
Computer Forensics – Windows Registry – Pt. 1

Intro

Computer forensics is a sub-field of cybersecurity that deals with gathering and examining evidence of how a computer was used. It falls under the larger field of digital forensics, which covers all kinds of digital devices, from the examination and recovery of data to the analysis of what is found on them.

Digital forensics is widely used and needed, from the private sector (where you might analyze your own organization internally, or work an incident response case) to the courtroom.

In a legal setting, digital forensics can be used to support a hypothesis in a civil or criminal case, or to refute one.

There are even cases that went cold for years before being solved with the techniques used in this field. One famous example is the BTK serial killer case, which had gone cold for years until the perpetrator began taunting the authorities by sending them letters, and eventually a floppy disk.

The police recovered a deleted MS Word document from that floppy disk, analyzed the document's metadata, pinpointed the killer, and finally arrested him.

From the Wikipedia article on the case:

Police found metadata embedded in a deleted Microsoft Word document that was, unknown to Rader, still stored on the floppy disk.[54] The metadata contained the words “Christ Lutheran Church”, and the document was marked as last modified by “Dennis”.[55] An Internet search determined that a “Dennis Rader” was president of the church council.[52] When investigators drove by Rader’s house, a black Jeep Cherokee—the type of vehicle seen in the Home Depot surveillance footage—was parked outside.[56] This was strong circumstantial evidence against Rader, but they needed more direct evidence to detain him.[57]

As you can see, computer forensics can be quite useful: it provides insight into what has happened on, or to, our computer systems. Connecting the dots further, it can even help establish what a particular person did, as the example above illustrates.

Windows

Windows is by far the most used desktop OS, with roughly 75% of the market at the time of writing. That is mostly why I intend to focus on Windows forensics, although I will cover Linux forensics in the future as well.

Why is the Windows Registry important from a forensic perspective?

The registry is, for practical purposes, the database of the OS itself. It contains the configuration data for the system and is organized hierarchically.

From MS docs:

The registry is a hierarchical database that contains data that is critical for the operation of Windows and the applications and services that run on Windows. The data is structured in a tree format. Each node in the tree is called a key. Each key can contain both subkeys and data entries called values.

This means the registry holds information about the software, the hardware, and the users. That includes recently used programs and files, as well as devices that are or have been connected to the system. You can probably infer how valuable this is to a forensic investigator.

The registry on a Windows system comprises these five root keys:

  1. HKEY_CURRENT_USER
  2. HKEY_USERS
  3. HKEY_LOCAL_MACHINE
  4. HKEY_CLASSES_ROOT
  5. HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER – Contains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored here. This information is associated with the user's profile. This key is sometimes abbreviated as HKCU.

HKEY_USERS – Contains all the actively loaded user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS (more precisely, a link to the HKEY_USERS\<SID> subkey of the logged-on user). HKEY_USERS is sometimes abbreviated as HKU.

HKEY_LOCAL_MACHINE – Contains configuration information particular to the computer (for any user). This key is sometimes abbreviated as HKLM.

HKEY_CLASSES_ROOT – Is a subkey of HKEY_LOCAL_MACHINE\Software. The information stored here makes sure that the correct program opens when you open a file using Windows Explorer. This key is sometimes abbreviated as HKCR.

Starting with Windows 2000, this information is stored under both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys. The HKEY_LOCAL_MACHINE\Software\Classes key contains default settings that apply to all users on the local computer; the HKEY_CURRENT_USER\Software\Classes key contains settings that override the defaults and apply only to the interactive user. HKEY_CLASSES_ROOT provides a view of the registry that merges these two sources, and also provides this merged view to programs designed for earlier versions of Windows.

To change settings for the interactive user, make the changes under HKEY_CURRENT_USER\Software\Classes rather than under HKEY_CLASSES_ROOT; to change the defaults, use HKEY_LOCAL_MACHINE\Software\Classes. If you write keys to a key under HKEY_CLASSES_ROOT, the system stores them under HKEY_LOCAL_MACHINE\Software\Classes. If you write values to a key under HKEY_CLASSES_ROOT and the key already exists under HKEY_CURRENT_USER\Software\Classes, the system stores them there instead.

HKEY_CURRENT_CONFIG – Contains information about the hardware profile that is used by the local computer at system startup.

Strictly speaking, these root keys are not hives. A hive is a logical group of keys, subkeys, and values that is backed by a single file on disk (plus its supporting transaction-log files). The tree regedit shows is assembled from the loaded hives; HKEY_CURRENT_USER and HKEY_CLASSES_ROOT, for example, are links into HKEY_USERS and HKEY_LOCAL_MACHINE rather than hives of their own.

You can see this by opening regedit.exe and looking around the registry: the folders you see are keys, and the entries listed within them are the values, as described above.

Access Hives Offline

Please note that the above applies to a live system, where you can use the built-in regedit.exe. If you only have a disk image, you go about it slightly differently. First, you should know that the system hives are stored on disk in the C:\Windows\System32\config directory.

Let me digress for a bit. Why is this important? In an investigation you would typically image the disk first (hence the disk image) and conduct the investigation on the copy, because you don't want to contaminate your evidence by working on the original. Even though imaging is straightforward in theory, in practice it can be quite different.

The goal is simple: copy one disk to another. The drive to be imaged is typically removed from the computer and connected to a workstation or a dedicated imaging device. It is vital to control the writing process, i.e. to place a hardware write blocker between the source disk (the evidence) and the destination disk (the one we're copying to). You need this because you don't want to invalidate your investigation by accidentally writing data to the source disk.

You should also forensically wipe the destination disk beforehand. Forensic tools such as FTK Imager (for imaging) and Autopsy (for analysis) usually produce logs or reports that document these steps. Finally, when the preparations are done and the imaging completes, you compute hashes of the source and of the image; matching hashes are your proof that you have an exact copy of the disk under investigation.
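As an added example (not code from the original post or from any imaging tool), here is how that final verification step can be scripted in Python: the evidence is read once, every chunk is fed to several digests at the same time (forensic reports list MD5 and SHA-1 side by side), and the source and image digests are compared. The sample "drive" and "clone" are constructed in memory so the script runs offline; against real media you would open the device behind the write blocker (for instance r"\\.\PhysicalDrive1" on Windows, an assumed path) and the raw image file.

```python
import hashlib
from io import BytesIO

CHUNK = 4 * 1024 * 1024   # read 4 MiB at a time so a multi-terabyte image never sits in memory

def multi_digest(stream, algorithms=("md5", "sha1", "sha256")):
    """Hash a stream once, feeding every chunk to all requested digests.
    Forensic tools report MD5 and SHA-1 side by side; doing it in one pass
    avoids reading the evidence several times."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        total += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {"bytes": total, **{name: h.hexdigest() for name, h in hashers.items()}}

def verify_image(source, image):
    """Compare the digests of the source medium and its image; returns a record to file with the case notes."""
    src, img = multi_digest(source), multi_digest(image)
    mismatches = [k for k in src if src[k] != img[k]]
    return {"source": src, "image": img, "verified": not mismatches, "mismatches": mismatches}

def demo():
    # Constructed stand-ins for a drive and its clone. Against real media you would open the
    # device behind the write blocker, e.g. open(r"\\.\PhysicalDrive1", "rb") on Windows (assumed path),
    # and the raw .dd image written by the imaging tool.
    disk = bytes(range(256)) * 4096                      # 1 MiB of constructed "drive" content
    good = verify_image(BytesIO(disk), BytesIO(disk))
    tampered = bytearray(disk)
    tampered[777] ^= 0x01                                # a single flipped bit in the clone
    bad = verify_image(BytesIO(disk), BytesIO(bytes(tampered)))
    return good, bad

if __name__ == "__main__":
    for label, record in zip(("identical", "tampered"), demo()):
        print(label, "verified" if record["verified"] else f"MISMATCH in {record['mismatches']}")
```

A single flipped bit changes every digest, which is the point: the record proves that the image you analyze is byte-for-byte what came off the evidence drive, and a mismatch means you stop and re-image rather than proceed.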

I will mention the tools above, and others, in my future articles on this topic, but for now let me get back on track and talk about the locations of the aforementioned hives on the respective disk(s).

These hives are:

  1. DEFAULT (mounted at – HKEY_USERS\.DEFAULT)
  2. SAM (mounted at – HKEY_LOCAL_MACHINE\SAM)
  3. SECURITY (mounted at – HKEY_LOCAL_MACHINE\SECURITY)
  4. SOFTWARE (mounted at – HKEY_LOCAL_MACHINE\SOFTWARE)
  5. SYSTEM (mounted at – HKEY_LOCAL_MACHINE\SYSTEM)

Each hive file sits next to its transaction logs (SYSTEM.LOG1 and SYSTEM.LOG2, and so on). Windows writes changes to the logs first, so a hive copied from a running or crashed machine can be missing recent writes that exist only in those logs; grab them together with the hive, and let your parsing tool replay them.

Aside from these, there are two more hives that hold per-user information and live in the user's profile directory, C:\Users\<username> (on Windows 7 and later).

The two hives are these:

  1. NTUSER.DAT (mounted at HKEY_CURRENT_USER, i.e. HKEY_USERS\<SID>, once the user logs in)
  2. USRCLASS.DAT (mounted at HKEY_CURRENT_USER\Software\Classes)

NTUSER.DAT is found directly in C:\Users\<username>, and USRCLASS.DAT in C:\Users\<username>\AppData\Local\Microsoft\Windows. Both files carry the hidden and system attributes, and both are locked while the user is logged on, so on a live system you need a raw disk read or a Volume Shadow Copy to collect them.

(Screenshots: NTUSER.DAT and USRCLASS.DAT in their profile directories)

Finally, there is the Amcache hive, which is quite important forensically: it records metadata about executables that have been present on, or run from, the system, including the full path, file size, timestamps and a SHA-1 hash of the file (of its first 31 MB, to be precise), so it can evidence binaries that have since been deleted. It is located at C:\Windows\AppCompat\Programs\Amcache.hve.

(Screenshot: Amcache.hve)
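Since a hive is just a file, you can read it without Windows at all. The following Python is an added example, not code from the original post or from any forensic tool: a minimal parser for the hive ("regf") format that reads the base block (sequence numbers, last-written time, embedded file name), then walks the key ("nk"), subkey-list ("lf"/"lh"/"li") and value ("vk") cells into a dictionary tree. The hive it parses is constructed in memory by build_sample_hive() so the example runs offline; the key and value names in it (Run, Updater, Settings and so on) are made-up test data, not anything recovered from a real system. For real casework use a maintained library such as python-registry or regipy, or RegRipper; this is to show what those tools do under the hood.

```python
import struct
from datetime import datetime, timedelta, timezone

BINS_BASE = 0x1000      # hive bins start right after the 4 KiB base block that opens with "regf"
NO_OFFSET = 0xFFFFFFFF  # "no such cell"
REG_SZ, REG_DWORD = 1, 4
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch; ticks are 100 ns

def filetime_to_datetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def _cell(buf, off):    # payload of the cell at hive-bins-relative offset `off`; negative size = allocated
    start = BINS_BASE + off
    size = struct.unpack_from("<i", buf, start)[0]
    if size >= 0:
        raise ValueError(f"cell at 0x{off:x} is free, not allocated")
    return buf[start + 4:start - size]

def parse_header(buf):
    if buf[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive")
    seq1, seq2, ts = struct.unpack_from("<IIQ", buf, 4)
    return {
        "file_name": buf[0x30:0x70].decode("utf-16-le").rstrip("\x00"),
        "last_written": filetime_to_datetime(ts),
        "root_offset": struct.unpack_from("<I", buf, 0x24)[0],
        "dirty": seq1 != seq2,   # unequal sequence numbers: writes still sit in the .LOG1/.LOG2 transaction logs
    }

def _read_values(buf, list_off, count):
    values = {}
    for voff in (struct.unpack_from(f"<{count}I", _cell(buf, list_off)) if count else ()):
        v = _cell(buf, voff)
        if v[:2] != b"vk":
            raise ValueError("expected vk cell")
        name_len, size, data_off, dtype, vflags = struct.unpack_from("<HIIIH", v, 2)
        name = v[0x14:0x14 + name_len].decode("latin-1" if vflags & 1 else "utf-16-le") or "(Default)"
        if size & 0x80000000:   # data of 4 bytes or less is stored inline in the offset field
            data = struct.pack("<I", data_off)[:size & 0x7FFFFFFF]
        else:
            data = _cell(buf, data_off)[:size]
        values[name] = (data.decode("utf-16-le").rstrip("\x00") if dtype == REG_SZ
                        else struct.unpack("<I", data)[0] if dtype == REG_DWORD and len(data) == 4
                        else bytes(data))   # other types are left raw
    return values

def _subkey_offsets(buf, list_off):   # lf/lh: (offset, 4-byte name hash) pairs; li: bare offsets
    lst = _cell(buf, list_off)
    sig, count = lst[:2], struct.unpack_from("<H", lst, 2)[0]
    if sig not in (b"lf", b"lh", b"li"):
        raise ValueError(f"unsupported subkey list {sig!r} (ri index roots of huge keys are not handled here)")
    stride = 4 if sig == b"li" else 8
    return [struct.unpack_from("<I", lst, 4 + stride * i)[0] for i in range(count)]

def walk_key(buf, off):   # recursively read the key ("nk") cell at `off` into a plain dict tree
    c = _cell(buf, off)
    if c[:2] != b"nk":
        raise ValueError(f"expected nk cell at 0x{off:x}")
    flags, ts = struct.unpack_from("<HQ", c, 2)
    n_sub, _, sub_off, _, n_val, val_off = struct.unpack_from("<6I", c, 0x14)
    name = bytes(c[0x4C:0x4C + struct.unpack_from("<H", c, 0x48)[0]])
    return {
        "name": name.decode("latin-1") if flags & 0x20 else name.decode("utf-16-le"),   # 0x20: ASCII name
        "last_written": filetime_to_datetime(ts),
        "values": _read_values(buf, val_off, n_val),
        "subkeys": [walk_key(buf, o) for o in (_subkey_offsets(buf, sub_off) if n_sub else [])],
    }

def build_sample_hive():   # constructed test data: a tiny but structurally valid NTUSER.DAT-like hive
    ts, cells = ((datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1)) * 10, bytearray()
    def alloc(payload):   # append one allocated, 8-byte-aligned cell; return its hive-bins-relative offset
        total, off = (4 + len(payload) + 7) & ~7, 0x20 + len(cells)   # 0x20 = hbin header size
        cells.extend(struct.pack("<i", -total) + payload.ljust(total - 4, b"\x00"))
        return off
    def vk(name, dtype, data):
        inline = len(data) <= 4
        size = (0x80000000 | len(data)) if inline else len(data)
        data_off = struct.unpack("<I", data.ljust(4, b"\x00"))[0] if inline else alloc(data)
        return alloc(b"vk" + struct.pack("<HIIIHH", len(name), size, data_off, dtype, 1, 0) + name)
    def nk(name, children, value_offs, flags=0x20):   # children: (nk offset, 4-byte name hash) pairs
        sub_off = alloc(b"lf" + struct.pack("<H", len(children)) + b"".join(struct.pack("<I", o) + h for o, h in children)) if children else NO_OFFSET
        val_off = alloc(struct.pack(f"<{len(value_offs)}I", *value_offs)) if value_offs else NO_OFFSET
        fixed = struct.pack("<HQ15IHH", flags, ts, 0, NO_OFFSET, len(children), 0, sub_off, NO_OFFSET,
                            len(value_offs), val_off, NO_OFFSET, NO_OFFSET, 0, 0, 0, 0, 0, len(name), 0)
        return alloc(b"nk" + fixed + name)
    sz = lambda text: text.encode("utf-16-le") + b"\x00\x00"
    run = nk(b"Run", [], [vk(b"OneDrive", REG_SZ, sz(r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe")),
                          vk(b"Updater", REG_SZ, sz(r"C:\Users\Public\update.exe"))])
    settings = nk(b"Settings", [], [vk(b"Enabled", REG_DWORD, struct.pack("<I", 1))])
    root = nk(b"ROOT", [(run, b"Run\x00"), (settings, b"Sett")], [], flags=0x2C)   # 0x2C: root key flags
    bins_size = (0x20 + len(cells) + 0xFFF) & ~0xFFF
    hbin = bytearray(bins_size)
    hbin[:4], hbin[0x20:0x20 + len(cells)] = b"hbin", cells
    struct.pack_into("<II", hbin, 4, 0, bins_size)   # this bin's offset within the bins area, and its size
    base = bytearray(BINS_BASE)
    base[:4], base[0x30:0x44] = b"regf", "NTUSER.DAT".encode("utf-16-le")
    struct.pack_into("<IIQII", base, 4, 7, 7, ts, 1, 5)               # seq1 == seq2 (clean), timestamp, version 1.5
    struct.pack_into("<IIIII", base, 0x1C, 0, 1, root, bins_size, 1)  # primary file, format 1, root cell, bins size, cluster
    return bytes(base + hbin)
```

To read a real hive: buf = open("NTUSER.DAT", "rb").read(), then tree = walk_key(buf, parse_header(buf)["root_offset"]). Two things the parser surfaces that matter in practice: every key carries its own last-written timestamp, which is what lets you say when a Run value was planted; and if parse_header reports dirty=True, the hive on disk is missing writes that are still in the .LOG1/.LOG2 files beside it, and a full tool should replay those before you trust the most recent keys.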

Conclusion

To conclude, I covered some basics of computer and digital forensics in general, as well as the Windows registry and its hives. The registry is also something threat actors abuse in numerous ways (Run keys for persistence are the classic example), and in the next article we will look at how to ascertain what they did to our devices. I will also cover the forensic tools mentioned, such as Autopsy and FTK Imager, and Linux forensics will be covered too!

Stay tuned.

Cover image by Immo Wegmann

#registry #forensics #windows

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Analyzing the Quantum Threat

The era of quantum computers has arrived.

This isn’t just another “next step” of computing… The application of emerging quantum computing tech in the cybersecurity industry will result in arguably the most significant disruption the world has ever seen.

It could change healthcare by revolutionizing the creation of more effective medicines and vaccines.

It could change the environment by significantly decreasing energy consumption and waste.

It could save lives that would otherwise be lost in natural disasters by facilitating the creation of extremely accurate weather forecasting.

And it could change the face of cybersecurity by obsoleting modern cryptography.

Oops.

Just how can a new evolution of computing do all this? Through the strange world of quantum mechanics.

How Quantum Mechanics Have Evolved Our Thinking

We all know the story of Schrödinger's cat: it exists as both dead and alive inside a box until someone opens said box. If that sounds confusing, you're not alone. The same quandary provoked the most brilliant minds of the era nearly 100 years ago, at the fifth Solvay Conference in 1927.

Nobel Prize-winning minds such as Albert Einstein, Erwin Schrödinger, Werner Heisenberg, and many more gathered to debate the most pressing problems in physics and chemistry. At this particular conference the prizefight concerned a controversial theory that defied common sense. Back then, the world as most people knew it was dictated by Newtonian mechanics, the school of thought derived from Isaac Newton's laws of motion.

Newtonian mechanics is, at its core, the body of physical law that emerged in the 1600s with Isaac Newton. According to Newton, objects have positions and velocities, and forces act upon them. The central tenet of Newtonian mechanics is that objects move in smooth, orderly, and predictable patterns. These are the laws that govern the physical dimension we know, see, and interact with each day.

It has defined our reality for so long that it is nearly impossible to imagine a world where any other system of mechanics could be possible at the macro level. And with it come centuries of developing, testing, and validating these classical laws of the physical world.

That all changed around the turn of the century. In 1894 Max Planck took on the problem of the light and heat radiated by hot bodies, work of obvious interest to the lighting industry: as a filament heats up its color shifts from red to yellow to white, and the physics of the day could not explain the spectrum it emits. His way out, in 1900, was to assume that energy is not delivered in a continuous wave but in packets he called "quanta", each proportional to the frequency of the radiation. This breakthrough earned him a Nobel Prize and founded a new theory of physics: quantum mechanics.

Then, in 1897, J.J. Thomson identified a subatomic particle now known as an electron. This discovery turned the world upside down. If you think of Newtonian mechanics governing common, everyday scenarios, you’d imagine how objects should move and how objects should interact with one another.

For example, at a construction site, a wrecking ball colliding with a brick wall should result in the wall’s destruction. At the classical mechanical level, the space occupied by the brick wall cannot simultaneously be occupied by the wrecking ball.

But shrink our construction site down to the size of an atom and look at this from the quantum level. Here, the wrecking ball does not destroy the wall… it “quantum tunnels” through it and back again! Both the wrecking ball and the brick wall are intact.

Oh, it gets weird. But it’s real.

Enter Einstein, whose 1905 paper on the photoelectric effect proposed that light itself arrives in discrete packets (later called photons), each carrying an energy fixed by its frequency. An electron is knocked out of a metal only if a single photon carries at least the required energy; below that threshold frequency no electrons are released, no matter how intense the light. This cemented the theory pioneered by Planck that light energy comes in quanta.

Consider the double-slit experiment. Fire large objects at a wall through two slits, one on the left and one on the right. Not all of the objects make it through: some collide with the edges and fall to the ground (classical mechanics in action). Those that pass the left slit hit the back wall and form a slit-shaped band on the left; the same happens on the right.

Now shrink the experiment down to the quantum world and fire electrons instead of large objects. Rather than the two slit-shaped bands of the Newtonian case, we get a pattern of many alternating bright and dark bands across the back wall: an interference pattern.

So what happened? Probability.

In quantum mechanics the electron is described by a wave of probability that passes through both slits. Each bright band on the back wall is a place where the waves from the two slits reinforce each other, and each dark gap a place where they cancel; an individual electron lands in one band or another with the corresponding probability, rather than at a single Newtonian destination.

The next few years were ones of rigorous academic study and debate, where the world’s foremost thinkers challenged the limits of their intellect in a back-and-forth of academic papers.

“God does not play dice with the universe,” said Einstein. To which Niels Bohr shot back, “stop telling god what to do.”

But despite this evolution in theory, the world mostly remained governed by Newtonian physics. Only today, nearly a century after quantum mechanics stumped Einstein, are we finally at the tipping point of using quantum mechanics to revolutionize everything.

But how exactly will quantum mechanics change the way we secure our collective online presence?

Read on…

The Quantum Revolution Arrives

Through quantum mechanics, the world's biggest technology companies are building quantum computers that could outperform today's most advanced supercomputers on certain problems. How? Instead of bits, they compute with qubits, which can be in a superposition of "1" and "0" at the same time, and entangle them so that some computations scale in ways classical machines cannot match. That makes them attractive for problems such as simulating molecules, optimization, and the number-theoretic calculations that underpin modern cryptography; they are also being explored for machine-learning workloads such as facial recognition and voice transcription, although the speedups there are far less certain.

The potential for quantum computing is almost limitless. Scientists have only just begun exploring its capabilities, but it is clear that this technology will change how information can be stored and processed in ways we never thought possible.

Therefore the potential for quantum computing to revolutionize how we process information is massive. And the same capability cuts the other way: a machine that can factor large numbers quickly could break the public-key cryptography that protects the world's most sensitive networks.

Which means we will need to rethink cybersecurity from the ground up.

And we’re currently right at the doorstep of quantum computing becoming ubiquitous. For example, Google’s Sycamore achieved quantum supremacy in 2019. Amazon, too, is heading into quantum computing with Braket, forging Quantum-Computing-as-a-Service (QCaaS).

It's very exciting stuff. But with the emergence of quantum computing comes a huge security problem that threatens to obsolete modern cryptography and expose our online data. Within five to ten years, much of what you think is safe could be exposed.

How to Combat the Quantum Threat

Today, cybersecurity relies heavily on asymmetric (public-key) cryptography such as RSA and elliptic-curve schemes, whose security rests on mathematical problems (integer factoring and discrete logarithms) that classical computers cannot solve in any practical time. A sufficiently large quantum computer running Shor's algorithm can solve them, which would make those schemes obsolete. Symmetric ciphers and hash functions are affected far less: Grover's algorithm only halves their effective key strength, so doubling key sizes is enough.

This is what’s known in the industry as the “Quantum Threat.” And it’s coming. But while many computer scientists believed that the quantum threat was 15-plus years away as recently as 2019, rapid advancements in quantum computing have most pegging the quantum threat to arrive between 2025 and 2030.

That means investment in modernizing today’s encryption methods needs to start now because overhauling the world’s cybersecurity system will take time. And to be ready for the quantum threat, governments and companies need to develop new quantum-safe cryptography today.

There are dozens of companies across the world working on quantum-safe cryptography today. One such company is Arqit, which describes its product as the best quantum-safe method in existence to date.

Arqit's solution involves placing a small quantum device on a constellation of satellites in orbit. The satellites transmit keys generated and protected with quantum techniques to datacenters around the world, and in-house software then distributes those keys to end-point devices such as phones and laptops. The company describes the result as a provably secure ecosystem whose keys cannot be broken by any amount of computing power.

To be clear, that is a gross oversimplification of what Arqit does, and it describes only one approach. The other, and the one standards bodies are pursuing, is post-quantum cryptography: new public-key algorithms (lattice-based, hash-based and similar) that resist quantum attacks while running on ordinary hardware, which NIST has been standardizing through an open competition. Either way, it illustrates how cybersecurity systems might change in the wake of the quantum threat.

A terrestrial version of Arqit’s technology is commercially available today in a very limited capacity. In 2023, the company intends to launch two quantum satellites into space aboard a Virgin Orbit rocket, at which point it will begin full-scale commercial operations.

As with any breakthrough technology, investment in quantum-safe encryption is set to expand rapidly. This is the next evolution, and arguably the final destination, of cybersecurity. The quantum threat, however, is likely still more than five years away.

Giving us at least some time to get our collective shit together.

#vicarius_blog #quantum_computing


Blockchain Security – The New Threat. Part 2.

The Blockchain Threat

This is the conclusion of a two-part series. Read part one here.

One of blockchain technology’s claims to fame is that it enables trustless interactions between parties. For the most part, this is a true statement.

Corrupt technology and fallible human actors can cause unwanted outcomes. But for better or worse, the truth of the matter is that we’ll never be able to do away with the need for trust. Humans must remain in the equation in some way or another.

Blockchains simply alter who we need to trust.

For example, when sending money to someone, banks normally function as the trusted intermediary. They take the money you want to send, and then they pass it on to your friend.

Thanks to “trustless” blockchains, folks can send money to a far-off friend without the need for a trustworthy bank.

And despite there being no direct middlemen involved, trust is still involved in the process.

We’re not required to trust a bank in this case, but we are still required to trust. We must place our trust in the developers of blockchains, smart contracts, wallets, and the like.

It isn’t a bank handling our money — it’s thousands (and thousands) of lines of code.

But what if that code contains mistakes, or is compromised in some way?

How Blockchains Can Be Compromised

Blockchains are vulnerable in four main ways:

  • Phishing.
  • Sybil attacks.
  • Routing.
  • 51% attacks.

Phishing: Phishing in the blockchain world targets the owners of wallet keys. A bad actor may send an official-looking email, or stand up a fake wallet site, that prompts the reader to enter their seed phrase or private key, which is all that is needed to drain the wallet.

Sybil: In a Sybil attack, one actor creates a large number of fake identities (nodes) on the peer-to-peer network to gain disproportionate influence over it: surrounding honest nodes with attacker-controlled peers, feeding them a stale or false view of the chain, or censoring their transactions. On its own a Sybil attack does not rewrite the ledger, but it is a building block for the routing attacks below.

Routing: Blockchain nodes exchange blocks and transactions over the ordinary Internet. An attacker who can manipulate routing, for example by hijacking BGP prefixes at the ISP level, can delay or intercept that traffic and partition the network so that groups of nodes see different chains. Research has shown that this enables double-spending against the isolated partition and wastes its mining power, typically without any alarm being raised.

51% Attacks: To rewrite a proof-of-work blockchain, an attacker needs a majority of the network's mining power (or, on proof-of-stake chains, of the stake). That is possible if a group of miners pool their hash rate, or if a single party rents enough of it. With a majority they can mine a private chain faster than everyone else and then publish it, reorganizing recent blocks to undo (double-spend) their own transactions or censor others'. What they cannot do is forge other users' signatures or spend coins they do not hold, so the damage is to transaction finality rather than to wallets directly.
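To make the 51% figure concrete, here is an added worked example (not part of the original post) implementing the calculation from section 11 of the Bitcoin whitepaper: the probability that an attacker holding a fraction q of the hash rate, starting z blocks behind, ever produces a longer chain. It is a gambler's-ruin problem. With q < 0.5 the probability falls off exponentially in z, which is why exchanges wait for a number of confirmations before crediting a deposit; with q >= 0.5 the attacker succeeds with certainty, and no number of confirmations helps.

```python
from math import exp

def attacker_success_probability(q, z):
    """Probability that an attacker controlling a fraction q of the hash rate,
    currently z blocks behind the honest chain, ever overtakes it
    (Nakamoto's gambler's-ruin analysis, Bitcoin whitepaper section 11)."""
    if not 0 <= q < 1:
        raise ValueError("q must be in [0, 1)")
    p = 1 - q                    # honest share of the hash rate
    if q >= p:
        return 1.0               # majority attacker: the random walk is biased in their favour, success is certain
    lam = z * q / p              # expected attacker blocks while the honest chain mined z blocks
    total, poisson = 0.0, exp(-lam)              # k = 0 term of the Poisson distribution
    for k in range(z + 1):
        if k:
            poisson *= lam / k                   # Poisson(k) from Poisson(k - 1): no huge powers or factorials
        total += poisson * (1 - (q / p) ** (z - k))   # attacker made k blocks and must still close z - k
    return 1 - total

def confirmations_needed(q, max_risk=0.001, limit=1000):
    """Smallest number of confirmations z that pushes the attacker's success probability below max_risk,
    or None if no z up to `limit` does (always the case for q >= 0.5)."""
    for z in range(limit):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None

if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45, 0.5, 0.6):
        print(f"q={q:.2f}: P(z=6)={attacker_success_probability(q, 6):.7f}  confirmations for <0.1%: {confirmations_needed(q)}")
```

The numbers reproduce the whitepaper's table: with 10% of the hash rate an attacker six blocks behind wins about 0.02% of the time, which is where the familiar "six confirmations" rule comes from, whereas at 30% the same risk level needs a few dozen confirmations, and at 50% or more the function returns 1.0 regardless of z.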

Being able to prevent hacks from happening is the best-case scenario.

But clearly, this doesn’t work — more than $1.2 billion has been stolen so far this year… and that’s only money taken from decentralized finance (DeFi) platforms.

Since hackers often move faster than these platforms, it can seem futile to try to keep pace with them.

But keeping pace with the threat is exactly what several blockchain-based cybersecurity firms are doing.

The Cryptos Tackling Blockchain Security

Take CertiK, a blockchain cybersecurity firm that provides a variety of security solutions for the crypto world. CertiK performs audits of crypto projects, aiming to reveal any issues that could be exploited by bad actors. After first letting project developers fix their code, CertiK publishes these reports online to remain transparent in its ratings. And it keeps an updated “Web3 Security Leaderboard” on its website for all to see.

Obviously, not everyone has the time, energy, and expertise to manually dig through code to find potential flaws.

And that’s one reason CertiK exists — to manage the technical side of research for investors and end users.

CertiK also offers on-chain smart contract monitoring via its Skynet platform.

Skynet is powerful. It monitors on-chain activity in real time, which enables teams to not only detect unintended network usage but also monitor growth metrics.

SkyTrace is another of its monitoring tools. It’s like Skynet but is specifically designed to track wallets. SkyTrace detects suspicious activity and fraud, and it can also verify that wallets comply with certain regulations before being interacted with. And this feature is free for public use.

CertiK also offers penetration testing for wallets, exchanges, and decentralized applications (dApps) to help discover bugs and exploits before they’re taken advantage of.

Then there’s Lossless, which got its start when one of its founders was affected by a DeFi hack.

Wanting to take matters of security into their own hands, they worked diligently to find ways to mitigate risk to their own personal assets.

And somewhere along the way, they realized the significant impact their idea could have across the entire DeFi space. Lossless was born, billing itself as the first and only DeFi hack mitigation tool.

Rather than attempt to prevent hacks from happening, it’s fast and effective at stopping malicious actors as quickly as possible.

When most hacks happen, the affected projects are quite hopeless. It’s entirely up to the hacker to return any stolen assets. Hopefully, there’s some way to prevent further damage, but this isn’t always the case.

With Lossless, hacking scenarios play out differently.

Here’s how it’s typically used:

  1. A project integrates Lossless’ code into its own, which enables certain functions like token freezing.
  2. When a bad actor attempts to steal funds in some way, finders — who have access to the Lossless SDK to build hack detection tools — can stake LSS tokens to temporarily freeze the affected ones. Other parties can add to this stake if they believe the finder to be correct in their assumption.
  3. Members from the Lossless team, the project team, and other Lossless committee members then meet to determine whether the hack is legitimate.
  4. If there is a hack, the bulk of the money that was frozen is returned to the project. As a reward for preventing a potentially crippling hack, a percentage of the recovered funds goes to the finder and others that staked to them, as well as to the Lossless team. This incentivizes finders to develop cutting-edge threat detection, and it provides funding for the crypto’s team.
  5. If there is no hack, the money is unfrozen, and the finder’s stake is confiscated. This ensures only threats that appear legitimate are reported and the ability to freeze transactions is not abused.

Freezing assets might sound antithetical to crypto’s decentralized tactics, but many would see the financial damage done through hacked funds far outweighing any inconveniences.

And perhaps the committee that determines whether a hack has occurred may someday be replaced with a more decentralized body of individuals. The sky is the limit in the future. But for most projects, some amount of centralization is necessary at the start.

And most likely, unless you’re moving vast amounts of money or completing bizarre transactions, you’ll never be affected by it.

For many with money invested in DeFi protocols, the peace of mind a Lossless integration allows far outweighs any cons.

#vicarius_blog #blockchain


Countering ‘Hack-for-hire’ Groups: How Do They Work? Recent Attacks and Preventive Measures

Just as we have cybersecurity professionals working diligently to secure organizations and prevent the loss of information assets, there are also threat actors that offer offensive services such as commercial cyber surveillance or spyware as a service. Similarly, government-backed actors are acting at the behest of state surveillance agencies. Another breed of cyber threat actors identifying themselves as Hack-for-hire groups is also actively operating in the current cyber ecosystem. Below is more information on who they are, how they work, and what organizations and individuals can do to keep them at bay.

Who are the Hack-for-hire Groups?

Hackers as a whole need no introduction. As a subgroup, Hack-for-hire groups consist of experts who offer hacking as a service to entities that lack the skills or capability to do it themselves. For instance, police and law-enforcement agencies engage hackers to help them get breakthroughs in cybercrime cases; those experts are referred to as ethical hackers. On the flip side, other groups offer hacking services to various entities in order to carry out illegal or illegitimate activities.

While ethical hackers offer services to genuine organizations to ward off infiltration from malicious actors, ‘hackers for hire’ groups generally offer their services to various entities in order to spy on their rivals and steal or corrupt sensitive information. For instance, when there is litigation between two companies, one of them may use the services of a Hack-for-hire group to infiltrate their opponent’s email account or information systems as a way to predict their next moves or learn something they can leverage against their competitors.

The Hack-for-hire entities either offer their services to a limited audience or advertise their services to anyone willing to provide proper remuneration, regardless of the final objective. Google’s Threat Analysis Group (TAG) has identified ‘Hack-for-hire’ groups from India, the UAE, and Russia to be among the foremost actors in this activity sphere.

Some Hack-for-hire groups masquerade as private investigators, whereas some work with the freelancing community to avoid employing their personnel directly. 

Are the Hack-for-hire Groups Similar to Commercial Surveillance Vendors?

Though their activities overlap, commercial surveillance vendors differ from Hack-for-hire groups in who carries out the intrusion. A surveillance vendor sells a product (spyware and the infrastructure around it) and the buyer operates it against targets of the buyer's choosing. A Hack-for-hire group conducts the attack itself, exploiting security vulnerabilities and known cybersecurity flaws on the client's behalf, and hands over the results. As mentioned above, Hack-for-hire services usually help one entity exfiltrate crucial data from its opponent, which is why these groups are also known as cyber mercenaries. What the two have in common is that both sell their capabilities to others.

Whom do these Hack-for-hire Groups Target?

Hack-for-hire groups generally target high-profile individuals, journalists, political activists, human rights activists, and other high-risk users globally, compromising their privacy, safety, and security. These threat actors also conduct cyber espionage and trade secret theft. Hack-for-hire services are offered not only at the corporate level but also at the individual level: hacking a social media account, changing grades on an educational institution's network, or infiltrating a personal computer to steal information. In essence, anyone can be a target. The following graph shows the average prices threat actors charge for such services; personal attacks, website hacking, and grade changes are among the most expensive (prices are in USD, converted from Bitcoin).

(Image Source: comparitech.com)

How do the Hack-for-hire Groups Work?

The Hack-for-hire groups work in various ways. Google's TAG has observed that the Indian Hack-for-hire entities use freelance actors and avoid getting involved directly. They also work through third-party investigative services to keep some distance between themselves and the work. Below are some examples that illustrate how they operate.

The Indian Hack-for-hire Entity

TAG has observed an Indian Hack-for-hire actor recently targeting an IT business service provider in Cyprus, an educational institution in Nigeria, a shopping mall in Israel, and a fintech company in the Balkans.

TAG has been tracking Indian Hack-for-hire actors since 2012. The threat actors were found to have worked previously for Indian offensive security providers such as Belltrox and Appin. Additionally, one group among them has targeted the healthcare, government, and telecom sectors in Saudi Arabia, the UAE, and Bahrain with credential phishing campaigns.

Sample AWS Phishing Interface

(Image Source: Threat Analysis Group | Google)

They have links to Rebsec, an entity that has openly advertised corporate espionage on its website.

Rebsec’s Offerings

(Image Source: Threat Analysis Group | Google)

The Russian Hack-for-hire Connection

Russia is widely regarded as a major source of cybercrime, as many cyber incidents over the past decades have originated there. Google's TAG encountered a Russian threat actor targeting journalists, politicians, and various NGOs and non-profit organizations while investigating a 2017 credential phishing campaign. Investigations also revealed that many of the targets were individuals and entities not affiliated with those organizations. This 'Hack-for-hire' actor has been referred to as Void Balaur.

The campaigns usually start with a credential phishing email that links to a phishing page, typically dressed up as a notification or message spoofing Russian government agencies. Once the account credentials are captured, the attackers establish access that does not depend on the stolen password: they grant themselves an OAuth (Open Authorization) token for a legitimate email client such as Thunderbird, or link the victim's account to an attacker-controlled account at a third-party mail provider, and then read the mailbox contents over IMAP (Internet Message Access Protocol) using a custom tool. Because such tokens and links are a form of persistence separate from the password, a compromise investigation should review third-party app access and linked accounts rather than only resetting the password.

Russian Phishing Message

(Image Source: Threat Analysis Group | Google)

TAG also observed that the actor's website(s) advertised hacking capabilities and claimed positive reviews on Russian underground forums such as Probiv.cc and Dublikat.

Hacker Service Pricing List

(Image Source: Threat Analysis Group | Google)

The United Arab Emirates Hack-for-hire Modus Operandi

TAG has found that the UAE Hack-for-hire group is mostly active in the Middle East and North Africa (MENA) region. It generally targets government organizations, educational institutions, and political entities. Its modus operandi relies on fake Google or OWA (Outlook Web App) password reset emails to harvest credentials from its targets.

While many Hack-for-hire groups use open-source phishing frameworks, the UAE group uses a custom phishing kit built on Selenium, a framework for automating web browsers. After a compromise, this group works like the Russian entity: it grants itself OAuth tokens, or links the compromised target's email account to an adversary-controlled account at a third-party email provider.
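The persistence step shared by the Russian and UAE groups above (a phished account, then an OAuth grant to a mail client or a link to an external account, then mailbox reads over IMAP) leaves a recognizable trail in account audit logs. The script below is an added example, not code from the original article or from Google TAG. Its audit event format, the sample events, and the organisation-specific settings (internal domain, approved mail clients, mail-reading scopes, correlation window) are all constructed assumptions; map the field names onto your provider's real audit log (Google Workspace token and login events, the Microsoft 365 unified audit log, or an IMAP server's authentication log) before relying on it.

```python
"""Hunt for the grant-then-read persistence pattern in an account audit log.

Added example, not code from the original article or from Google TAG. The
audit event format and the sample events are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for the example: the organisation's own domain, the mail clients it
# has sanctioned, the OAuth scopes that allow reading mail, and how long after a
# suspicious grant an IMAP login from a new address is considered linked to it.
INTERNAL_DOMAIN = "example.org"
APPROVED_MAIL_CLIENTS = {"Corporate Outlook", "Managed Mobile Mail"}
MAIL_READ_SCOPES = {"mail.read", "imap", "mail.all"}
WINDOW = timedelta(hours=24)

# Constructed audit log, one JSON object per line, deliberately out of order.
SAMPLE_LOG = """
{"ts": "2022-07-01T08:02:11Z", "user": "j.doe@example.org", "event": "login", "ip": "203.0.113.10", "client": "web"}
{"ts": "2022-07-01T08:05:40Z", "user": "j.doe@example.org", "event": "oauth_grant", "app": "Thunderbird", "scopes": ["mail.read", "imap"]}
{"ts": "2022-07-01T08:06:02Z", "user": "j.doe@example.org", "event": "imap_login", "ip": "198.51.100.77", "client": "Thunderbird/91"}
{"ts": "2022-07-01T09:15:00Z", "user": "j.doe@example.org", "event": "account_link", "target": "collector@mail.example.net"}
{"ts": "2022-07-01T10:00:00Z", "user": "a.smith@example.org", "event": "oauth_grant", "app": "Corporate Outlook", "scopes": ["mail.read"]}
{"ts": "2022-07-01T10:01:00Z", "user": "a.smith@example.org", "event": "imap_login", "ip": "203.0.113.10", "client": "Outlook"}
{"ts": "2022-06-20T07:00:00Z", "user": "a.smith@example.org", "event": "imap_login", "ip": "203.0.113.10", "client": "Outlook"}
"""


def parse_events(text):
    """JSON lines -> list of events sorted by time (logs rarely arrive in order)."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def analyse(events):
    """Return {user: [findings]} for users showing the grant-then-read pattern."""
    findings = defaultdict(list)
    seen_ips = defaultdict(set)       # addresses each user has used before, any event type
    risky_grants = defaultdict(list)  # times of suspicious grants/links per user
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "oauth_grant":
            if e["app"] not in APPROVED_MAIL_CLIENTS and MAIL_READ_SCOPES & set(e["scopes"]):
                findings[user].append(f"{ts:%Y-%m-%d %H:%M} mail-read OAuth grant to unapproved app {e['app']!r}")
                risky_grants[user].append(ts)
        elif e["event"] == "account_link":
            if e["target"].rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
                findings[user].append(f"{ts:%Y-%m-%d %H:%M} account linked to external address {e['target']}")
                risky_grants[user].append(ts)
        elif e["event"] == "imap_login":
            # Only a *new* address shortly after a suspicious grant is alerted on;
            # a first-ever IMAP login on its own would fire on every onboarding.
            new_ip = e["ip"] not in seen_ips[user]
            after_grant = any(timedelta(0) <= ts - t <= WINDOW for t in risky_grants[user])
            if new_ip and after_grant:
                findings[user].append(f"{ts:%Y-%m-%d %H:%M} IMAP login from unseen address {e['ip']} within {WINDOW} of a suspicious grant")
        if "ip" in e:
            seen_ips[user].add(e["ip"])
    return dict(findings)


if __name__ == "__main__":
    for user, items in analyse(parse_events(SAMPLE_LOG)).items():
        print(user)
        for item in items:
            print("  -", item)
```

On the constructed log, j.doe produces three findings (the Thunderbird grant, the IMAP login from the never-before-seen address a minute later, and the link to an external address) while a.smith, whose grant went to an approved client and whose IMAP logins come from a known address, produces none. If your organisation sanctions Thunderbird, the grant alone is no longer a signal, but the unseen-address rule still catches the attacker's IMAP reads; a production version would also baseline IP history over weeks rather than over the window it is analysing.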

Investigations revealed that the UAE Hack-for-hire group has connections with the original developers of H-Worm and njRAT.

Fake Google Alert for Phishing

(Image Source: Threat Analysis Group | Google)

Preventive Measures to Protect from the Hack-for-hire Actors

Here are preventive measures one can take to protect information assets from these 'Hack-for-hire' actors.

  • Phishing protection: A pattern emerges from the modus operandi of these actors: the attack usually begins with a phishing email. The first preventive measure is therefore awareness of phishing and similar fraudulent messages, including what a genuine password reset or security alert from your provider looks like.
  • Multi-factor authentication: Enable 2FA (2-Factor Authentication) or multi-factor authentication (MFA) as an additional layer of security against these threat actors, so that a phished password alone is not enough to sign in.
  • Updates and advanced protection: Google TAG recommends that high-risk users keep their devices updated and enable Advanced Protection on their accounts. It also advises enabling Enhanced Safe Browsing at the Google Account level.
  • Spoofing precaution: Email spoofing is another crucial area of concern. Do not trust a message's claimed sender, and do not follow password reset or security alert links from unsolicited email; open the provider's site directly (or from a bookmark) and check whether a reset is really pending. Be equally careful with websites reached through search results or any other source that cannot vouch for the site's genuineness.
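The fake Google and OWA password reset emails described above, and the spoofing precaution in the list, come down to one check a mail gateway or an analyst can automate: do the links in a "reset your password" message actually point at the provider the message claims to be from? The script below is an added example, not code from the original article or from Google TAG. The two sample messages are constructed, and the per-brand allowlist of legitimate hosts is an assumption to be replaced with your own.

```python
"""Check whether a 'password reset' / 'security alert' email really points at
the provider it claims to come from.

Added example, not code from the original article or from Google TAG. The
sample messages are constructed; LEGIT_HOSTS is an assumed allowlist.
"""
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Hosts that may legitimately carry reset/alert links for a brand (assumption).
LEGIT_HOSTS = {
    "google.com": {"accounts.google.com", "myaccount.google.com"},
    "example.org": {"owa.example.org"},
}
ANCHOR_RE = re.compile(r"""<a\s[^>]*href=["']([^"']+)["'][^>]*>(.*?)</a>""",
                       re.IGNORECASE | re.DOTALL)

# Constructed lookalike: the visible text says accounts.google.com, the real link
# is http:// to a foreign domain, and replies would go somewhere else again.
PHISH_EMAIL = """\
From: Google <no-reply@google.com>
Reply-To: security-team@gmail-support.example
To: j.doe@example.org
Subject: Security alert: password reset requested
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone requested a password reset for your account.</p>
<p><a href="http://accounts.google.com.reset-verify.example/login">https://accounts.google.com/signin</a></p>
<p><a href="https://myaccount.google.com/security">Review activity</a></p>
</body></html>
"""

# Constructed genuine-looking message for comparison.
CLEAN_EMAIL = """\
From: Google <no-reply@google.com>
To: j.doe@example.org
Subject: Reset your password
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://accounts.google.com/signin/recovery">Reset password</a></p></body></html>
"""


def registered_domain(host):
    """Crude registrable domain (last two labels). Use the Public Suffix List
    in production so that hosts under e.g. 'co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_findings(href, text, brand, legit_hosts):
    """Findings for one anchor, given the brand the message claims to be from."""
    found = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        found.append(f"{href}: not https")
    if any(label.startswith("xn--") for label in host.split(".")):
        found.append(f"{href}: punycode hostname (possible homograph)")
    if host not in legit_hosts.get(brand, set()):
        found.append(f"{href}: {host!r} is not an approved {brand} host")
        if brand in host:  # brand name buried inside someone else's domain
            found.append(f"{href}: lookalike, registered under {registered_domain(host)!r}")
    shown = re.sub(r"<[^>]+>", "", text).strip()
    if re.match(r"https?://", shown, re.IGNORECASE):
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host != host:
            found.append(f"{href}: displayed URL host {shown_host!r} differs from real host {host!r}")
    return found


def check_message(raw, legit_hosts=LEGIT_HOSTS):
    """Return a list of findings; an empty list means nothing suspicious was seen.
    The From domain is taken as the claimed brand; a message sent from a domain
    with no allowlist entry has every link flagged, which is the intended result."""
    msg = message_from_string(raw, policy=default)
    brand = registered_domain(msg["From"].addresses[0].domain)
    findings = []
    reply_to = msg["Reply-To"]
    if reply_to and registered_domain(reply_to.addresses[0].domain) != brand:
        findings.append(f"Reply-To {reply_to.addresses[0].addr_spec} is outside {brand}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in ANCHOR_RE.findall(html):
        findings.extend(link_findings(href, text, brand, legit_hosts))
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, check_message(raw) or ["no findings"])
```

The constructed phishing message yields five findings (off-brand Reply-To, plain http, an unapproved host that embeds "google.com" as a lookalike, and a displayed URL whose host differs from the real one) while the clean message yields none. The check deliberately does not trust the From header for authenticity; pair it with SPF/DKIM/DMARC results from your gateway, which this example does not evaluate.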

Generally, Hack-for-hire actors go no further than compromising the email inbox and exfiltrating data; they rely mainly on social engineering rather than deploying malware. However, it is best to remain cautious, as more severe intrusions from these actors cannot be ruled out.

Final Words

Hack-for-hire groups are not a new phenomenon. As long as the objective is legitimate, such as fighting cybercrime, there is no problem with Hack-for-hire actors, as that falls within the ambit of ethical hacking. When their intentions are malicious, however, these groups can cause real harm, as the examples in this article show. Organizations and the general public alike therefore need to take the countermeasures above to avoid becoming targets of such groups.

References

  1. Huntley, S. (2022, June 30). Countering hack-for-hire groups. Threat Analysis Group. https://blog.google/threat-analysis-group/countering-hack-for-hire-groups/
  2. Glover, C. (2022, June 30). Investigation reveals network of Indian ‘hack-for-hire’ groups who steal data for paying clients. TechMonitor. https://techmonitor.ai/technology/cybersecurity/hack-for-hire-indian-cyber-mercenary
  3. Pernet, C. (2022, July 1). The business of hackers-for-hire threat actors. TechRepublic. https://www.techrepublic.com/article/what-are-hackers-for-hire/ 

#Google #phishing #threats #hacking #vicarius_blog

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

How the Common Vulnerability Scoring System Is Used (And Should You Rely on It?)

Amid the chaos on the world stage, the macroeconomic backdrop is full of uncertainties. But there is one thing we’re absolutely certain of: cybersecurity solutions will become much more prominent over the next few months and years as global cyberwarfare sets the stage for cybersecurity’s permanent elevation at both the national and corporate levels. 

Companies and governments are being hacked mercilessly in 2022. Even cybersecurity giants such as Entrust are being breached. The firm revealed that parts of its system were hacked on June 18. Before that, Okta was hit, impacting more than 366 of its corporate customers.

That’s just scratching the surface amid a sea change where cybersecurity solutions go from “optional” to “necessary.” This shift is starting today, but it will play out over the next several years. As it does, global cybersecurity spending will substantially accelerate. So will the need to understand the Common Vulnerability Scoring System (CVSS).

Let’s explore how the scoring system works and even how it doesn’t work.

What Is CVSS

The Common Vulnerability Scoring System is an open standard for scoring vulnerabilities, maintained by FIRST.org. CVSS communicates the severity of a vulnerability through three metric groups: base, temporal, and environmental.

Base Metrics

At the base level you'll see a score from 0 to 10 (which the other two groups can then adjust). Base metrics represent the characteristics of the vulnerability itself, which do not change over time or between environments. Base scores are readily available (the NVD entry for a CVE carries one, for example), so enterprises use them as a starting point to prioritize threats.

CVSS can create a pathway to accurate and consistent vulnerability scoring, which is why it’s used as the standard of measurement. Right now, CVSSv3.1 is used the most, although not everyone has kind things to say about it (we’ll get to that in a bit). 

For now, let’s focus on how CVSS works, starting with its scoring methodology which runs from 0.0 to 10.0 in 0.1 increments. 

As a system, the two most prevalent use cases are in 1) calculating and ranking threats based on severity of impact to your system environment, and 2) prioritizing which vulnerabilities to remediate first.

This is where it gets complex. For instance, CVSSv3.1 uses an "Attack Vector" metric (called "Access Vector" in CVSSv2) to capture how remote an attacker can be: the further away an attacker can be while still exploiting the flaw, the higher the severity.

Consider two situations: one in which the vulnerable system is reachable over the network by many thousands of users, and a second in which exploitation requires physical access to the device. The second scores as less severe than the one exploitable over the network.

The Attack Vector values are Network, Adjacent, Local, and Physical, and there are many more metrics, which we will explore in future CVSS articles.

An important consequence is the limited resolution of the score. Is there a unique score for every possible combination of metric values? In short, no. The eight base metrics allow 2,592 distinct combinations, but there are only 101 possible scores (0.0 to 10.0 in steps of 0.1), so many different vectors necessarily share the same number.

Further, the base metrics comprise two subscores, exploitability and impact, plus a Scope metric that determines which equation combines them. The exploitability subscore combines Attack Vector, Attack Complexity, Privileges Required, and User Interaction. The impact subscore focuses on what a successful exploit achieves and combines confidentiality (how much data the attacker can read), integrity (whether the attacker can modify data), and availability (whether the attacker can deny access to the component or render it unusable).

Temporal Metrics

There are also "temporal" metrics, which can change over time. They measure how exploitable a vulnerability is right now and whether remediation is available. The temporal group contains the following metrics:

  • Exploit code maturity: how reliable and widely available the code used to exploit the vulnerability is (unproven, proof of concept, functional, or high).
  • Remediation level: whether an official fix, temporary fix, or workaround is available, which changes as vendors respond.
  • Report confidence: how well confirmed the existence of the vulnerability and its exploitability are.

Environmental Metrics

With environmental metrics, the score modifies the base group according to a particular enterprise's characteristics, which may increase or decrease the severity of a vulnerability in that deployment. The metrics that make up the environmental group are as follows:

  • Modified base metrics: These let an organization re-score the base metrics for its own deployment, taking compensating or mitigating controls into account. For example, is the vulnerable component behind a firewall? On an unused, unconnected server? Or on an internet-facing server with public exposure? The last is the most severe relative to the former two.
  • Security requirements: These express an asset's business criticality as confidentiality, integrity, and availability requirements (each Low, Medium, or High), which weight the corresponding impact component up or down. Confidentiality refers to keeping information from unauthorized users; integrity refers to protecting information from being altered; availability refers to keeping information accessible to authorized users.

Acknowledging that we’re only scratching the surface of what CVSS is and how it’s used to prioritize exploits, we’d be remiss not to mention how limited the base score is in accounting for real-world exploits and other mitigating factors.

CVSS Criticisms

Criticisms of the Common Vulnerability Scoring System generally fall into two groups: criticisms of CVSS as a risk-identification method and criticisms of CVSS as a scoring system. Let's get into some specific complaints…

  1. The Attack Vector is not well defined. For example, paradoxes arise with a malicious PDF: it scores as "local" if it is downloaded and then opened, but as "network" if it opens immediately in the browser.
  2. The Attack Complexity criteria overlap with the Temporal score. Changes over time are meant to be isolated in the Temporal score; however, the base score tends to evolve as an exploit moves from hypothesis to the real world, which is only supposed to happen in the Temporal score.
  3. The concept of "Scope" is confusing, because a different equation is used depending on whether Scope is Unchanged or Changed.
  4. "High" and "low" are insufficient granularity for Attack Complexity. Compare that to CVSSv2, which had three levels of "Access Complexity."
  5. CVSSv3.1 consistently scores higher than version 2, which inflates the workload for admins.

These are just some of the many criticisms of CVSS; others can be found.

Perhaps the most important criticism is that a scoring system should be one input into how you prioritize threats, not the only one.

Yet many enterprises misuse CVSS as a ranking of risk. CVSS does not account for much of a vulnerability's context, such as whether it can be chained with other flaws or whether the affected asset is exposed at all, nor does it assess impact in a way that reflects how people might actually be affected by a vulnerability.

The Future of CVSS

Criticisms or not, dissent is what leads to improvements down the line, which we’ll very likely see in the next iteration of CVSS. However, from what I’ve been able to glean from my readings, CVSSv4 will likely not depart from predecessors in a meaningful way. That is, its core construction will remain in place, and many of its proposed changes mostly comprise the tweaking/adding of variables and their values.

As we head into the future, and as every datapoint and workflow in the world exists on a computer somewhere, securing those systems via cybersecurity solutions will become increasingly vital. In other words, a once-niche industry has blossomed into a burgeoning, $150-plus billion business that constitutes dozens of multi-billion-dollar companies.

To date, this industry has experienced astonishing growth. But it is nothing compared to what will come over the next decade.

The COVID-19 pandemic accelerated the global digital adoption. Such an acceleration sparked a surge in the volume of digital data and workflows in need of security. And in response to that surge, countries and companies alike significantly upped their spending on cybersecurity systems in 2021.

But the conflict in Eastern Europe has added a ton more fuel to the fire.

The reality is that the war between Russia and Ukraine (or, perhaps increasingly more accurately, the rest of the world) has emphasized that modern warfare is cyberwarfare.

And it will only escalate from here.

As it does, so will the need for education around scoring systems, and how to best use them in context with your enterprise’s specific environment. For instance, we use several scoring systems to set a baseline for criticality, but it’s important to consider how that score may change depending on your enterprise. 

A lot of vulnerability management companies do not consider such context, and that’s a huge mistake. We’re hopeful that the next iteration of CVSS addresses such limitations… but even so, it will always remain important to a degree to consider specific contexts and adjust how your threats should be prioritized.

#vicarius_blog #CVSS #vulnerabilitymanagement #vulnerabilities
