And that’s a wrap for another week in cybersec! Phew! How did we make it through this one….first the Uber hack, then the Rockstar Games hack and now two vulns added to the ‘log amidst all the Mudge/Musk drama at Twitter! Another popcorn here! 🍿

Zoho RCE

First up is a remote code execution vulnerability in ManageEnginePAM360, Password Manager Pro, and Access Manager Plus. An attacker can obtain system level privileges with a successful exploit. You know what that means? Dun, dun, dunnnnnn 💀

As we know from last week’s additions, this vulnerability poses a significant amount of risk, given the nature of the resources available to system users. The vulnerability is currently being exploited in the wild and there is PoC publicly available. Zoho is one of the largest technology companies in the world with over 80 million users, so security engineers should not throw caution to the wind if they have products with the affected versions. The fix was released back in June, so it’s likely this has already been exploited. As is typical, the recommended action forward is to upgrade the instances of Password Manager Pro, PAM360 and Access Manager Plus stat.

Sophos code injection

The other vuln is a code injection vulnerability in the User Portal and Webadmin of Sophos Firewall. Although this is basic perimeter defense, the fact that remote code execution is possible means you can Frankenstein the situation from afar. Who wouldn’t want to execute random scripts from the comfort of their basement? Hotfixes have been published for version v19.0 MR1 and older. If you’re not rocking those, make sure you are not exposed to the WAN and get that VPN up and running before sunset.

#cisa #cisanalysis #zoho #sophos #rce #vulnerabilities

Summary 

• The report offers a comprehensive view of Meta’s risks across multiple policy violations like Coordinated Inauthentic Behavior (CIB), inauthentic behavior, cyber espionage, and other emerging threats, like mass reporting.

• The report discusses various actions Meta’s security team took against two ongoing cyber espionage operations in South Asia.

• As part of its campaign against new and emerging threats, the report discusses how Meta removed a mass reporting network in Indonesia, a brigading network in India, and coordinated violating networks (CVNs) in Greece, India, and South Africa.

• Under its Inauthentic Behavior policy targeting artificially inflating distribution, the report says Meta took down numerous accounts, Pages, and Groups worldwide.

• The report also discusses how Meta removed three networks engaged in CIB operations in Israel, Malaysia, and Russia.

Introduction

All of us are active Social Media users, which is exerting a greater influence on our lives in today’s technological age. But as the number of active users increases, so does the sophistication of threat actors, who continue to devise newer ways to compromise accounts, steal credentials, dictate their agenda, etc. For example, there are groups of people trying to flood comment streams and attack the post owner and other users to push forward their agenda and intimidate users with dissenting views. The evolving threat landscape compels social media giants like Meta to define robust security policies and take proactive steps to protect their communities. The Quarterly Adversarial Threat Report Q2 dives deeper into Meta’s actions against malicious activities.

Cyber Espionage Networks

Cyber espionage actors target internet users to collect intelligence, manipulate them to reveal sensitive information and compromise their accounts and devices. Some of them deploy advanced malware that incorporates exploits, while others use basic low-cost tools that require lesser technical expertise to deploy. Thus Meta believes, as per the report, it democratizes access to surveillance and hacking capabilities since the barrier to threat actors’ entry becomes lower. Furthermore, it allows the threat groups to gain plausible deniability and hide in the “noise” when security researchers scrutinize them.

Steps Meta Took:

Meta took down accounts, notified users targeted by malicious groups, and blocked the groups’ domain infrastructure from getting shared on Meta’s services. Furthermore, they shared findings with security researchers and industry peers to help them stay vigilant about the activity. 

Bitter APT (Advanced Persistent Threat) Group

Meta took action against a hacker group called Bitter APT, which operated from South Asia and targeted users in New Zealand, the United Kingdom, India, and Pakistan. While the group’s activity was low in operational security and sophistication, it was well-resourced and persistent. Bitter deployed various malicious tactics to target users with social engineering and injected malware into their devices. They used a mix of malicious domains, link-shortening services, third-party hosting providers, and compromised websites to distribute their malware. Security researchers at Meta discovered that their platform was used as an element of a wider cross-platform cyber espionage campaign. They found the following noteworthy TTPs (tactics, techniques, and procedures) used by the threat actors:

1. Social engineering: Bitter threat actors created fictitious personas and posed as young women, activists, or journalists across the internet. They tried to build trust with users to trick them into visiting malicious links or downloading malware.

