Security healthiness as a risk metric of IT assets
Simple math for lots of tricky vulnerabilities. Measure the risk of IT assets in an agile way and take quick actions
Introduction to hardware hacking Before getting our hands dirty with hardware hacking, let's start with a brief introduction to flash memories, a component that we will find very often in the PCBs we analyze. Flash memories are read-mostly memories, designed as an improvement over the more traditional EEPROM memories. Flash memories can be found in a variety of electronic devices, including personal computers, appliances and pen drives. One of their most common applications is to serve as firmware storage, and therefore knowing how to dump their contents and analyze the resulting file is a desirable skill for the hardware hacker. There are multiple ways to dump the contents of a flash memory. If we are lucky enough, the PCB under ...
Introduction In one of its operations, the Red Team achieved command execution on a perimeter web server as a non-privileged user. This article describes the analysis and exploitation of a vulnerability (CVE-2018-1685) that could allow an attacker to read arbitrary files, but of which no public details are known. Finally, we'll present a method to turn this type of vulnerability (arbitrary file read) into a full system compromise (command execution) on Active Directory joined Linux machines (via Kerberos). Privilege escalation (EoP) vulnerability The compromised machine is a recently updated Red Hat server, so privilege escalation via a kernel exploit is ruled out. After the typical routine checks, some root-owned executables with the SUID bit set are detected: /home/db2test/sqllib/adm: total ...
It is both common and important for the development of a Red Teaming service to obtain information about the technologies and restrictions of the environment where our TTPs are going to be executed. This information usually implies substantial changes in our modus operandi. Generally, one of these changes is to put aside known/public offensive tools and develop our own custom implants ad hoc for the customer's ecosystem, for the initial stages of infection where the chances of detection are high. The following case that we would like to share is a clear example of this type of exercise. At one of our clients, we obtained information about the EDR (Endpoint Detection & Response) technology deployed and the network restrictions for ...
In September this year the security researcher Orange Tsai published various vulnerabilities and PoCs related to MobileIron's Mobile Device Management (MDM) solution. The Tarlogic Blue Team has identified the use of CVE-2020-15505 by a certain group of attackers to download and run Kaiten. Kaiten (aka Tsunami) Through the JNDI injection related to said CVE, the attackers are downloading the well-known Kaiten. This family of malware has been used by multiple actors for more than 15 years (its beginnings date back to 2002), mainly as an offensive tool to generate DoS attacks and, currently, for the mining of cryptocurrencies. There are dozens of variants associated with this malicious code, possibly as a result of the publication of its source code. ...
Many professionals assume that a permanent state of 'total cyber security', with a continuous 100% protection guarantee, is impossible. Therefore, the effort must be directed towards designing digital security schemes that are as efficient as possible. This, in turn, minimises problems and incidents, making it extremely difficult for hostile actors to cause them. Constant digital surveillance defence systems, assembled on the basis of the services provided by a Security Operations Centre (SOC), have been consolidated over time as effective tools for guaranteeing certain acceptable minimum levels of security. Through the use of these systems, continuous protection of an organisation against catalogued and known threats is maintained over time, alerting the organisation to a threat as soon as possible. ...
Julián works in the sales department of an automotive components company and has good business relationships with distributors and suppliers in the sector. In the past, he has on occasion given in to proposals from one of these suppliers to adjust prices and orders in exchange for monetary compensation, from which he has personally benefited. This wasn't particularly risky and could be concealed quite easily through his department's usual processes and operations. In this way, Julián obtained an extra income to which he has already become accustomed. Then the coronavirus health crisis surfaced and he started teleworking. His company communicated that this situation would be prolonged, both intermittently and in the long run, according to periods and circumstances. Although for now ...
Data collection is a major step in the intelligence cycle, as it involves gathering the information to be used in other stages of the process and delivering the intelligence product to the relevant decision makers. Reliable and trustworthy data can be obtained from a wide variety of sources: OSINT (open-source intelligence), WEBINT (Web intelligence), IMINT (imagery intelligence), HUMINT (human intelligence), VIRTUAL HUMINT (virtual intelligence), and SOCMINT (social media intelligence), among other sources. One of the main problems faced by intelligence professionals when collecting data is related to the vast amount of information that can be found, which can lead to chaos and disorganization. That is why professionals need to set certain limits to collection activities in order to render these ...
My name is Juan and I work as a CSO in a Spanish infrastructure company with a strong international presence. My old friend Jaime, who is responsible for a geographic business unit based in our head office in São Paulo, has just contacted me and made me aware of the following situation. He had been approached by some people allegedly wanting to talk business, though he believed they worked for a rival company. In fact, they were interested in discussing information on the proposal our organization was presenting in a bid to tender a federal interurban highway. However, at the end of the call, they gave him greetings for a Brazilian girl Jaime had been going out with for a ...
An employee stealing critical company information in a data exfiltration event (as a result of manipulative or cooperative approaches by external hostile actors), causing high business impact and significant long-term losses. A former employee deliberately disseminating false, misleading, inaccurate or biased information about the company using a fake identity on social networks and social communication media, leading to costly damage to the organization's reputation. Business units requiring an assessment of provider and partner trustworthiness, as well as prospect creditworthiness, before engaging in tenders and international competitions. The above are just a few of the scenarios where economic intelligence units within organizations can help to address and solve the problems that may arise. However, outsourcing may still be preferred in certain cases ...