
CISAnalysis 07 July 2022

CISA re-added CVE-2022-26925 to its Known Exploited Vulnerabilities catalog this past Friday, after having removed it because of the authentication failures caused by the May 10, 2022 Microsoft rollup update:

“After installing May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).”

CVE-2022-26925 is a Windows Local Security Authority (LSA) spoofing zero-day (CWE-290) that unauthenticated attackers can exploit remotely to escalate privileges and compromise the domain.

“An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM,” writes Microsoft in an advisory from May.

CVE-2022-26925 might cause feelings of déjà vu for anyone who remembers PetitPotam (CVE-2021-36942) from 2021.

According to Raphael John, credited with discovering the new NTLM relay vulnerability, writing on Twitter: “The story behind CVE-2022-26925 is no advanced reverse engineering, but a lucky accident 😉 During my pentests in January and March I saw that PetitPotam worked against the DCs.”

While this might not be an entirely new CVE, CISA has ordered it to be patched by July 22, 2022. Regarding the authentication issues caused by Microsoft’s patch, CISA has also released guidance on applying the patch and resolving the PIV/CAC authentication issues. The workaround involves manually setting two registry keys provided by Microsoft: one controlling how far a certificate may predate the account it maps to, and one controlling the enforcement mode.

CISA also notes that the keys have been tested by “multiple agencies.”
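Before either registry value is changed, its current state on each domain controller is worth recording. The following is an added example, not a script from the article, CISA or Microsoft; it assumes the value names Microsoft documents under the Kdc service key in KB5014754 (StrongCertificateBindingEnforcement and CertificateBackdatingCompensation), which should be checked against the current KB before use.

```powershell
# Added example, not from the article, CISA or Microsoft: audit the two KDC
# registry values behind the CVE-2022-26925 / PIV-CAC authentication workaround.
# Value names follow Microsoft's KB5014754 (assumption; verify against the KB):
#   StrongCertificateBindingEnforcement  REG_DWORD 0, 1 or 2
#   CertificateBackdatingCompensation    REG_DWORD, seconds
# Run as an administrator on each domain controller.
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

function Get-KdcCertificateBindingState {
    param([string]$Path = $KdcKey)

    # Missing values are normal: the post-update defaults then apply.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $mode  = $props.StrongCertificateBindingEnforcement
    $skew  = $props.CertificateBackdatingCompensation

    if ($null -eq $mode) {
        $modeText = 'Not set (compatibility mode by default after the May 2022 update)'
    } elseif ($mode -eq 0) {
        $modeText = 'Disabled: no strong-mapping checks'
    } elseif ($mode -eq 1) {
        $modeText = 'Compatibility: weak mappings allowed (with warning events) unless the certificate predates the account beyond the backdating allowance'
    } elseif ($mode -eq 2) {
        $modeText = 'Full enforcement: certificates without a strong mapping are rejected'
    } else {
        $modeText = "Unexpected value $mode"
    }

    if ($null -eq $skew) {
        $skewText = 'Not set (Microsoft default tolerance applies)'
    } else {
        # Stored as a DWORD of seconds; shown in days for review.
        $skewText = '{0} seconds (~{1:N0} days)' -f $skew, ($skew / 86400)
    }

    [pscustomobject]@{
        Computer                            = $env:COMPUTERNAME
        StrongCertificateBindingEnforcement = $mode
        EnforcementMeaning                  = $modeText
        CertificateBackdatingCompensation   = $skew
        BackdatingMeaning                   = $skewText
    }
}

# Usage: run locally on each domain controller and file the output with the
# change record, so the pre-workaround state is known if it has to be reverted.
Get-KdcCertificateBindingState | Format-List
```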

#vicarius_blog #cisa_analysis

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

CISAnalysis – June 20, 2022

It’s Monday and time to take a gander at CISA’s Known Exploited Vulnerabilities Catalog.

The only new addition to the list is the Follina Zero-Day Vulnerability, CVE-2022-30190, but it’s a doozy as we are all well-aware.

Follina is a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool that can be exploited through a malicious MS Office document. Exploitation relies on malicious email attachments and social engineering. Successful exploitation allows an attacker to run arbitrary code with the privileges of the calling application – install programs, view, modify and destroy data, etc.

Although Follina has been actively exploited by state-backed actors such as the Chinese APT group TA413, Microsoft has continually downplayed the vulnerability’s severity. Many of the observed exploit attempts have targeted EU and US government workers.

How Does It Work?

A malicious document attached to an urgent-sounding email is opened. The file contains a link to an HTML file that uses the ms-msdt MSProtocol URI scheme to execute PowerShell code without directly launching powershell.exe.
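As a defender’s triage step for the document side of this chain, the following is an added example (not code from the article): it opens a .docx as the OOXML zip it is and flags OLE-object relationships whose target is external, the hook such documents use to pull the remote HTML. The quarantine folder path is an assumption.

```powershell
# Added example, not from the article: triage Word documents for the indicator
# the Follina chain relies on, an OLE object relationship pointing at an
# external URL. The ms-msdt: URI itself lives in the fetched HTML, so the
# document is inspected for the external link rather than for the scheme.
# Assumes .docx input; scans word/_rels/*.rels inside the OOXML zip.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-ExternalOleRelationship {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Relationship parts live under word/_rels/ and end in .rels
            if ($entry.FullName -notlike 'word/_rels/*.rels') { continue }

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($rel in $rels.Relationships.Relationship) {
                $isOle      = $rel.Type -like '*/relationships/oleObject'
                $isExternal = $rel.TargetMode -eq 'External'
                # Remote schemes worth a closer look; ms-msdt: included for completeness.
                $isRemote   = $rel.Target -match '^(https?|ms-msdt):'
                if ($isOle -and $isExternal) {
                    $findings += [pscustomobject]@{
                        File   = $Path
                        Part   = $entry.FullName
                        Id     = $rel.Id
                        Target = $rel.Target
                        Remote = $isRemote
                    }
                }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Usage: scan a mail-attachment quarantine folder (assumed path) and list hits.
Get-ChildItem -Path 'C:\Quarantine' -Filter '*.docx' -Recurse |
    ForEach-Object { Find-ExternalOleRelationship -Path $_.FullName } |
    Format-Table File, Part, Target, Remote -AutoSize
```

Linked OLE objects also occur in legitimate documents, so treat a hit as a reason to inspect the target, not as a verdict.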

Mitigation

A patch for CVE-2022-30190 was released with Microsoft’s June 2022 cumulative Windows Updates. While the update doesn’t prevent msdt.exe from automatically spawning, it does prevent PowerShell injection.

Though Microsoft is downplaying Follina, it’s important to make sure your systems are patched, as this vulnerability is being actively exploited in the wild. We would be happy to assist you in deploying the updates in your environment. Click here to get started.


Crowdsourcing: Utilizing Humanity’s Greatest Asset

As the old yarn goes, one Francis Galton ran an experiment at the West of England Fat Stock and Poultry Exhibition in Plymouth back in 1906. Around eight hundred people purchased tickets to guess at the weight of an ox. Surprisingly, the median guess of 1,207 pounds was only 9 pounds over the ox’s actual weight of 1,198.[1] This study, told often to American middle schoolers before they guess at the number of jelly beans in a large jar, has plenty of meat to it. It’s also an example of the wisdom that comes from crowdsourcing, well before “crowdsourcing” became a common term to pass the lips of many an exec.

So, what does a 1,200-pound ox have to do with crowdsourcing in cybersecurity? Very little, except to set the stage for this article and illustrate that crowd wisdom can be effective under certain conditions. What are these conditions? Paraphrasing James Surowiecki in The Wisdom of Crowds, there are three requirements: independence of individuals within the crowd, diversity of experience, and some way for the information and analysis to be effectively organized.[2]

Given the chaotic nature of the current security environment, it’s nigh impossible for a small cybersecurity team to uncover all of the potential vulnerabilities of constantly evolving software. It’s like trying to play Whac-a-Mole with an infinitely expanding play area with the occasional mole that whacks back. But what if you had access to a thousand players that specialized in specific sections of the play area and specific moles and shared ideas? You’d get a dated metaphor for cybersecurity crowdsourcing.

Crowd Sourcing Solutions

There are a number of issues that crowdsourced cybersecurity seems naturally capable of mitigating:[3]

Scale: even in small organizations, keeping a close eye on the dynamic attack surface that hundreds of applications create is a daunting task. For a single security task force within a company that uses thousands of endpoints, third-party software and proprietary software while trying to follow compliance regs, maintaining a secure landscape is impossible. It’s common knowledge that even critical vulnerabilities can take months to patch effectively, while less severe, yet still potentially disruptive, vulnerabilities are left to simmer for longer. Crowdsourcing specific aspects of a sec team’s workload allows for a more methodical and less fraught approach to organizational security.

Subject Matter: it might be possible to repeat the phrase “cybersecurity is a complex and diverse field” too many times in a twelve-hundred-some word article, but it’s the crux of the matter when it comes to crowdsourcing. Any given application is a web (perhaps a cobweb) of different components. Each component, along with its myriad interconnections, is prone to vulnerabilities. The manager who’s been working IT for 20+ years might specialize in one aspect of this web, but there is zero chance that they’re an expert in each piece of tech. Open up this application to a crowd of white hats within a controlled operation, and you’d be wise to bet that each aspect of your application has at least one expert poking around.

Time: there’s never enough of it. A security team working with time constraints will only be able to cover a portion of an application and not with any major depth. Crowdsourcing this engagement can allow more ground to be covered with a much finer comb within the same timeframe. Also, crowdsourced bug searches generally don’t have time requirements and can be ongoing through the implementation of bug-bounty programs that incentivize deep-dives into the nuances of a given application.

Cybersecurity Crowdsourcing Has a History

Per an article by TechRepublic back in 2019, a little over half of 200 surveyed cybersec decision makers had instituted some form of crowdsourcing. The CISOs who did use crowdsourced cybersecurity programs noticed benefits like “paying for valid results rather than effort or time, the varied expertise of hackers, and continuous coverage of applications.”[4] You can also add high scalability to the list. These crowdsource programs range from bug bounties to responsible disclosure to hiring a company that sources its own ethical hackers to assist the in-house team’s own vulnerability assessment. It’s also no secret that massive companies like Johnson & Johnson, Apple, Microsoft, Facebook and Mozilla have been using crowdsourcing programs to bolster the security of their digital landscape for years.[5]

Another powerful attribute of crowdsourced security is the sharing of relevant intelligence. We see the benefits of this in organizations like FIRST, which began in 1990 and created the Common Vulnerability Scoring System in a highly successful attempt to systematize and standardize vulnerability reporting and risk. There’s also the CVE program and MITRE ATT&CK. None of these cornerstones would exist without the time and effort of thousands of cybersecurity professionals and their diverse areas of expertise. You could think of intelligence sharing as a kind of herd immunity. As information spreads between organizations and professionals, the overall, massively interconnected sphere of tech inoculates itself against known vulnerabilities and 0-day threats.

Conclusion

Crowdsourced security testing, information gathering, and cybersecurity awareness are all extremely effective tools used by small to large organizations, governments, and other institutions. SaaS cybersecurity organizations, like Vicarius, offer vulnerability management solutions that curate a number of crowdsourced resources alongside the top-notch expertise of their teams. To maintain a secure digital landscape, it takes a multitude of independent and collaborative experts to ensure that even the smallest hole is detected and filled. Unless you’re keen on bailing water instead of fixing the leak.

Sauce:

[1] Bernstein, W. J. (2021). Prelude. In The Delusion of Crowds: Why People Go Mad in Groups (p. 11). Grove Press.

[2] Surowiecki, J. (2005). The Wisdom of Crowds. Anchor Books.

[3] Stephens, L. (2021, November 4). Crowdsourced security is now a need, not a nice to have. Detectify Blog. Retrieved June 3, 2022, from https://blog.detectify.com/2021/11/04/crowdsourced-security-is-now-a-need-not-a-nice-to-have/

[4] Rayome, A. D. N. (2019, March 28). Is crowdsourcing cybersecurity the answer to CISOs’ problems? TechRepublic. Retrieved June 3, 2022, from https://www.techrepublic.com/article/is-crowdsourcing-cybersecurity-the-answer-to-cisos-problems/

[5] Dimov, D. (2015, September 22). Crowdsourcing cybersecurity: How to raise security awareness through crowdsourcing. Infosec Resources. Retrieved June 3, 2022, from https://resources.infosecinstitute.com/topic/crowdsourcing-cybersecurity-how-to-raise-security-awareness-through-crowdsourcing/

Image by Camylla Battani from Unsplash


The Good News and Bad News About 0-Day Attacks

The team at Google Project Zero deserves a lot more recognition than they receive. Since 2014, they have been systematically studying 0-days (i.e., previously unknown vulnerabilities) to understand this unique cyber threat in depth. They research where 0-days are being found, how hackers are exploiting them, and what trends are developing. And, on an annual basis, they compile their findings into a comprehensive and prescriptive report. The latest report is out, covering attacks throughout 2021, and it has information everyone should be aware of – both good news and bad news.

Bad News – Attacks Have Increased Significantly

There were 58 0-days detected and disclosed in the wild in 2021, the most the Google team has ever recorded. This number is more than double the previous high of 28. Even more alarming, it’s a substantial increase over the 2020 total of 25 0-days. These numbers leave little doubt that 0-days remain a serious threat that could be getting (much) worse than ever before. The 2022 totals seem certain to set new records.

Good News – Detection and Disclosure are Getting Better

The alarming uptick in 0-days could actually be a positive sign according to the Google researchers. They attribute the 2021 totals to improvements in detection – we are catching more 0-days than we could before. They also credit a culture shift around disclosing 0-days. Instead of hiding these flaws away, as was often the case in the past, companies are being upfront about them, pushing the overall total upwards. This would suggest the 0-day problem is not necessarily getting worse but rather we are starting to see its true scope and scale. That’s progress.

Good News – 0-Days are in a Rut

Last year’s 0-days all share a notable feature: they leverage the same attack surfaces, bug patterns, and exploit techniques that we have seen in the past. Given the large annual total, we would expect to see a number of innovative, unique, and unknown tactics in play. That wasn’t the case – only two 0-days in 2021 were considered novel by the Google team. By and large, recent 0-days look a lot like the ones that came before them, which could suggest that hackers lack either the means or skills to push them in new directions.

Bad News – Old Exploits Remain Potent

Another, arguably more valid way to interpret the lack of innovation in 0-days is that it’s unnecessary. Existing methods still work, so hackers have little incentive to devise new ones. It has been the goal of developers and cyber defenders to “make 0-days harder” for years now, but that effort seems to have accomplished relatively little, allowing hackers to return to the same well instead of making them return to the drawing board. The huge number of familiar 0-days in 2021 suggests that while detection and disclosure are improving, actual defenses are not, which raises troubling (but important) questions about how we approach this issue.

Preparing for the Future of 0-Days

The Google report makes clear that we have made some progress on 0-days but still have much left to do. The question is how we get from record high 0-days to record lows?

Above all, it will take cooperation, communication, and collaboration among stakeholders inside and outside cybersecurity. 0-days are a complicated beast, both to prevent and remediate, that exceeds what any team, department, or company can address on its own. A culture of mutual defense and shared responsibility has an obvious advantage: it gives the defenders vastly more resources than the attackers could ever muster.

But it all depends on bringing together different ideas, experiences, and perspectives, which is where the vsociety comes in. This social community provides a space for voices from across cybersecurity and the larger tech landscape to unite around issues like 0-days and so much more. The conversation starts here.

Photo by Adi Goldstein


OSINT Tools – Pt.3

Intro

Now that we’ve laid some theoretical foundation as to what OSINT consists of, let’s check out some tools and see how they can benefit us, as well as some of their most common uses. Before going any further, we would just like to quickly go over what types of information gathering there are, as well as some distinctions when it comes to these tools.

Active vs. Passive Recon

Within the context of an investigation, be it a penetration test or due diligence, we will use OSINT to gather some information.

The main distinction to be made here is active versus passive reconnaissance. Active reconnaissance means we are making some sort of contact with the system we’re investigating; we interact with said systems. Some interactions are almost harmless, like a ping, but some are much more intrusive and can even mean brute forcing and other such probing – which might be seen as hacking regardless of the fact that the resources are indeed in the open.

Active reconnaissance also tends to leave traces in the form of logs, which can further reveal the length of the connection, our IP address, etc.

When we are doing passive reconnaissance, we are not interacting with the systems. We might look up our target on Shodan, which would be considered passive, since we’re just using data that’s already out there, and are in no way interacting with any of the systems of interest.

There are merits to both sides, however, it’s crucial that we are aware of the distinction, so as to not hinder our investigation – we need to know what to use, and when.

Types of OSINT Tools

Based on what the tool does, we can say there are three main categories:

  • Aggregation Tools
  • Discovery Tools
  • Scraping Tools

Discovery Tools – tools that enable us to query and search the data that is already out there. The best example is the Google search engine. Seemingly simple, but Google has a huge number of websites indexed and crawled, which in turn gives us enormous potential when it comes to discovering new information. Another example would be Shodan.

Aggregation Tools – these tools help us connect the dots, so to speak, once we have gathered all of our relevant data and are in need of further relating it, and compiling it into a functional, easily digestible, format.

Scraping Tools – once we have successfully discovered the information we need, we would like to extract it in an easy and safe way. With these tools, we can avoid extracting anything that is of no use to us, as well as save precious resources such as time and bandwidth.

With all of that being said, there are a plethora of tools out there, but we have decided to give a brief overview of a few that we felt are the most essential ones. It’s up to you to establish your own methodology, and do research accordingly, as there is no exact path one would follow when conducting OSINT investigations.

Google Search Engine – Google Dorking

Besides your everyday uses of Google’s search engine, there are many options for refining your queries.

The simplest example is adding quotation marks to your search. By doing so, Google will interpret whatever we’ve put inside the quotation marks as an exact phrase, and will give us only the results where that exact phrase comes up.

Another common example is adding the site: operator to our search. If we wanted to search for, let’s say, imdb new movies, we would get something like this… notice the number of results.

On the other hand, if we were to add the site: operator to our search, we would get a result similar to this…

As we can see, there’s a drastic difference in the number of results obtained, just by leveraging one of the many Google dorks.

We can even look for specific filetypes, with the filetype keyword.

If we want to look for publicly available .pdf files, for example, we can add the keyword (in this case filetype:pdf) to the query:

We can also use intitle – Google will then return results only if the exact phrase appears in the title of the page; there’s cache too, which gives us Google’s cached version of the URL we’ve specified.

There are many more dorks available, and this is a big topic which we will look to cover in an article dedicated just to Google dorking.

But for now, we’d like to mention that this is completely legal as we are querying against legal, publicly available information. Of course, be mindful that what you do with the information might not be legal.

Shodan.io

With the number of Internet-connected devices higher than ever, Shodan – a search engine dedicated to IoT, the Internet of Things – is an irreplaceable tool to have in your arsenal.

If, for example, publicly accessible CCTV cameras are something that you might be looking into, Shodan’s got you covered.

Heck, if you want to check if your smart fridge is publicly accessible, Shodan can help you!

To use Shodan fully you’ll need a paid subscription; you can start with the free tier, but you’ll only get a limited number of searches.

The best free(mium) alternative to Shodan is Censys, which also tries to discover, analyze, and monitor Internet-accessible devices.

OSINT Framework

The OSINT Framework is one of the most popular OSINT tools out there, and rightly so. Structured like a web directory of tools, it has almost everything you might need for your investigation, which makes it an extremely attractive option for information gathering.

Also, most of the tools in this web directory are directly usable and accessible through a browser, which is a great thing to have, since almost all of the best OSINT tools are created for Linux. Thus, the OSINT Framework provides us with a very useful and accessible bundle of tools, regardless of the platform – which is extremely valuable.

It is worth noting that most of the tools found within are free, with only a minority being premium, subscription based tools.

Maltego

Maltego is “a wonderful aggregator of interfaces to various OSINT databases”, according to the official Maltego website (https://www.maltego.com/).

With Maltego, we can investigate and find information on organizations, individuals, as well as investigate cryptocurrencies, and much, much, more.

Once registered (which can be done for free – as a part of community license) you are brought to a GUI from which you can start your investigation. Results of your queries (Maltego calls them transforms) are displayed in a beautiful bubble graph, which maps the relations between your nodes.

Maltego starting screen

In our example search, where we’ve chosen Domain as Maltego entity, for youtube.com, we’ve obtained the following:

As we can see from the image, the transforms that were run are listed at the bottom, and the graph shows the color-coded results of our query. We’ve got 148 entities, including MX and NS records, email addresses, people, phone numbers, etc.

We just ran the “all transforms” search; in reality we would more likely use only the transforms we need, or install specific modules (from the Maltego starting page) so that we can query for information relevant to our investigation. Some of the modules we can install are paid, but there are also some good free ones.

Maltego definitely warrants an article of its own, but we wanted to briefly show what this awesome tool is all about. Oh, and one more thing – Maltego runs on Linux, Windows, and MacOS.

Recon-ng

Another great tool is Recon-ng. This is a completely free, open source, CLI tool made for web-based open source reconnaissance.

It is completely modular: it ships with its own default modules, which are also open source, and has a marketplace from which we can further enrich it with whatever we might need.

The information we collect with it is stored in a database, which means we can use it to generate custom reports, if that’s something we need.

Being an open source tool, it grows through its developer community, which is quite engaged.

It might be a bit daunting at first, due to it being a CLI-based tool, but it is actually extremely fun to navigate around, and once you’ve gotten the hang of it you will surely love it!

Conclusion

These are some of our favorite tools, and we’ve given you a brief introduction to them; in the future, we hope to expand on them (ideally all the tools mentioned here, and more!). If that doesn’t prove possible for us, we hope that we’ve at least managed to provide a ‘teaser’ of sorts, and that we’ve managed to pique your interest.

Lastly, honorable mentions go to TinEye, a reverse image search tool, and PhoneInfoga, a Python-based phone number scanning tool.