1. iOS application: Meta’s recent investigation discovered Bitter deploying an iOS chat application for users, who could download it through Apple’s Testflight service for developers, ensuring that it will help beta-test their new applications.

1. Android malware: The researchers discovered Bitter using a custom Android malware family they named Dracarys. It used accessibility services, the Android operating system feature, to assist users with disabilities, allowing them to automatically click and grant the application certain permissions.

1. Adversarial adaptation: This Bitter group aggressively responded to Meta’s detection and blocking of its domain infrastructure and activity.

APT36

Meta discovered another threat group whose activity was low in sophistication, but it persistently targeted many services over the internet – from social media and email providers to file-hosting services. APT36 deployed various malicious tactics to target users with social engineering and injected malware into their devices. They used malicious and camouflaged links and fake Android and Windows-run apps to distribute their malware. Meta’s security team took action against the APT36 threat actors active in Afghanistan, Pakistan, UAE, India, and Saudi Arabia. They targeted government officials, military personnel, students, and employees of non-profit and human rights organizations. Furthermore, the report suggests that Meta’s investigation linked the activity to state-linked actors in Pakistan. They discovered the following noteworthy TTPs used by the threat actors:

1. Social engineering: APT36 threat actors created fictitious personas and posed as recruiters for fake and legitimate organizations, military personnel, or women looking for romantic connections. 

2. Real and spoofed websites: The report suggests that the APT36 threat actors used various tactics, including using custom infrastructure to inject their malware. Some domains masqueraded as generic app stores or photo-sharing websites, while others were spoofed domains of applications like Microsoft’s OneDrive, Google Play Store, and Google Drive.

3. Camouflaged links: The group utilized link-shortening services and disguised malicious URLs. Furthermore, they used preview sites and social cards (the online marketing tools to customize the displayed image when a particular URL gets shared on social media) to mask the ownership and redirection of domains APT36 controlled.

4. Android malware: APT36 did not directly share malware on Meta platforms but used the above tactics to share links to spoofed websites.

The “Emerging Harms” Networks

The report states that Meta’s threat disruption began by tackling inauthentic operations where users hide who’s behind them and advanced to authentic actors engaging in harmful and adversarial behaviors on its platform. This section of Meta’s report discusses how it is taking proactive steps to stay ahead in this adversarial space. 

Steps Meta Took:

Meta deployed control levers to enforce against networks having broadly varying aims and behaviors like:

1. Groups that coordinated women’s harassment

2. Decentralized movements that collaborate a call for violence against government officials and medical professionals

3. An anti-immigrant group inciting harassment and hate

4. An activity cluster focused primarily on spreading misinformation

Mass Reporting

Under its Inauthentic Behavior policies, Meta removes activity when it finds adversarial networks coordinating an abuse against its reporting systems to get content or accounts incorrectly taken down from the platform. Threat actors do it intentionally to silence others. In Q2 of 2022, the report states that Meta removed a network of 2,800 accounts, Pages, and Groups in Indonesia. They coordinated to report users for violations like impersonation, terrorism, hate speech, and bullying to get them wrongfully removed from Facebook. Meta researchers found that the reports mainly focused on Indonesian users, particularly the Wahhabi Muslim community. Factors considered while investigating Mass Reporting:

1. Coordination Signals

2. High Report volume

3. Misleading and abusive nature of reports.

Brigading

Under its Bullying and Harassment policies, Meta removes activity when it discovers adversarial networks engaging in repetitive behavior, for mass-commenting on their target’s posts or sending them direct messages. The report suggests that the behavior intends to harass, overwhelm or silence the target. 

