••• All important news related to new attacks, and the solutions we can offer you •••
6 Questions Attackers Ask Before Choosing an Asset to Exploit
Original Article from ThreatPost.com
In the past decade or so, we’ve seen a massive shift toward the cloud. The COVID-19 pandemic and associated pivot to remote work has only accelerated this cloud trend, forcing blue-teamers to be more agile to protect their attack surfaces. While defenders are adapting to support cloud-based environments, attacks against cloud systems have increased by 250 percent in the last year.
More assets in the cloud create challenges for defenders, but it’s wrong to assume that this makes things easier for an adversary. Attackers don’t have time to look at every asset in depth — and the number of assets can run into the tens of thousands for a large enterprise. Just as there are demands on security teams, adversaries have constraints: their time has a cost, they must operate within limited budgets, and their technical capabilities have an upper bound.
As a person who’s been hired by hundreds of CISOs to test their defenses with a red-team engagement, I’m well aware that defenders are buried in security alerts, struggling to find the right signals among the noise. These teams have dozens of security applications, checklists and a pile of processes to execute defensive strategies. Yet a massive gap exists between how a blue-teamer defends and how an attacker attacks. Understanding the opponent — the hacker’s logic — is a solid first step to decoding the signals that matter and closing that gap. From the attacker’s perspective, evaluating which assets on an attack surface to go after and exploit begins with answering six questions. If this logic is applied in the enterprise, its security strategy will shift, leading to more efficiency and lower risk.
- What useful information can I see about a target from the outside? (Enumerability)
Every target in an attack surface has a story to tell, some in more detail than others. Ultimately, the more information an attacker can gather about a piece of technology in use (or about a person in an organization), the more confidently they can plan the next phase of an attack and move into a network. This unraveling of details about a target is what enumerability describes — how finely an attacker can profile a target from the outside. For example, depending on the service and its deployment, a web-server target could report anything from no server identifier to the specific server name — “Apache” — or the exact version, “Apache 2.4.33.” If attackers can see the exact version of a service in use and its configuration, they can run precise exploits and attacks, maximizing their chances of success and minimizing the odds of detection.
- How valuable is this asset to the adversary? (Criticality)
Every step a hacker takes is effort, time, money and risk. It’s better to knock on doors that lead somewhere than to fumble at targets randomly. Some targets are just more likely to lead somewhere than others because their very purpose makes them a juicy target. Attackers assess criticality before acting, in order to focus their efforts on targets that are likely to lead them closer to their objectives. Security appliances like VPNs and firewalls, or remote-support solutions on the perimeter, are proverbial keys to the kingdom — compromising one can open a path to the network, and to credentials that would allow for greater network access. Likewise, credential stores and authentication systems can give the attacker more credentials if compromised. Attackers seek tools that provide the best positioning and access. Exposed assets that don’t protect, and won’t lead to, critical data or access are just less valuable to hackers.
- Is the asset known to be exploitable? (Weakness)
Contrary to popular belief, a high-severity CVSS score on the CVE list doesn’t automatically mean a target is of great interest to an attacker. There have been many “critical, wormable, world-ending, fire-and-brimstone” vulnerabilities that weren’t actually exploitable. Even more bugs are exploitable, but only in very specific circumstances. Some may be perfectly exploitable in theory, but nobody has actually done the work to do it. Attackers must consider the cost and likelihood of actually pwning an asset. If a useful proof-of-concept (PoC) exists, that is a good indicator. If there’s lots of research and analysis about a specific vulnerability, exploitation might not be a question; it might just be work. Time is money, and exploits take time, so a hacker has to consider the tools available in public, the tools they can afford to build or the tools they could buy (think Canvas or Zerodium). For a specific asset, in certain cases, adversaries buy previously built exploits. This happens a lot more than many realize.
- How hospitable will this asset be if I pwn it? (Post-exploitation potential)
An attacker’s definition of a “hospitable environment” is one that makes it possible to live in and travel through undetected. This is an asset where malware and pivoting tools work and where few defenses exist. It is a target that blue teams simply cannot install any defenses on, so the attacker knows they can operate with little worry of being detected. Any technology that is sufficiently protected and monitored — like endpoints — is not hospitable. Desktop phones, VPN appliances and other unprotected hardware devices that are physically plugged into the network and have familiar execution environments make a great host. Many appliances are built on Linux and come with a complete userspace and familiar tools pre-installed, making them a target with high post-exploitation potential.
- How long will it take to develop an exploit? (Research potential)
Knowing you’d like to attack a particular target, and actually having some exploit or technique to do so, aren’t the same thing. When looking at a particular target, a hacker has to assess how likely they are to succeed in developing a new exploit, and at what cost. Vulnerability research (VR) isn’t just for finding stuff to patch. Hackers do VR on targets because they want to exploit them. The cost of that research, along with the cost of testing and polishing any resulting tools, is part of assessing whether a target is worth attacking. Well-documented, well-researched or open-source tools that can easily be obtained and tested are easier targets. Expensive and esoteric platforms (usually hardware like VoIP systems or those absurdly expensive security appliances) call for special skills and resources to attack (even though they’re attractive because of the value of the data stored and the level of access granted). Any barriers to entry limit adversaries’ incentives to target specific platforms, tools or services.
- Is there repeatable ROI developing an exploit? (Applicability)
One of the biggest shifts from defender mindset to hacker logic is understanding attackers’ business models. Attackers invest time, research and human capital creating exploits and building tools. They want the highest possible ROI. Your organization is most likely one of many a hacker is interested in, because your adversary wants to spread their costs over many victims at once. Attackers assess applicability to understand the potential to create and use an exploit beyond a single instance. With limited resources, attackers create exploits for widely-used technologies that create high earning potential across multiple targets. Remember when Macs were seen as unhackable? At the time, Microsoft had more market share, so exploiting Windows was more profitable. As Windows becomes a harder target, and Macs proliferate in the enterprise, that changes. Likewise, iOS vulnerabilities were far more expensive than Android bugs. But market forces are driving iOS vulnerabilities to be more common and less expensive (relatively).
Attackers don’t look at the severity of a bug and decide what to attack. There are many more components in planning an individual action, never mind the long strings of actions that make up an attack. Attackers have to manage resources while trying to achieve their objective or, indeed, operate their business. This idea that adversaries make tradeoffs too is one defenders should take to heart. In defending a business, it’s not possible to protect everything, everywhere, from all adversaries, all the time. Compromise is inevitable. The name of the game in risk management is placing defensive bets in the best ways possible to optimize a business outcome. Thinking more like an attacker can shape prioritization and highlight the assets that are both valuable and tempting to adversaries, making it possible for businesses to decide, sometimes, that the cost of truly hardening a target just isn’t worth the benefit.
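As an added illustration of the enumerability question above (my example, not code from the ThreatPost article), here is a small Python check a defender can run against their own HTTP responses to score how much a banner gives away, from no identifier through product name to exact version. The sample responses are constructed, not captured from any real host.

```python
import re
from typing import Dict, List, Tuple

# Headers that commonly hand product and version details to an outside observer.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# A product token followed by a dotted version, e.g. "Apache/2.4.33" or "Apache 2.4.33".
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)[/ ](\d+(?:\.\d+)+)")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def enumerability(headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score what the banner gives away: 0 = no product identifier,
    1 = product name only, 2 = exact version. Also returns the findings."""
    score, findings = 0, []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        match = VERSION_RE.search(value)
        if match:
            score = 2
            findings.append(f"{name} reveals {match.group(1)} {match.group(2)}")
        else:
            score = max(score, 1)
            findings.append(f"{name} reveals product '{value}'")
    return score, findings


# Constructed sample responses, not captured from any real host.
SAMPLES = {
    "hardened": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "product_only": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>",
    "versioned": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.33 (Unix)\r\n"
                 "X-Powered-By: PHP/7.4.3\r\n\r\n<html>",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, enumerability(parse_headers(raw)))
```

A score of 2 on your own perimeter is the cheapest finding to fix: most servers can be configured to omit the version while keeping the product name, or to omit the banner entirely.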
Cert2connect has various solutions to help you to look at your organization the way a hacker does.
Corporate Credentials for Sale on the Dark Web: How to Protect Employees and Data
It's past time to retire passwords in favor of other methods for authenticating users and securing systems.
Despite how valuable corporate employees' passwords are and the best efforts of companies to protect their systems, user credentials keep ending up for sale on Dark Web forums. Even with the ever-advancing capabilities of the cybersecurity industry, corporate credentials from all industries appear in these notorious virtual auction halls to be used in a wide range of attacks, from simple phishing to complicated brute-force attacks.
Even cybersecurity companies are not fully immune to such threats. According to ImmuniWeb research, a staggering 97% of cybersecurity companies have data leaks and other security incidents exposed on the Dark Web.
Moreover, the research revealed that 29% of these stolen passwords are weak, with less than eight characters or without uppercase letters, numbers, or other special characters. About 40% of employees from the 162 companies surveyed reused identical passwords from accounts that had been breached. Note that we are talking about cybersecurity industry employees — so awareness is not the issue here.
When cybersecurity companies that should be well prepared to protect their employee data fail to do so, it seems that the problem is not the lack of protections around the passwords but rather passwords themselves. The time has come to question the use of passwords as a suitable authentication method.
High-Severity Account Takeover Exposures on the Rise
Leveraging stolen credentials is the No. 1 tactic used by hackers in recent years due to its relative ease and effectiveness. And since March 2020, the number of high-severity account takeover exposures where corporate credentials with plaintext passwords were exposed has increased by 429%, according to Arctic Wolf.
The prevalence of credential leaks highlights the impossible task enterprise security teams face. Password reuse on third-party sites beyond the borders of a company's perimeter is the main culprit behind most breaches. Unfortunately, we can't simply wish this problem away. Even though 91% of people know password reuse is insecure, 75% do it anyway, according to LastPass. Apart from nicely asking employees not to have such risky password hygiene, there are limited options for what company security teams can do.
LastPass also reports that an average employee keeps track of 191 passwords. The reality is that we cannot change human behavior. Humans will always opt for the path of least resistance, and in this case, that means convenience over security. Workers shouldn't be expected to come up with 191 unique login/password combinations that are complex enough to pass the requirements. But that is exactly what many organizations are asking for.
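An added example (mine, not from the article) of two checks a security team can run against the problems described above: the article’s own weak-password definition, and a breached-password lookup using the k-anonymity prefix scheme popularized by Have I Been Pwned’s Pwned Passwords range API, in which only the first five hex characters of the SHA-1 hash leave the network. The breach corpus and the range service here are constructed in-memory stand-ins so the code runs offline.

```python
import hashlib
import re
from typing import Callable, Dict, List, Tuple


def is_weak(password: str) -> bool:
    """Weakness rule as the article states it: under eight characters, or
    missing uppercase letters, digits or special characters."""
    return (
        len(password) < 8
        or not re.search(r"[A-Z]", password)
        or not re.search(r"[0-9]", password)
        or not re.search(r"[^A-Za-z0-9]", password)
    )


def split_hash(password: str) -> Tuple[str, str]:
    """k-anonymity split: 5-hex-char SHA-1 prefix (sent) and 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, the format a range lookup returns."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix:
            result[suffix] = int(count)
    return result


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """How often the password appears in the breach corpus; 0 if never.
    Only the prefix is handed to range_lookup; the full hash never leaves."""
    prefix, suffix = split_hash(password)
    return parse_range(range_lookup(prefix)).get(suffix, 0)


# Constructed breach corpus and offline range service, standing in for a real one.
CONSTRUCTED_BREACHES = {"Summer2020!": 3, "password": 9000000}
_RANGES: Dict[str, List[str]] = {}
for _pw, _n in CONSTRUCTED_BREACHES.items():
    _p, _s = split_hash(_pw)
    _RANGES.setdefault(_p, []).append(f"{_s}:{_n}")


def fake_range_lookup(prefix: str) -> str:
    return "\n".join(_RANGES.get(prefix, []))
```

A password that passes is_weak but returns a non-zero breach_count is exactly the reuse case the article describes, and is the one a complexity policy alone never catches.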
PyMICROPSIA: New Information Stealing Trojan from AridViper
Unit 42 researchers have been tracking the threat group AridViper, which has been targeting the Middle Eastern region. As part of this research, a new information-stealing Trojan with relations to the MICROPSIA malware family has been identified, showing that the actor maintains a very active development profile, creating new implants that seek to bypass the defenses of their targets.
PyMICROPSIA has a rich set of information-stealing and control capabilities, including:
- File uploading.
- Payload downloading and execution.
- Browser credential stealing. Clearing browsing history and profiles.
- Taking screenshots.
- Compressing RAR files for stolen information.
- Collecting process information and killing processes.
- Collecting file listing information.
- Deleting files.
- Rebooting the machine.
- Collecting the Outlook .ost file. Killing and disabling the Outlook process.
- Deleting, creating, compressing and exfiltrating files and folders.
- Collecting information from USB drives, including file exfiltration.
- Audio recording.
- Executing commands.