CVE-2024-3094 – Backdoor found in XZ utilities used by many Linux distros.

The backdoor may enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely. Interesting and scary.

Most of my Linux boxes run an older version.


The next interesting question related to this CVE – who implemented the backdoor?


Looking at the effort and strategy, we have to admire the cleverness of this exploit engineering. The exploit did not target SSH or OpenSSL directly; it started from the library dependency.

Brilliant.

Could it be the same story as the Shadow Brokers – https://en.wikipedia.org/wiki/The_Shadow_Brokers
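A quick host check, added here as an example and not part of the original post: it parses the output of `xz --version` and `ldd` to answer the two questions that matter for this CVE on a given box, which liblzma version is installed and whether the sshd binary loads liblzma at all (the post's point being that the backdoor reached sshd through the library dependency). The affected version set is a labelled placeholder to be filled in from the advisory, and the sample command outputs are constructed.

```python
"""Added example (not from the original post): check a host's exposure to the
xz/liblzma supply-chain issue, CVE-2024-3094.

Two things a defender wants to know:
  1. which liblzma version is installed, and
  2. whether sshd loads liblzma at all (directly or through another library),
     since the backdoor reached sshd via the dependency chain, not via SSH itself.

AFFECTED_VERSIONS is a PLACEHOLDER: fill it from the advisory; nothing here
hard-codes the real affected versions.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

# PLACEHOLDER (assumption): populate from the advisory before use.
AFFECTED_VERSIONS = {"X.Y.Z"}


def parse_xz_version(output: str) -> Optional[str]:
    """Extract the liblzma version from `xz --version` output.

    `xz --version` prints two lines, e.g. (constructed sample):
        xz (XZ Utils) 5.4.1
        liblzma 5.4.1
    The library line is the one that matters for sshd.
    """
    m = re.search(r"^liblzma\s+(\d+\.\d+\.\d+)", output, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'5.4.1' -> (5, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


def is_affected(version: Optional[str], affected=AFFECTED_VERSIONS) -> bool:
    """True when the installed liblzma version is in the affected set.
    Entries that are not numeric versions (the placeholder) are ignored."""
    if version is None:
        return False
    return any(version_tuple(version) == version_tuple(v)
               for v in affected if re.fullmatch(r"\d+(\.\d+)*", v))


def parse_ldd(output: str) -> Dict[str, str]:
    """Map shared-object name -> resolved path from `ldd` output.

    Lines look like `liblzma.so.5 => /lib/liblzma.so.5 (0x...)`; lines without
    `=>` (the vdso, the dynamic loader) are skipped.
    """
    libs: Dict[str, str] = {}
    for line in output.splitlines():
        if "=>" not in line:
            continue
        name, _, rest = line.strip().partition("=>")
        path = rest.strip().split(" ")[0]
        libs[name.strip()] = path
    return libs


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True when sshd's (transitive) dynamic dependencies include liblzma."""
    return any(name.startswith("liblzma") for name in parse_ldd(ldd_output))


def run(cmd):
    """Run a command and return its stdout, or None when the binary is absent."""
    if shutil.which(cmd[0]) is None:
        return None
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    ver = parse_xz_version(run(["xz", "--version"]) or "")
    print("liblzma version:", ver,
          "AFFECTED" if is_affected(ver) else "not in affected set")
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    ldd_out = run(["ldd", sshd])
    if ldd_out:
        print("sshd loads liblzma:", sshd_links_liblzma(ldd_out))
```

Run it as root-free on each box; a version in the affected set together with `sshd loads liblzma: True` is the combination that warrants action, while a version outside the set is still worth recording in the hunt notes.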

Powershell – To find date of creation

I wrote this script last year while I was doing threat hunting, and since my team keeps asking for it, I hope it is also beneficial to everyone looking for this answer.

What it does, basically, is find a specific file, or any file, that was created within a certain date range.

# Recurse through the folder (quote the path because it contains spaces) and keep
# only the files whose CreationTime falls inside the date range.
# [datetime] casts parse the dates with the invariant culture (MM/dd/yyyy).
Get-ChildItem "D:\Name of the folder\" -Recurse -Include @("*.*") |
  Where-Object { $_.CreationTime -ge [datetime]"06/18/2022" -and $_.CreationTime -le [datetime]"06/22/2022" }
Caption: Powershell – find date of files creation

Threat Hunting on The Blind Spot

Sunday, a fun day with my new vertical screen, for threat hunting on the blind spots in your digital infrastructure.

The sensor is built for cyber threat visibility on your unreachable perimeter. It helps your threat hunting team find possible vulnerabilities proactively, in real time.

With the combination of open-source tools and ELK, it is now able to detect and analyze all traffic passing through the network. It runs on FreeBSD 12.

Blind spots by definition:

A blind spot is any device on the network that monitoring tools cannot detect, or segments that data can travel across without being analyzed. Blind spots often go undetected, but in some cases they become apparent as the network expands.

10 types of potential blind spots that can create vulnerabilities:

1. Non-traditional assets
2. Unpatched critical systems
3. Phishing attacks
4. New branch office or new infrastructure
5. Poor identity and access control
6. Misconfiguration
7. Limited access to the data source
8. Lack of network segmentation
9. Insider threat
10. Limitations of tools such as password policy management

Cyber threats of Robotics and the Internet of Things.

For us in RPMY, cyber security is about working together with THE RIGHT people on the same mission and vision. With countless hours of advanced persistent threat hunting, delivering training, and capacity building in Next Gen SOC, we are ready to bring our cybersecurity training toward Industry Revolution 4.0.

Focusing on the cyber threats of Robotics and IoT has always been on our roadmap for the last few years.

OODA Loop – Methods and Tools for Incident Response Processes.

“OODA Loop” (Observe, Orient, Decide and Act)

Like DMZ and C2, the OODA loop was created by John Boyd of the US Air Force’s strategic division.

  1. OBSERVE
  • The security team monitors a computing environment to identify suspicious activities.
  • The goal – to gather rich information about attacks or potential adversaries.
  • Key decision-makers (example: the CISO) will use it to make informed decisions.
  • When an incident is happening, we need a speedy recovery.
  • Sometimes cybersecurity tools produce a lot of false positive and false negative data – this is bad.
  • Observe is a learning process about which data are the right ones to collect and carry into the next stage of the loop.
  • Examples of Observe tools: vulnerability scanners, log analysis, SIEM, IDS/IPS, etc.
Caption: Observe – methods and tools for incident response processes
Caption: Performance analysis monitoring for the tools and methods in the Observe stage of the OODA loop

2. ORIENT

  • Understand the internal computing environment and the threat landscape before connecting the observations, to reduce the chance of a repeat occurrence.
  • A critical step for the IR process’s success.
  • Orientation is based on the history, customs, and culture of the organisation.
  • The IR team should implement threat mitigation procedures that are appropriate for the organization’s situation.
  • The OODA loop is a quick process, and perfection is elusive.
  • The security team should make an effort to understand how to proceed, based on observation of the attacker and mitigation of the attack.
  • Procedures should be appropriate for the organization’s context.
Situational Awareness in OODA LOOP

2.1 Network Awareness – Information on assets, patch management, incident awareness, and the threats currently visible in the infrastructure. Be aware that threat actors are always working on discovering new methodologies.

2.2 Threat Awareness – Knowledge of the attacks discovered by external parties

2.3 Mission Awareness – Mission and scope of work of the security operation including IR team.

The Orient phase helps determine the stages and the threat priority level.

3. DECIDE

Caption: Decide – key element in the OODA loop
  • A large group of people must collaborate during this stage.
  • The IR team must make crucial business judgments regarding how to properly handle an incident.

3.1 Documentation – When handling incidents, it is important to make informed decisions; therefore, having the vendors’ documentation in the right place is very important.

3.2 Cyber Security Policy – It is a must-have in every organization, and the IR team must follow the policy.

4. ACT

Caption: Act in the OODA loop

• Once a decision has been made, the IR team needs to move fast and take action before the adversary can compromise more digital assets.

• Quick action makes sure that active attacks are stopped, that the harmed systems are recovered, and that subsequent attacks are avoided.

• Important attack evidence must be gathered for future defenses and for legal purposes.

• The IR team can engage the adversary or begin the recovery process once the impacted systems have been isolated or quarantined.

• The “cyber infection” is stopped by the IR team during the containment process. Example: Stop C2 communication to stop malware from receiving instructions or updates from external sources.

Data From The Emotet Malware is Now Searchable

In all, 4,324,770 email addresses were provided which span a wide range of countries and domains. The addresses are actually sourced from 2 separate corpuses of data obtained by the agencies during the takedown:

  1. Email credentials stored by Emotet for sending spam via victims’ mail providers
  2. Web credentials harvested from browsers that stored them to expedite subsequent logins

Earlier this year, the FBI, in partnership with the Dutch National High Tech Crime Unit (NHTCU), the German Federal Criminal Police Office (BKA) and other international law enforcement agencies, brought down what Europol referred to as the world’s most dangerous malware: Emotet. This strain of malware dates back as far as 2014, and it became a gateway into infected machines for other strains of malware ranging from banking trojans to credential stealers to ransomware. Emotet was extremely destructive and wreaked havoc across the globe before eventually being brought to a halt in February.

Following the takedown, the FBI reached out and asked if Have I Been Pwned (HIBP) might be a viable means of alerting impacted individuals and companies that their accounts had been affected by Emotet. This isn’t the first time HIBP has been used by law enforcement in the wake of criminal activity with the Estonian Central Police using it for similar purposes a few years earlier.


Incident Responder – Investigating a Phishing Attack

The investigation phase takes the following steps.

Referring to my previous post – phishing attacks are expensive to handle – today I am sharing my investigation phase for phishing as presented in my recent workshop. I hope it will benefit IR teams.

  • Log retrieval and review
    • The IR team receives logs from security tools or from the blue team in the SOC operations team
    • System logs provide important information such as the IP addresses and ports of the source and destination assets
    • It is important to identify the assets and their owners.
  • Identification of the tools that detected the attack
    • Get familiar with your environment and the tools available to help in the investigation
    • The OODA Loop should play a bigger role here – from the Observe and Orient stages
    • Tools should facilitate the detection of the attack
  • Identification of the affected systems and networks
    • Phishing involves social engineering, which is hard to detect because not everyone will cooperate in reporting such an attack if they were infected by it
    • It is hard to identify the compromised assets, and the incident can escalate quickly
    • Identifying the affected systems and networks is crucial
    • Moving faster and more efficiently is the key here
  • Identification of the users affected by the attack
    • Refer to the organisation’s cybersecurity policy on response time for identifying the affected users
    • Identify what type of malware was used during the phishing attack
    • Create an investigation canvas if required
    • This activity and information should be shared with the communications team in IR
  • Identification of systems at risk
    • After identifying the type and severity of the attack, the IR team should identify other systems that are at risk
    • Did the attacker manage to perform lateral movement?
    • Do the users have the same login and password on other machines?
    • The IR team should send a notification telling the affected users to change to a new password
  • Identification of the business processes affected by the attack
    • After identifying the systems at risk, the IR team should use the information to identify which part of the incident affected the business processes
    • Example: the phishing attack gained access to the web server where employees submit documents; therefore the IR team should identify the business processes that are affected.
  • Evidence collection
    • The IR team needs to collect all such evidence to help with the analysis of the attack
    • Prepare long-term and short-term recommendations if available.
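The steps above, walked through over sample logs as an added example (this is not the workshop's material or tooling): the script parses a simplified proxy log and an authentication log, pulls out source and destination IP/port, maps the source assets to owners, identifies the users who reached the lure domain, lists the hosts those users logged into after first contact (where a reused password could already have been replayed), maps those hosts to business processes, and produces the password-change notification list. The asset inventory, users, IPs, hostnames, lure domain and log format are all constructed for the example.

```python
"""Added example, not part of the original post: a triage script that walks the
phishing investigation steps over constructed sample logs.

Assumed simplified log formats (not a specific vendor's):
  proxy line: <ts> <user> <src_ip:port> <dst_ip:port> <requested host>
  auth  line: <ts> <user> <src_ip> <dst_host> <success|failure>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed asset inventory (assumption): IP -> (hostname, owner).
ASSETS: Dict[str, Tuple[str, str]] = {
    "10.0.1.15": ("ws-finance-07", "alice"),
    "10.0.1.22": ("ws-hr-03", "bob"),
    "10.0.2.5": ("docs-web-01", "it-ops"),
    "10.0.2.9": ("file-srv-02", "it-ops"),
}
# Constructed host -> business process mapping (assumption).
SERVICES = {"docs-web-01": "employee document submission",
            "file-srv-02": "shared file storage"}
# Constructed indicator taken from the lure e-mail.
PHISHING_DOMAIN = "invoice-portal.example"

# Constructed sample logs.
PROXY_LOG = """\
2024-05-02T09:01:10 alice 10.0.1.15:51234 203.0.113.8:443 invoice-portal.example
2024-05-02T09:02:41 bob 10.0.1.22:51800 203.0.113.8:443 invoice-portal.example
2024-05-02T09:03:02 carol 10.0.1.30:52001 198.51.100.7:443 intranet.example
"""
AUTH_LOG = """\
2024-05-02T09:20:15 alice 10.0.1.15 docs-web-01 success
2024-05-02T09:25:40 alice 10.0.1.15 file-srv-02 success
2024-05-02T08:30:00 bob 10.0.1.22 docs-web-01 success
2024-05-02T10:05:12 carol 10.0.1.30 docs-web-01 success
"""


@dataclass
class Finding:
    affected_users: Set[str] = field(default_factory=set)
    affected_assets: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # host -> affected users who logged in there after first contact
    systems_at_risk: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    notify: Set[str] = field(default_factory=set)


def parse_proxy(text: str) -> List[dict]:
    """Step 1, log review: split each proxy line into IPs, ports and host."""
    rows = []
    for line in text.splitlines():
        ts, user, src, dst, host = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "src_ip": src_ip, "src_port": int(src_port),
                     "dst_ip": dst_ip, "dst_port": int(dst_port), "host": host})
    return rows


def parse_auth(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines():
        ts, user, src_ip, dst_host, result = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "src_ip": src_ip, "dst_host": dst_host, "result": result})
    return rows


def triage(proxy_text: str, auth_text: str,
           phishing_domain: str = PHISHING_DOMAIN, assets=ASSETS) -> Finding:
    f = Finding()
    first_contact: Dict[str, datetime] = {}   # user -> first request to the lure
    # Affected users and assets: anyone whose workstation reached the lure domain.
    for r in parse_proxy(proxy_text):
        if r["host"] == phishing_domain:
            f.affected_users.add(r["user"])
            first_contact.setdefault(r["user"], r["ts"])
            f.affected_assets[r["src_ip"]] = assets.get(
                r["src_ip"], ("unknown-asset", "unknown-owner"))
    # Systems at risk: successful logins by an affected user AFTER first contact,
    # i.e. hosts where a harvested (possibly reused) password may already work.
    for r in parse_auth(auth_text):
        u = r["user"]
        if u in first_contact and r["result"] == "success" and r["ts"] > first_contact[u]:
            f.systems_at_risk[r["dst_host"]].add(u)
    f.notify = set(f.affected_users)          # users told to change their password
    return f


def affected_processes(f: Finding, services=SERVICES) -> Set[str]:
    """Business processes behind the systems at risk."""
    return {services[h] for h in f.systems_at_risk if h in services}


if __name__ == "__main__":
    result = triage(PROXY_LOG, AUTH_LOG)
    print("affected users     :", sorted(result.affected_users))
    print("affected assets    :", result.affected_assets)
    print("systems at risk    :", dict(result.systems_at_risk))
    print("business processes :", affected_processes(result))
    print("notify for reset   :", sorted(result.notify))
```

Note the time comparison: bob logged into docs-web-01 before his first contact with the lure, so that host is not listed at risk on his account; an after-contact login is the signal for step five.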

Spear phishing attacks are expensive to detect.

Threat actors have their own distinctive methods for sending such unique and undetected phishing attacks, so it is difficult to spot or hunt down spear phishing. It is about a modest number of contacts that give a high conversion rate, as opposed to generic phishing.
Good news: a variety of tools are available, both open-source and commercial. Tools range in price from free to millions of ringgit.

Tools alone, however, are insufficient to help the blue team understand or research spear phishing. Why?
Social engineering plays a major role in the efficacy of both of these phishing tactics. Social engineering is the psychological manipulation of individuals to obtain data or to make them commit inappropriate behaviour.
Most of the time, the targets are unaware that they were complicit in a wrong and harmful act.
As we’ve seen, threat actors employ a variety of strategies to deceive gullible people into taking actions that could compromise systems or give the attackers further access to the target IT environment.

As a result, identifying and looking into the attack chains will need time, effort, and data on user and technical behaviour patterns (UEBA). Numerous SIEM suppliers have UEBA solutions available; however, they are not inexpensive.
Some vendors charge for UEBA solutions according to user licences.

What about the company’s IT security policy and DMARC?
DMARC can undoubtedly help businesses identify spoofed email addresses; while this is excellent for safeguarding brand recognition, social engineering is not covered.
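To make the DMARC point concrete, here is a minimal DMARC evaluator, added as an example and not part of the original post. It implements the alignment check from RFC 7489 (is the visible From domain aligned with a domain that passed SPF or DKIM, and if not, what does the domain owner's policy say?) and runs two constructed messages through it: an exact-domain spoof of the company domain, which DMARC rejects, and a lookalike domain with its own valid SPF and DKIM, which DMARC passes because the record consulted is the lookalike's own. The domains and records are constructed, and the organizational-domain logic is simplified to the last two labels (real resolvers use the Public Suffix List).

```python
"""Added example, not from the original post: a minimal DMARC evaluator that
shows what DMARC covers (exact-domain spoofing) and what it does not (a
lookalike domain that authenticates as itself).

Simplifications (assumptions): organizational domain = last two labels;
SPF/DKIM results are supplied as already-verified domains.
"""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    tags.setdefault("adkim", "r")   # RFC 7489 default: relaxed DKIM alignment
    tags.setdefault("aspf", "r")    # RFC 7489 default: relaxed SPF alignment
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    from_domain: str              # domain in the visible From: header
    spf_domain: Optional[str]     # domain SPF authenticated (MAIL FROM); None if SPF failed
    dkim_domain: Optional[str]    # d= of a DKIM signature that verified; None if none


def evaluate(msg: Message, records: Dict[str, str]) -> str:
    """Return 'pass', the From-domain policy disposition ('none', 'quarantine',
    'reject') when not aligned, or 'no-policy' when no record is published."""
    record = records.get(msg.from_domain) or records.get(org_domain(msg.from_domain))
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)
    if aligned(msg.from_domain, msg.spf_domain, tags["aspf"]) or \
       aligned(msg.from_domain, msg.dkim_domain, tags["adkim"]):
        return "pass"
    return tags.get("p", "none")


# Constructed published records: the company and a lookalike domain.
RECORDS = {
    "corp.example": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "c0rp-example.example": "v=DMARC1; p=none",
}

# Case 1: From: forged as corp.example, relayed through unrelated infrastructure.
SPOOF = Message("corp.example", spf_domain="mail.unrelated.example", dkim_domain=None)
# Case 2: lookalike domain whose SPF and DKIM legitimately authenticate as itself.
LOOKALIKE = Message("c0rp-example.example", spf_domain="c0rp-example.example",
                    dkim_domain="c0rp-example.example")

if __name__ == "__main__":
    print("exact-domain spoof :", evaluate(SPOOF, RECORDS))      # reject
    print("lookalike domain   :", evaluate(LOOKALIKE, RECORDS))  # pass
```

The second result is the gap the paragraph describes: DMARC only ever consults the policy of the domain actually in the From header, so a message whose From domain is merely similar to yours is authenticated against someone else's record, and distinguishing it from legitimate mail is left to the reader and to user-behaviour analysis.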

A company’s cyber security policy may aid in protecting its IT infrastructure, but putting one in place necessitates numerous procedures and team members to develop, manage, and enforce the policy.

After all, despite the most sophisticated methodologies and technologies, threat actors have always used social engineering as a component of their overall strategy.
Finding the user’s behavioural patterns is crucial, and doing so calls for a lot of data and knowledgeable team members.

When we talk about spear phishing solutions, they come with a very expensive price.

AIEngine (Artificial Intelligent Engine) – Python/Ruby/Java/Lua and Go network intrusion detection system engine

AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go network intrusion detection system engine with the capability of learning without any human intervention, DNS domain classification, spam detection, network collection, network forensics and many others.

AIEngine also helps network/security professionals identify traffic and develop signatures for use on NIDS, firewalls, traffic classifiers and so on.

URL: https://bitbucket.org/camp0/aiengine/