In Q2 of 2022, Meta took down a brigading network of 300 Facebook and Instagram accounts in India that collaborated to mass-harass people, including actors, activists, comedians, and other influencers. The network actively posted across the internet, including Instagram, Facebook, Twitter, YouTube, and Telegram. Factors considered while investigating Brigading:

1. Repetitive targeting to silence or harass people, with unsolicited comments or messages

2. Coordination Signals

3. A high volume of activity

4. Efforts to evade enforcement

Coordinated Violating Networks

Meta’s Account Integrity policies remove coordinated violating networks (CVNs) when it finds people (with authentic or fake accounts) coordinating to violate or evade its Community Standards. Hence, Meta removed two clusters of Pages and accounts on Facebook and Instagram in Greece that collaborated to repeatedly violate its policies against hate speech, misinformation, and incitement to overthrow the government violently. Factors considered while investigating Coordinated Violating Networks.

1. Coordination signals showed an organized group directly working under centralized directions.

2. Systematic violation of Meta’s community standards.

3. Efforts to evade enforcement

Inauthentic Behavior

Meta defines Inauthentic behavior (IB) in its Community Standards as something that misleads the platform and the users about the popularity of the content, the people’s identity behind it, or the purpose of a community (i.e., Events, Groups, Pages). The report suggests that the behavior is centered around increasing and amplifying content distribution and is mostly (not exclusively) financially motivated. IB operators mainly focus on the quantity and not the quality of engagement. For example, they use many low-sophistication fake accounts for mass-posting or liking their content — commercial, social or political. 

Steps Meta Took:

In focus: Philippines

1. Manual investigations and disruptions:

Ahead of the Philippines election, Meta’s investigative teams took down over 10,000 accounts for violating its IB policy. The accounts used IB tactics to increase the distribution of content like election-related posts, including others using politics as a spam lure when people showed interest in following these topics. The report states that Meta used threat intelligence and continued working on identifying repetitive behavior patterns showing characteristics of IB clusters in the region.

2. Automated detection at scale:

Working on the actionable insights, Meta automated the detection of IB patterns and complemented the manual investigations. Consequently, the security teams consulted experts to identify numerous IB clusters in the Philippines and enforced quick action against 15,000 accounts. Meta researchers concluded that most IB clusters were not more than six months old when they got disabled. 

3. Automated enforcement:

Complimenting automated detection and manual disruptions, Meta focused on automating enforcement against these IB patterns, relying on its rigorous election preparation in the Philippines. Hence, the security teams could tackle specific repetitive and high-confidence inauthentic behavior (IB) in the Philippines and worldwide.

Coordinated Inauthentic Behavior (CIB)

Meta views CIB as a coordinated effort to manipulate the public discourse for a strategic goal, having fake accounts at the center of the operation. The report says that in these cases, people coordinate and use fake accounts to mislead others about what they do and who they are. 

Steps Meta Took:

Meta’s security team investigated and removed the CIB operations by focusing on behavior rather than content. According to the report,  it did not matter who was behind them, what they posted, or whether they were foreign or domestic. 

Malaysia

Meta removed 596 Facebook accounts, 72 Instagram accounts, 180 Pages, and 11 Groups for violating their policy on coordinated inauthentic behavior. The network originated in Malaysia, targeting its domestic audiences.

Israel

Meta removed 259 Facebook accounts, 107 Instagram accounts, 42 Pages, and 9 Groups for violating its policy on coordinated inauthentic behavior. The network originated in Israel, targeting Nigeria, Angola, and the Gaza region in Palestine.

Russia

The report has a detailed sub-section on how the security researchers investigated the CIB in Russia. Meta took down an Instagram account network operated by a troll farm in Russia’s St. Petersburg that targeted global public discourse regarding the Ukraine war. The report underlines that the campaign was a poorly executed attempt and that threat actors publicly coordinated through a Telegram channel. They wanted to create a grassroots online support perception for Russia’s invasion and used fake accounts to upload pro-Russia comments on influencers and media content. The researchers linked the activity to a self-proclaimed entity, “Cyber Front Z,” and individuals associated with the Internet Research Agency (IRA). Meta has banned Cyber Front Z from its platforms. 

