on the latest Flash zero-day”

"Due to the publication of the vulnerability prior to patch availability, it is likely that additional criminal and nation state groups will attempt to exploit the vulnerability"


https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html 

Friday, February 2, 2018

Infosec quotes - as block gpo

@swiftonsecurity says “... you can enable adblocking for IE, Firefox, and Chrome with simple Group Policy...”




https://decentsecurity.com/enterprise/ 

Infosec quotes - Linux bitcoin miner

Linux bitcoin miner injection script (see here)

https://urlscan.io/result/94fab9ed-0ad3-4265-88de-b86ae5d6fe45/content/

hxxp://f4e8j36h8572a[.]com/robots.txt
md5 af8338f5e737d40139eece286cde9a76

https://www.virustotal.com/#/file/0de9cc886692cd7c7029de5334ae0bef1f0f32b141668eab0eb5db0a446d36a1/details


-kills other miners
-wget/curls files
-creates cron job
-enables hugepages

probably linked to weblogic vuln

Infosec quotes - chrome extension logging

Browser extensions are scarey because they can control any website you visit.

“... Chrome extensions have started embedding Yandex Metrica, which records user actions on all the sites they surf ... the script can log various details such as names, credit card numbers, CVV numbers, email addresses, and phone numbers...”


https://www.bleepingcomputer.com/news/security/first-malicious-chrome-extensions-detected-using-session-replay-scripts/

Thursday, February 1, 2018

Infosec quotes - microsegmentation is good

With breaches becoming commonplace Microsegmentation is one of the best ways to reduce risk by making it harder for attackers to move laterally.


“... Microsegmentation gives companies greater control over the growing amount of east-west or lateral communication that occurs between servers, bypassing perimeter-focused security tools. If breaches occur, microsegmentation limits potential lateral exploration of networks by hackers...”

Infosec quotes - firefox add-ons

Good reason to lock down firefox add-one at your company just like you whitelist your Desktop software.

“... A family of malicious Firefox addons have been discovered being pushed by sites pretending to be a manual update for Firefox...”


https://www.bleepingcomputer.com/news/security/psa-beware-of-sites-pretending-to-be-manual-firefox-updates/

Infosec quotes - no downtime no patch

A sad but common reality. Eventually orgs will have to adapt and find ways to lower risks while still becoming quicker and more agile.

“... Oracle issued updates for this issue earlier this month, but it will take months until the patch lands on affected POS systems. The reason is that POS systems are business critical systems, and sysadmins rarely schedule maintenance and update operations, fearing that an unstable patch might cause further downtime and financial losses to their companies...”

Infosec quotes - Siemens vulns

Does your company have a process in place to watch for and apply regular patches from vendors of non traditional systems like these ?


“... Vulnerability could be exploited by an attacker to bypass the authentication mechanism ... Vulnerability could be exploited by an authenticated attacker with a low-privileged account to escalate privileges and perform administrative operations ... Vulnerability could be exploited by an attacker to cause a DoS ...”

Infosec quotes - dns hijacking

“...There's a simple way to mitigate the threat of DNS hijacking attacks: don't allow arbitrary internal IP addresses on your enterprise network to send DNS queries to arbitrary IP addresses on the Internet...only a subset of your DNS servers actually query DNS servers on the Internet...”

Infosec quotes - keygen RAT

A good example of why keygens and license crackers aren't just an ethical dilemma for a company , they are straight up a Security risk. 

“...Hacker RAT Malware found in key generator for Burpsuite ...”

Infosec quotes - Wordpress plug-ins

If you don't include Wordpress plugins in your patching cycle it will eventually lead to your site getting hacked.


“... Breaking into an unpatched WordPress installation in under two minutes...”

Infosec quotes - internal password re-use

I think password re-use risks also apply to internal devices at companies too. If you set multiple servers, databases, devices , service accounts, etc to different accounts but the same password then you're simplifying the attackers life by making it trivial for them to laterally move across your network. Take that extra step and create unique passwords.

“... once fraudsters have managed to guess one password, they’ll have access to your entire online life...”


https://www.thinkmoney.co.uk/news-advice/using-the-same-password-for-multiple-accounts-could-cost-you-0-5849-0.htm

Infosec quotes - upgrade Powershell

Why upgrade Powershell? If nothing else just so your security team can see attacks happening !

“... PowerShell 2.0 ... provides very little evidence of attacker activity ... Microsoft has been taking steps to improve the security transparency of PowerShell in recent versions. The most significant improvements, such as enhanced logging, were released in PowerShell version 5.0 ...”


https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html 

Infosec quotes - Powershell unrestricted

“... The lowest Execution Policy is Unrestricted, which permits all scripts to run ... If you do choose the Unrestricted setting, and a script comes along and clobbers you ... be prepared to own up to your decision when you're explaining how a virus wiped out your environment...”


https://technet.microsoft.com/en-us/library/2008.01.powershell.aspx 

Infosec quotes - password vs encryption

Hard drive encryption is important. Don't  disable it. A password does not protect a hard drive that an attacker has physically stole. If he physically holds an unencrypted hard drive he can access its contents.

@gattaca said ““All the stolen $company laptops were password-protected, although not all were encrypted.” < *facepalm*”


https://twitter.com/gattaca/status/958853959099322369 

Infosec quotes - flash with active exploits

Patch your Flash player. Even if you don't normally rush to patch, this is a good example where you would want to rush and patch. Critical vuln being actively exploited.

“... allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild ... attacks leverage Office documents with embedded malicious Flash content distributed via email...”


https://helpx.adobe.com/security/products/flash-player/apsa18-01.html 

Infosec quotes - adaptive phishing

#phishing pages that change the look & feel based on your email address!

“... It grabs the favicon from the email address domain and re-uses it on the fake webpage. This is a simple but cool way to make the webpage more attractive....”


https://isc.sans.edu/forums/diary/23299/