APT10 Breach Managed Service Providers

The attacks are attributed to an alleged Chinese APT (Advanced Persistent Threat) known by the name APT10. This group is also known as:

  • Red Apollo by PwC UK
  • CVNX by BAE Systems
  • Stone Panda by CrowdStrike
  • POTASSIUM by Microsoft
  • and menuPass Team by Trend Micro

The group behind the attacks has targeted Canada, Brazil, France, Norway, Finland, Switzerland, South Africa, Australia, Japan, and India for intellectual property and other sensitive information, according to a recent PricewaterhouseCoopers (PwC) UK and BAE Systems report and the technical annexure.

Be aware that if your MSP is on the list of compromised service providers, you need to assume that you have been compromised, even if you are sitting in a different country.

The following companies are noted to have been breached by a hacking campaign called ‘Cloud Hopper’.

  • IBM
  • Ericsson
  • Fujitsu
  • HPE
  • Tata Consultancy Services
  • NTT Data
  • Dimension Data
  • Computer Sciences Corporation and DXC Technology. HPE spun off its services arm in a merger with Computer Sciences Corporation in 2017 to create DXC.
  • Sabre
  • Huntington Ingalls Industries
  • And many of their clients….

Some evidence of the breach at the compromised MSPs (Managed Service Providers) dates back as early as 2010.

If you feel you may have been compromised through a 3rd-party service provider, I recommend that you engage an independent expert for the investigation and NOT the same MSP, as we have found that it is easy to ‘hide’ evidence.

RDP – ‘Really Do Patch’

With the release of security notice CVE-2019-0708 on the 14th of May 2019, we saw a sudden increase in port 3389 scanning on our external honeypot, as can be seen from the image below.

So far I have seen that there are more than 1 million IP addresses exposed to the Internet that are vulnerable to the “BlueKeep” exploit.

If we look at victimology, we need to understand the reason and also look at the source of the attacks. As we can see from the image below, Russia was the largest ‘culprit’ just after the exploit was made known. As a low-level cyber-war is taking place under our noses, we may have been compromised without realizing it. It is also said that a system compromise is normally detected only after 150 days. I have worked on a breach that had been active for more than 240 days.

RDP – Attacks by Country

The following image is, to me, a bit more worrying, as a very small percentage in the left diagram is ‘anonymizer’. A source using an anonymizer may be a more sophisticated attacker with tools to exploit your system. The problem with a system that has been breached is that it stays breached after you apply the patch.

RDP – Attack Source Reputation

As the CIO/CSO of your organization, you should have a handle on your assets, internal as well as external facing. Many companies allow RDP (Terminal Services), TCP 3389, to be accessible from the Internet, which in fact should not be allowed. It is a high risk to the organisation, and usually I do not find any logging and monitoring on such systems.

If you need access to any system, this should be done via a secure VPN with a proper authentication solution such as a 2FA (two-factor authentication) scheme.

It is time to do a system check!
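As an added example (not code from the original post), the two checks a system check should start with: a surge in distinct sources probing TCP/3389, and any internal host that still accepts RDP from the Internet. The log lines and the simplified firewall export format (`time action src dst dport`) are constructed for this example.

```python
"""Spot a surge in inbound TCP/3389 probes and any host that still accepts them.

Added example, not from the original post. The log format is a constructed,
simplified firewall export: "<ISO time> <ACTION> <src> <dst> <dport>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: a quiet day, then the post-advisory scanning spike.
SAMPLE_LOG = """\
2019-05-13T09:00:00 DROP 198.51.100.7 203.0.113.10 3389
2019-05-13T15:00:00 DROP 198.51.100.8 203.0.113.10 3389
2019-05-14T10:00:00 DROP 198.51.100.9 203.0.113.10 3389
2019-05-14T10:05:00 DROP 198.51.100.10 203.0.113.10 3389
2019-05-14T10:07:00 DROP 198.51.100.11 203.0.113.10 3389
2019-05-14T10:09:00 DROP 198.51.100.12 203.0.113.10 3389
2019-05-14T10:10:00 DROP 198.51.100.15 203.0.113.10 3389
2019-05-14T10:12:00 ALLOW 198.51.100.13 203.0.113.22 3389
2019-05-14T10:15:00 ALLOW 198.51.100.13 203.0.113.22 443
2019-05-14T10:20:00 DROP 198.51.100.14 203.0.113.10 22
"""

RDP_PORT = 3389


def parse(log_text):
    """Yield (timestamp, action, src, dst, dport) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, action, src, dst, dport = parts
        try:
            yield datetime.fromisoformat(ts), action.upper(), src, dst, int(dport)
        except ValueError:
            continue


def rdp_sources_per_day(log_text):
    """Distinct source IPs probing TCP/3389, bucketed by calendar day."""
    buckets = defaultdict(set)
    for ts, _action, src, _dst, dport in parse(log_text):
        if dport == RDP_PORT:
            buckets[ts.date().isoformat()].add(src)
    return {day: len(srcs) for day, srcs in buckets.items()}


def surge_days(log_text, factor=3):
    """Days where distinct 3389 scanners are at least factor x the previous
    day: the 'sudden increase' the honeypot showed after the advisory."""
    counts = rdp_sources_per_day(log_text)
    days = sorted(counts)
    return [d for prev, d in zip(days, days[1:]) if counts[d] >= factor * counts[prev]]


def exposed_rdp_hosts(log_text):
    """Internal hosts where an inbound 3389 connection was ALLOWed: these are
    the assets that belong behind a VPN with 2FA, not on the Internet."""
    return sorted({dst for _ts, action, _src, dst, dport in parse(log_text)
                   if dport == RDP_PORT and action == "ALLOW"})


if __name__ == "__main__":
    print("3389 scanners per day:", rdp_sources_per_day(SAMPLE_LOG))
    print("surge days:", surge_days(SAMPLE_LOG))
    print("hosts accepting RDP from the Internet:", exposed_rdp_hosts(SAMPLE_LOG))
```

Feed it your real perimeter export (after adapting `parse` to its columns); a host on the exposed list is a finding whether or not it has been patched, because the patch does not undo an earlier breach.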

Dunning-Kruger Effect in the Workplace

Information Security, IT Auditing, IT Risk Management, and many functions of this type within an organization lend themselves to many traits that can be classed as psychological egoism and can have a negative impact on the work environment. One of the most dangerous users you may encounter suffers from the Dunning-Kruger Effect. Let me explain what I have seen in some organisations and some of the attributes exhibited by the ‘problematic’ users.

Egocentric Superman

There could be many reasons why we find these users in our work environment. But before we try and classify others we need to also look at ourselves critically to make sure we do not fall into that category.

A challenge with a ‘CIO’ made me take a step back and have an independent subject-matter expert review my work as well as legal discovery to make sure that I am not at fault or lacking in my delivery. Let me describe what I have seen in the workplace over the years.

  • To hide laziness or incompetence, you will find the user shouting and complaining, with curse words thrown in as a matter of expression. He will hide mistakes by shifting the blame in public communication to create conflict. This conflict is used to direct attention away from the actual problem. His co-workers will mostly avoid the conflict and he will feel satisfied that he managed the ‘expectation’, but alas only in his own eyes.
  • The next user is a parasite leeching off his co-workers to climb the corporate ladder and exhibit knowledge that he actually does not have. In the book 40 Rules of Power by Robert Greene, rule 7 states ‘Get others to do the work for you, but always take the credit’. You know the guy… asking in email, or any other communication, for solutions to a problem and then publishing it to management as his own. He will not share information with co-workers, and if there is a team effort he will treat it as a one-way street… to his benefit.
  • The last one for this topic (there are more) is the user that exhibits the Dunning-Kruger Effect. This is a total lack of empathy combined with self-fulfilling attributes. Decisions are made without consideration of any data, but with a belief that he is right beyond any doubt. If he is challenged, he will use others that he has convinced to be in his circle to do the ‘dirty work’ of supporting his decisions. Examples include writing reports or emails that are filled with half-truths or deflecting from the evidence at hand. The company he works for is not important, just his existence.

The recommended action is that you must always document any interaction with co-workers to ensure that conflict is managed before it escalates to the point where it becomes a Human Resources problem. I suggest reading ’40 Rules of Power’ and trying to analyse yourself and your co-workers as a start.

‘Evidence trumps Dunning-Kruger’

Take these challenges and make sure they feed your growth as a person, with your primary focus on delivery for the organisation. One challenge I experienced triggered me to complete a task that had been on the back-burner for a while. Everything is a learning experience.

Do you have a view of the attacks in your network?

All traffic in and out of your environment MUST be monitored for unknown traffic and reviewed by skilled staff, and if required incident response initiated. In the following image (clickable for a large view) you can see that there are attacks from Indonesia using the Apache Struts exploit.

Struts Attack to targeted server

I can note here that the server being attacked is a Hikvision security DVR. This server is targeted based on preliminary reconnaissance (high port), and sometimes by a random attack hoping for the best (port 80), because it is identified as a DVR and there are admin elevation attacks for a number of these devices.

The lesson that I want a person to take away here is to think about whether you have a continuous view of all the ‘weird’ traffic in and out of your network. The following checklist will help you pick some low-hanging fruit.

The first step in your IT risk management landscape is the asset management process. If you do not know what you have, you have no control over the actual risks present in your environment. Assets include hardware, software, data flows, data, users (internal and external), configuration of devices and many more.

  • Do you monitor all traffic in and out of your network?
  • Do you review the data using a review methodology (policies, standards, procedures and guidelines)?
  • The staff reviewing the data, are they skilled based on the requirements?
  • In case of an incident, what is your incident response plan?
  • Is the data trustworthy for evidence selection in case of an investigation?
  • Do you test your team by injecting some alerts at random times? (example: http://testmyids.com should trigger an event)
  • What reports are available and how is this presented as part of your management pack?

One recommendation I can give you is NOT to have a knee-jerk reaction and spend money without a proper PoC (Proof-of-Concept) as well as solution evaluations. If you are suspicious of your environment, there are many open-source tools as well as built-in ones (you already own them as part of your hardware, OS or other operating systems).

If you would like to get additional information on services and solutions feel free to leave a message with your email address in the form below.

Websites want me to remove my Ad-blocker

More and more sites I visit are detecting that I use an ad-blocker and asking me either to pay a daily or monthly fee to access their content, or to whitelist the site in my system. If the content is valuable and not available free from other sites, I would not mind having a small subscription and getting a regular feed. Removing my ad-blocker or white-listing a site may result in your system being compromised. This is because delivered ads may contain harmful code from fraudsters and users with malicious intent who buy ad space from ad re-sellers. As can be seen from the image, the anti-virus is blocking a potential risk from an ad-delivering site trying to run JavaScript on the workstation.

Possible threat from an ad being delivered

Websites that want ads displayed on your system have no clue what risk they are delivering to unsuspecting users.

In the future, ads will be blocked more at the enterprise level on all platforms as it is realized that the threat is bigger than previously thought. This is all due to fraud syndicates embracing technology for yet another compromise of the defense layer.

I recommend not allowing any ads while browsing the Internet, or at least having current, good anti-virus on your system, and not logging onto your system with a privileged account.


Getting caught by unsubscribing from spam

By unsubscribing you confirm your email to the main spamming company and you will only get more spam

Have you ever received a spam email that you have unsubscribed from before? Today I had a very interesting encounter with a local company jumping on the bandwagon to sell training by obtaining email lists from definitely dubious sources. My argument here is that we see many coming from the same source without anyone subscribing. Personally, I unsubscribed during May 2018 without being removed. Today (close to 4 months later and after numerous requests to be removed) the evidence of a spamming engine came to the fore.

My local defense layer consists of multiple security ‘check-points’. As you come in from the Internet, the first router has the normal edge protection such as attack mitigation, source validation, and more, but only at a rudimentary level. It is more effectively used for egress (from the inside out) destination validation. This is a very nice feature which came in handy in this example.

Perimeter router with IDS and IPS

The next level is a firewall with IPS (Intrusion Prevention Services) that actively blocks access to malicious sites, including TOR, ransomware command-and-control centres, Trojans and other IP addresses updated in real time. This applies to both ingress and egress. Finally, before a packet is allowed in or out of the ‘worker’ segment, it is monitored by a Network Security Monitor for attack signatures. It is amazing to see the number of actual attacks from various countries trying to gain, as an example, command access to D-LINK routers.

The first step is the email in my inbox, which was from a local (South African) company that needs to conform to the ECT Act of 2002, which defines that a recipient should be able to unsubscribe. In this case, after numerous attempts, we are still receiving emails, and with a newly updated signature we finally realized that the ‘email marketing’ company the local company uses is registered as a spamming agent. This came after receiving an email with an unsubscribe link, only to be warned that the link is blocked because it belongs to a spamming company.

Also, just a quick look at the registration details of the company we see the following.

The link to the direct information at the South African registrar for Internet addresses/names shows that the company was registered in 2008 in the USA (CA) with telephone numbers and email addresses ‘withheld’. The local hosting company will be contacted for comment.


The following warning is received from the external perimeter when connecting to the site behind the unsubscribe link.

Spam ‘Haus’

So what does this mean?

Sometimes when you unsubscribe, you only confirm the validity of your email address to spamming engines and other email marketing companies.  With some local laws protecting you, many of these spam companies are outside your country and your recourse becomes difficult if not impossible.

An option could be to complain to the hosting company, copying ‘abuse@sendercompany…..’ (of course replacing sendercompany), or adding the sender domain as spam in your antivirus. This is sometimes reported to the ‘mother-ship’ and can help in fighting spam.

Spam is still one of the biggest problems and also leads to phishing and other attacks. A very good book is Spam Nation by Brian Krebs… highly recommended.

Let’s wait and see how long it takes for this to sink in and get an unsubscribe to all domains requested.  It may be possible that the sender has no idea, but it is not an excuse of course.

It could be beneficial to train recipients on how to complain to the registrar of the company sending the spam.  HOLD THAT THOUGHT!

Data Leakage – A covert channel

If you think you are safe having adequate NAC (Network Access Control) but you are not controlling local administrative access and application execution on your workstations, you should think again. This post goes through some of the risks as well as some of the controls in an enterprise environment: an example of bypassing a NAC, and the controls you can put in place to ensure that your risk is mitigated.

The weakest point is normally an unsuspecting administrator, lack of proper configuration, and simple default installs. In this example, let’s look at a complete Cisco ISE implementation whereby the workstations have been locked down to a secure realm and the MAC address is used as one of the authentication mechanisms. Here, for argument’s sake, we will use a user connected to the network with a physical cable. The user has a laptop with a Wireless LAN adapter as well. (As we can see, a compromise depends on many requirements being met.)

Guarding the ‘Perimeter’

I will not go into detail on the actual application that compromises access, but the normal PowerShell commands are in the public domain.

The penetration workflow is to activate the WLAN card on the laptop to act as an Access Point and use the authenticated user’s credentials, without his knowledge, to access the Internet. This of course may implicate the user in actions against the Acceptable Use Policy.

The Windows commands are as follows:

  • NETSH WLAN set hostednetwork mode=allow ssid=Your_SSID key=Your_Passphrase
  • NETSH WLAN start hostednetwork
  • The next step is to enable sharing on the WLAN device; this is normally done through the Network Connection Properties. It can also be done programmatically by updating registry keys.
  • In order to stop the share, the following command must be entered: NETSH WLAN stop hostednetwork
  • and then NETSH WLAN set hostednetwork mode=disallow

Now visualize a possible compromise

  1. Develop an application requiring UAC elevation privileges and give this to a user with local administrative rights
    1. This application will execute the above commands using either PowerShell or an API
    2. The unsuspecting user’s laptop is now a Wireless Access Point (AP) with your predefined SSID and password
  2. Once this is done, any wireless device can connect to the AP and access the Internet
  3. If the local user has authentication to the Domain/LDAP (or another authentication mechanism) to access the Internet, any access via the local AP will be through his account, using the MAC address of his wired connection.

Controlling the risk

  • A simple control for the risk is ensuring that users do not have local administrative access.
  • Ensure only known (white-listed) applications can run on administrator workstations
  • Monitor and report on user behavior (access to the Internet)
  • Monitor, log and react on system changes outside the acceptable defined control framework
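As an added example (not code from the original post) of the last control, a check that a managed laptop has not been turned into the access point described above: it parses the report of `netsh wlan show hostednetwork` and flags a hosted network that is allowed or started. The embedded `SAMPLE_OUTPUT` is a constructed approximation of that command's output so the parser runs offline; `check_this_host()` runs the real command and only works on Windows.

```python
"""Detect a laptop that has turned itself into a Wi-Fi access point.

Added example, not from the original post. SAMPLE_OUTPUT is a constructed
approximation of "netsh wlan show hostednetwork" output, embedded so the
parser can be exercised offline; on a real Windows host use check_this_host().
"""
import subprocess

SAMPLE_OUTPUT = """\
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "Your_SSID"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:00:5e:00:53:01
    Radio type             : 802.11n
    Channel                : 6
    Number of clients      : 1
"""


def parse_hostednetwork(text):
    """Turn the 'Key : Value' lines of the netsh report into a dict keyed by
    lower-cased field name. Section headers and separator lines have no ':'
    and are skipped; the BSSID value keeps its own colons (first ':' splits)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _sep, value = line.partition(":")
        fields[key.strip().lower()] = value.strip().strip('"')
    return fields


def assess(fields):
    """Return a list of findings; an empty list means no hosted network."""
    findings = []
    if fields.get("mode", "").lower() == "allowed":
        findings.append("hosted network mode is Allowed (should be disallowed on managed laptops)")
    if fields.get("status", "").lower() == "started":
        ssid = fields.get("ssid name", "<unknown>")
        clients = fields.get("number of clients", "0")
        findings.append(f"hosted network '{ssid}' is Started with {clients} client(s)")
    return findings


def check_this_host():
    """Run the real command (Windows only) and assess its output. Any client
    counted here is reaching the Internet through the laptop's wired,
    NAC-authenticated identity, which is the covert channel described above."""
    out = subprocess.run(["netsh", "wlan", "show", "hostednetwork"],
                         capture_output=True, text=True, check=False).stdout
    return assess(parse_hostednetwork(out))


if __name__ == "__main__":
    for finding in assess(parse_hostednetwork(SAMPLE_OUTPUT)) or ["no hosted network"]:
        print(finding)
```

Scheduled from an endpoint management tool, the findings list is the alert that a NAC log alone will never raise, because the wired session itself looks perfectly legitimate.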

Free Internet at Santander Totta

The banking landscape is changing at an exponential rate. While travelling a bit, I found myself on the island of Madeira, off the coast of Africa (the closest country is Morocco), although it is part of Portugal. A few years ago, BANIF Bank was experiencing some financial instability and was bought out by the Spanish bank Santander Totta.

UALA

User Agreement

A very interesting finding was that, while sitting outside the bank, I saw the Wi-Fi SSID of the bank. It was ‘unsecured’ (no password required) and I decided to connect to the Wi-Fi. To my amazement, I got connected to the Internet with full browser functionality. WhatsApp worked, as did Instagram, Facebook and other social media applications.

This is a totally different approach from some of the banks I have experience with, and I think it is worth commenting on the approach here. As part of a past implementation of a new infrastructure, it was discussed to give GUEST access to clients in the bank, limited by time.

What can be realized as a benefit to the bank?

  • Branding is number 1 here.  Your bank’s logo will be shown as part of the agreement.  The user, client or not, will be happy for this free service and will relate ‘happiness with the bank’s logo’.
  • Based on the User Agreement, it will be possible to obtain some statistics of usage and possibly have some leads for product sales.

Are there any new risks to the bank?

I can see no material risk to the bank if the network access via the Wi-Fi is totally separate from the bank’s production network. The bank of course should have good practices in place where IPS (Intrusion Prevention Services) is part of the delivery platform.

  • Make sure users cannot visit blacklisted sites.
  • Make sure that exploits are blocked.
  • Monitor access as the platform may be used for criminal activity.
  • Only allow services such as HTTP, HTTPS and other protocols that will enable a good experience for the user but cannot be used as a springboard for malicious intent.

Based on the rules, it is simple to control and monitor.

The only recommendation is to fix the security certificate, which is not properly implemented. This should be updated.

This is a plus for the Bank.  Well done Santander Totta.

Links

Santander Totta

Bank Re-branding – Criminal Exploitation

ABSA Bank, from which Barclays has dis-invested, re-branded the bank with a new logo and with some fanfare. As expected, criminals wait for such events to exploit bank clients during the ‘transition’ phase. The interesting fact here is that the compromised sites hosting the phishing exploit code are mostly in South Africa. This shows that the fraudsters are actively thinking about their attack vectors. If an unsuspecting ABSA client clicks on the phishing email and is directed to a local site, it will seem valid and the risk of account compromise is higher.

Compromised site

One of the emails received contained a link to a local (.co.za) site called http://absaonlineupgradeservicesecure(.)co(.)za, and on reviewing the registration details it is noted that this site was registered on behalf of a client through MWEB.

Planning process

Having obtained the source code from a compromised site, the analysis was quite simple, and it seems that the ‘hackers’ are not that thorough in closing off access to the compromised site. On one of the sites, we noted a text file that contained the results of the phished users. There were also many test IP addresses which possibly show the (virtual) source of the hackers. This was noted to be from Ghana.

Possible fraudster source in Ghana

Within the text file there were account numbers with PINs. This information was forwarded to fraud@absa.co.za with all personal contact details in case they needed them for verification. No communication was received after a week. (update: Communication received after 9 days)

The problem exists that it is not possible to educate all of the users to NOT CLICK on a link as the Internet was designed to click links. 

Two approaches to combat cybercrime must be followed and that is one from the end-user and the other from the bank.  This is not an exhaustive list, but will help to secure the eBanking process and make life for fraudsters more difficult.

End-users (bank clients) need to be educated, and this is an ongoing process.

Text file of compromised accounts on the compromised server

The bank can use technology to combat online fraud and some of the steps include:

  • Monitoring for increased access to the bank logos in relation to the referring pages. This will only indicate a possible new phishing campaign, and allow active monitoring to be placed at a higher level of readiness.
  • Monitoring of client accounts from outside normal IP addresses. For example, if the source IP is outside South Africa (in this case), additional authentication should be required.
  • The bank should get actively involved with fraud notifications. I have had two experiences now where two different banks did not respond. The other was a possible fraud on a credit card, and one of the options was to block and phone the client back. This was never done. (Not ABSA here)
  • The positive for ABSA here is the second-level access, where the user-selected passphrase is broken up into multiple selections. This makes it more secure against actual compromise.
  • Banks also need to supply 2-factor authentication at all times to ensure that a physical token (a mobile phone, for example) is always required. I did experience problems with ABSA while travelling outside the country with the SecureCheck mobile app: the acknowledgement was never delivered and I could not do any transactions.
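As an added example (not code from the original post) of the first monitoring step, a check over web server access logs for the bank's logo being embedded from pages the bank does not own: a phishing kit that hotlinks the real logo leaves its own hostname in the Referer. The log lines are constructed (Apache combined format), and the bank-owned hosts, logo paths and the `phishing-site.example` referer are assumptions for the example.

```python
"""Flag the bank's logo being embedded from pages the bank does not own.

Added example, not from the original post. Runs over constructed Apache
combined-format access log lines; BANK_DOMAINS and LOGO_PATHS are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

BANK_DOMAINS = {"absa.co.za", "www.absa.co.za"}   # assumption: bank-owned hosts
LOGO_PATHS = ("/images/logo", "/static/brand/")     # assumption: logo asset paths

# Constructed sample: one legitimate embed, a phishing page hotlinking the logo
# twice, a request with no referer, and an unrelated page hit.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2018:08:01:02 +0200] "GET /images/logo.png HTTP/1.1" 200 8123 "https://www.absa.co.za/personal" "Mozilla/5.0"
203.0.113.6 - - [10/Jul/2018:08:01:05 +0200] "GET /images/logo.png HTTP/1.1" 200 8123 "http://phishing-site.example/login.php" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2018:08:01:09 +0200] "GET /images/logo.png HTTP/1.1" 200 8123 "http://phishing-site.example/login.php" "Mozilla/5.0"
203.0.113.8 - - [10/Jul/2018:08:02:00 +0200] "GET /images/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2018:08:02:30 +0200] "GET /index.html HTTP/1.1" 200 512 "http://example.net/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)


def parse(log_text):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match:
            yield match.groupdict()


def foreign_logo_referers(log_text):
    """Count logo requests per referring host that is not bank-owned.
    Empty referers ('-') are skipped: browsers strip them often enough that
    they are noise here, not evidence."""
    hits = Counter()
    for rec in parse(log_text):
        if not rec["path"].startswith(LOGO_PATHS) or rec["referer"] == "-":
            continue
        host = urlsplit(rec["referer"]).hostname or ""
        if host not in BANK_DOMAINS:
            hits[host] += 1
    return hits


def suspected_campaigns(log_text, threshold=2):
    """Referring hosts at or above the threshold: candidates for the fraud
    team and a takedown request, sorted for stable reporting."""
    return sorted(h for h, n in foreign_logo_referers(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(foreign_logo_referers(SAMPLE_LOG))
    print("suspected phishing hosts:", suspected_campaigns(SAMPLE_LOG))
```

A rising count for a single unknown host, well before any client reports an email, is the early warning the bullet above describes; it does not prove fraud by itself, so the host goes to the fraud team for review rather than to an automatic block list.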

This does not exclude the fact that the fraudsters may use other methods, such as a phone call or social engineering, to obtain information that is lacking to complete the fraud.

We have to acknowledge that some major changes have to take place in order to make it more secure for the end-user. Combating fraud is a leap-frog exercise where bank security specialists have to be highly skilled and dedicated.


Why do programmers love Mac?

There is no doubt that if you take a look at a room filled with programmers, about 80% of them will be using a Mac. But why is this?

The Use Of Unix:

Mac uses Unix, and a Unix command line closely emulates your target server. The use of Unix and common software is loved by programmers.

The Build Quality:

The build quality of a Mac is second to none; I can vouch for this as I type away on the butterfly keyboard of my MacBook Pro. Programmers spend a lot of time working on their Macs and most have pretty extreme standards.

OS X Supports Cross Platform:

If you want to program for iOS you have to use a Mac, but on a Mac you can also program for Windows, whereas on a Windows machine you cannot develop for Mac or iOS.