Conclusion

The Meta Quarterly Adversarial Threat Report Q2 offers insight into the risks Meta sees globally and across multiple policy violations. It covers Meta’s expanded threat reporting areas like cyber espionage, inauthentic amplification, mass reporting, brigading, and other malicious behaviors. Furthermore, It alerts people who Meta believes were targeted by these campaigns. Thus, it is a reliable guide for tech companies, governments, law enforcement, and security researchers in helping them understand the social media threat landscape and preventive measures that can be taken to limit the damage caused by malicious actors.

Reference

Ben Nimmo, David Agranovich, Margarita Franklin, Mike Dvilyanski, Nathaniel Gleicher. (2022, September 8). Quarterly Adversarial Threat Report. About.fb.com. Retrieved September 8, 2022, from  

https://about.fb.com/wp-content/uploads/2022/08/Quarterly-Adversarial-Threat-Report-Q2-2022.pdf

Photo by Dima Solomin on Unsplash

#meta #facebook #adversary #CIB #threats #security #espionage

You have gotten a shell but you are not yet a privileged user, and now you want to enumerate the system to try and find a way to escalate those privileges so that you can become a system level user.

System Enumeration

With a quick findstring – findstr, and a couple of other commands we can issue a command like this:

You can easily see what system and version you run, architecture, etc. Remember! You want to find adequate exploits for the system in question, you might run into an x86 architecture, or a Windows Enterprise system, so you don’t want to bombard it with random exploits. That’s why enumeration is key – so you can extract information that you can use. As we all know there are five stages to the process – but enumeration is usually the vital part! Enumerate, enumerate, enumerate!!

To check for patches and other stuff that’s installed on the target Windows computer, you might use a command like this:

wmic qfe

Wmic is the Windows Management Instrumentation (WMI – sysadmins/engineers and our support guys knows what this is about) and the WMIC is a command-line interface for the WMI.

QFE in the command above will look for recently installed patches. Very useful when trying to discover what type of exploit the computer will be vulnerable to. QFE stands for Quick Fix Engineering. After running the command on my system, you can observe the following:

As you can notice, you will see the related KB – knowledge base, type of update (security, etc.), who installed it, the HotFix ID, as well as the date it was installed on. Further, if you only want specific stuff, like the Caption, HotFixD and Installed on, you can run something like this:

wmic qfe get Caption,HotFixID,InstalledOn

To enumerate drives, you can issue a command like this:

wmic logicaldisk

This will give a messy output, though, so you can use the same methodology as the above and for example say get Caption:

wmic logicaldisk get Caption

And quickly check if there are any drives other than the C: drive on the computer. (In my case there’s not, but if there are, this command will find them, and you might want to look around those drives in search for something interesting…)

Of course, you can also use the good ol’ hostname and whoami to check the name of the computer you’re currently within, and to check the domain/username of that same computer, respectively.

Network Enumeration

I will just do a few of the commands here, just so you can get a basic idea of what you might end up doing upon entering the system. You would probably start with the basic ipconfig command or the ipconfig /all command to see the information about stuff like the default gateway, DNS server, etc. If you’re on a domain, you might see a DC as a DNS server.

Another one is arp -a which can tell you about the stuff that’s communicating with your box. A quick look at the route tables, with a route print you can also see where your machine is communicating too. This is cool as it will show you the NICs on the machine, telling you if you need to elevate or if you can just pivot of that other NIC.

A very important command here to do is netstat! You want to do the netstat -ano and check what services are listening and where. You can gather a lot of information here, and in conjunction with the commands above with all this stuff you might also glean a bit on the architecture of the said network/systems. Of course, the mileage may vary. If you’re a seasoned pro, even though you might be using the same commands, you would immediately understand what’s happening, but regardless, it is a place to start no matter the experience.

User Enumeration

Here you can do something like:

whoami /priv

To check for the privileges you have.

whoami /groups

To see which groups you belong to.

Further, you would want to do a net user command to see what user you are… remember, if you just gained a foothold on a box, you might not necessarily be a user, you could also land on a service. In that case, you will probably want to find more users so you can escalate to them, or just immediately escalate to an administrator user.

You can also do net user <username> or net user administrator – to see what groups they belong to. To see the administrator group members you would do net localgroup administrators.

These are some basic quick and dirty commands to check stuff about your users, groups, and their privileges.

 

Remarks

All of the above can be done, and probably will if you’re doing this professionally, with tools that can automate the process. But, in order to better understand those tools and what they’re doing in the background, I created this short intro, cause ultimately it will be some variation or a more complex version of the stuff above with some more stuff tacked onto it.

Lastly, those tools just might not work, or something else along those lines. Be aware of those caveats, as for example, WinPEAS is a very, very, good tool but it requires a version of .NET that’s greater than 4 which will obviously be useless if your Windows box that you got a hold of doesn’t have and you are a user that can’t install it, or you don’t want to set off the alarms.

The main idea here is to understand the context, which is also why all the pentesting tutorials and other resources almost exclusively emphasize the importance of having rock solid understanding of the basics.

Tooling

Some of the tools you might end up using:

• WinPEAS

• Watson – Is a .sln file, meaning you have to compile (and know the .NET version on the machine)

• PowerUp – Part of Powersploit

• Win PrivEsc Checklist – Awesome checklist for PrivEsc

• Windows Exploit Suggester – a vuln checker in a format of a Python script

You might want to try these in your lab environment to familiarize yourself first. There’s also probably way more of these tools out there, but these are some of the ‘main’ ones, as they’re tried and tested.

Conclusion

Before concluding, I’d just like to emphasize again how important it is to know the context you’re in. Also, sometimes less truly is more and even though the tooling can be a tremendous time-saver, you first need to understand its nuts and bolts, otherwise you’re basically doing what script kiddies do. Take your time, and it will pay off.

Finally, enumerate, enumerate, enumerate!

Stay tuned.

Cover image by Omar Flores

#windows #enumeration

OWASP stands for Open Web Application Security Project. It is a non-profit organization whose mission is to improve software security. It is based on an “open community model,” thus, anyone can participate. 

The OWASP community is well-known; I also refer to them in some of the articles I wrote.

OWASP started to publish a top 10 list of vulnerabilities way back in 2003. Since then, the list is updated every two or three years. The latest list was published in 2021. At the end of this article, I will provide a list of important pages on OWASP’s site.

By OWASP definition: The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

And, of course, as you can guess, this list is created by the community of developers specializing in security risks.

OWASP Top ten 2021 vulnerabilities:

• Broken access control
• Cryptographic failures
• Injections
• Insecure design
• Security misconfigurations
• Vulnerable and outdated components
• Identification and authentication failures
• Software and data integrity failures
• Security Logging and monitoring failures
• Server-Side Request Forgery (SSRF)

I will not focus on historical differences within the OWASP top 10. However, I wanted to mention that the difference between new versions of the list is mainly in categorization (often in adding new categories as new malicious attacks emerge), renaming, changing scopes, etc.

In my previous articles, I already covered some of the vulnerabilities from the OWASP list. In this article, I am going to focus more on Sensitive Data Exposure which is now known as Cryptographic failures. Now the focus of this category is cryptography failures that lead to sensitive data exposure.

Sensitive Data Exposure

When web applications accidentally expose sensitive information that should not be public, that vulnerability is called “Sensitive Data Exposure.” By sensitive data, I mean the data which should be protected by the GDPR. This includes personal data such as name, date of birth, credit card numbers, and even usernames and passwords. Unfortunately, if the website’s security is poor, sometimes, data can be found on the web server. But often, it is a case where attackers would perform the “man in the middle – MiTM” technique to try to hijack sensitive data.

This attack happens when the attacker places themself between the user and the web application. They would make a fake site, so the user thinks they went to their desired site but were redirected to the attacker’s fake site. Or for example, the attacker intercepts messages between the user and the server and gains control of that conversation. Basically, they control the flow of the request and the responses.

Exposing flat-file database

The database is often used to store all kinds of data, including sensitive data.

For this example, we will consider a small web application whose database is saved is saved as a single file on the disk of a computer (server).

The most common database engine used for this database type is SQLite.

In this case, the attacker would need to navigate and find the location of the database and then download it. They would then have access to the data in the database and could query it to get the results. Of course, it will probably not be easy if the data is encrypted, but the attack becomes a lot easier if the attacker downloads the database and has the file saved locally.

In one of my articles, I described one technique-Path Traversal, which attackers are using to navigate to a certain file. Check it out! I will not describe how to find the file and download it; if you read the mentioned article, you will have an idea about how it is done.

So, we are on the step when we download the database, and now, we want to check out the results in it.

As I mentioned, in this example SQLite queries are used. You can check out select and distinct syntax with SQLite here.

For example, if you are using Kali, sqlite3 is installed by default, so you can just refer to the man pages.

To access the database, you would issue a command like this:

sqlite3 targetDB

to see the list of tables:

.tables

To check out table info for the table:

PRAGMA table_info(users)

More info about pragma statements on this site.

Check out all user’s info:

SELECT * FROM users

Then, if the passwords are stored in this database, they would probably be hashed, and the next step would be to use some tool to crack the hash, for example, John the Ripper, Hashcat, or some other password-cracking tool.

When the attacker gets to the password, it is the beginning of the game for them! And the end of the game for the user.

Prevention steps Sensitive Data Exposure

When deciding on the storage type, it is very important to remember that you shouldn’t store sensitive data that is not required (store the least amount of data). If you need to store it, first figure out the safest location to store it and how to prevent the leakage of sensitive data.

When you store the data, you must encrypt it! I found this site you can check out if you are working with ASP .NET CORE and want to see how to encrypt/decrypt data using the interface IDataProtector!

Before you store the data, it should be safe at all times, especially in transit! For safe transit, use TLS, which would enable secure communication. If you are using ASP .NET check out how to enable TLS on this blog.

As I mentioned before, attackers often use the “man in the middle” technique; because of that, you might want to consider setting up something like HSTS(HTTP Strict Transport Security). If you are familiar with and want to use Angular to implement HSTS, there is a brief explanation on their official site.

While I mentioned ASP .NET and HSTS, if the application is in production you can modify startup class(or Program.cs if it is .NET 6)to use UseHttpsRedirection(HTTPS Redirection Middleware) and a also UseHsts(HSTS Middleware). If you want to use the mentioned Middleware, check out the official site!

Conclusion

I wanted to show you how many vulnerabilities from OWASP’s Top 10 list we covered through the previous articles and how many are left to be covered.

In the end, secure code is the cheapest code!

OWASP pages related to the topic:

• OWASP Top 10 2021
• Sensitive Data Exposure 2017
• Cryptographic Failures 2021

Cover photo by Brett Jordan

#owasp #cryptographic-failures #top10

When I got the alert from CISA, I was a bit perplexed too. Why these vulnerabilities and why now? I mean we’re talking about bugs used back in 2015 to root Android devices and infect apps with the Zika malware…ergh, wait, no that’s not right… What was it? Zizi….no…ah! Tizi!

In the Binding Operational Directive (BOD), CISA makes it clear that they only add vulnerabilities to the catalog if there is clear evidence of active exploitation, despite the age of the vulnerability. So it could have been exploited midway through Obama’s first term, as is the case for CVE-2010-2568, or just as recently as last week with attackers going after a vulnerability in Trend Micro’s Apex One.

The Windows Shell Remote Code Execution vulnerability affects Windows XP, Server 2003, Vista, Server 2008, and Windows 7. I can’t say for certain how many federal agencies are running with these operating systems. But governments are typically burdened with red tape and they don’t operate like private enterprises. So there could be some vulnerable systems out there that hackers can take advantage of. 

So, at the end of the day, it doesn’t hurt to dig up these patches from the Stone Age and apply them. But I’m sure most threat actors are not paying any attention these days with so much $$$ in the crypto wallet hacks.

#cisa #cisanalysis #windows #Tizi #vulnerabilities #trendmicro