All posts by be4sec

Office 365 Vulnerability Allows Attackers to Encrypt Files

Proofpoint announced that they have discovered a vulnerability in Office 365 that allows an attacker to encrypt files stored on SharePoint and OneDrive.

Proofpoint also identified the attack chain as initial access, account takeover and discovery, collection and exfiltration, and monetization. Of the attack they said: “Once executed, the attack encrypts the files in the compromised users’ accounts. Like with endpoint ransomware activity, those files can only be retrieved with decryption keys”.

If an attacker gains access to the victim’s cloud account, they have two options: limit the number of saved versions (autosaves) to one, or use the autosave feature more than 500 times so that the version limit is reached. At that point, the researchers explain, it is unlikely that an attacker would encrypt more than 500 files, because such an operation requires a lot of scripting work and computing resources while significantly increasing the risk of detection.

Whichever option the attacker chooses, once the files have been encrypted and the saves have gone through, the victim has only two options: restore from backups physically isolated from the infrastructure, or pay the attacker for a decryption key.
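Both attacker options described above leave a trace in the tenant's audit trail: a version-retention setting being lowered, and the same file being overwritten many times by one account in a short window. The following detection logic is an added example, not Proofpoint's research code or anything from the original post. It runs over a constructed list of audit events with a simplified schema; the operation names "VersioningSettingsChanged" and "FileModified", the field names, and the thresholds are assumptions for illustration, not a documented Microsoft 365 audit schema, and the burst threshold is lowered from the real-world 500 so the sample stays small.

```python
"""Detect the SharePoint/OneDrive version-exhaustion ransomware pattern in audit events.

Added example (not from Proofpoint or the original post). Operation names,
field names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOW_VERSION_LIMIT = 1                  # a library whose retained versions drop to 1
BURST_THRESHOLD = 5                    # edits of one file inside the window (real-world: 500)
BURST_WINDOW = timedelta(minutes=10)   # sliding window for counting overwrites


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_version_limit_drops(events):
    """Return (user, library, new_limit) for version-limit changes at or below LOW_VERSION_LIMIT."""
    hits = []
    for e in events:
        if e["Operation"] == "VersioningSettingsChanged" and int(e["NewVersionLimit"]) <= LOW_VERSION_LIMIT:
            hits.append((e["UserId"], e["ObjectId"], int(e["NewVersionLimit"])))
    return hits


def find_overwrite_bursts(events):
    """Return {(user, file): max_edits} for files modified more than BURST_THRESHOLD times within BURST_WINDOW."""
    per_file = defaultdict(list)
    for e in events:
        if e["Operation"] == "FileModified":
            per_file[(e["UserId"], e["ObjectId"])].append(parse_ts(e["CreationTime"]))
    bursts = {}
    for key, times in per_file.items():
        times.sort()
        start, best = 0, 0
        # sliding window: largest number of edits that fit inside any BURST_WINDOW span
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best > BURST_THRESHOLD:
            bursts[key] = best
    return bursts


def assess(events):
    """Combine both signals: a burst by a user who also lowered a version limit is rated high."""
    drops = find_version_limit_drops(events)
    bursts = find_overwrite_bursts(events)
    users_with_drop = {u for u, _, _ in drops}
    findings = []
    for (user, obj), count in bursts.items():
        severity = "high" if user in users_with_drop else "medium"
        findings.append({"user": user, "object": obj, "edits": count, "severity": severity})
    for user, lib, limit in drops:
        findings.append({"user": user, "object": lib, "new_limit": limit, "severity": "medium"})
    return findings


# Constructed sample events (UTC): one account lowers the version limit, then
# overwrites a single spreadsheet six times in six minutes; a second account
# edits a report three times across a normal working day.
SAMPLE_EVENTS = [
    {"CreationTime": "2022-06-20T09:00:00", "UserId": "mallory@contoso.example",
     "Operation": "VersioningSettingsChanged", "ObjectId": "/sites/finance/Shared Documents",
     "NewVersionLimit": "1"},
] + [
    {"CreationTime": f"2022-06-20T09:0{i}:00", "UserId": "mallory@contoso.example",
     "Operation": "FileModified", "ObjectId": "/sites/finance/Shared Documents/budget.xlsx"}
    for i in range(1, 7)
] + [
    {"CreationTime": t, "UserId": "alice@contoso.example",
     "Operation": "FileModified", "ObjectId": "/sites/finance/Shared Documents/report.docx"}
    for t in ("2022-06-20T08:15:00", "2022-06-20T11:40:00", "2022-06-20T16:05:00")
]

if __name__ == "__main__":
    for f in assess(SAMPLE_EVENTS):
        print(f)
```

The version-limit drop on its own is only medium severity because administrators legitimately change retention settings; it is the combination with a rapid overwrite burst from the same account that matches the attack chain above. The same sliding-window count, raised to the tenant's real version limit, applies to the "overwrite 500 times" variant.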

A Glimpse into AI and the SOCs of the Future

About twenty years ago, antivirus, IPS and firewalls were managed by security teams; most organizations had only one information security team, and the most important thing was keeping IPS signatures and the antivirus database up to date. But SOCs have grown year by year because of new attack techniques and the new security controls introduced to prevent them. Today, an enterprise organization runs more than fifty different security technologies to defend against these complex attacks. Still, a SOC has two core elements: security controls and people.

With the increasing number of devices, the logs of all these devices need to be analyzed and interpreted, and the volume of logs to be analyzed has reached enormous amounts. As data grows, human resources must grow in direct proportion. Meanwhile, one of the biggest problems of the sector is finding trained analysts. We see many organizations trying to keep their SOC operations running with fewer personnel than they need, and these personnel are responsible not only for incident response but also for red teaming, purple teaming, threat hunting, threat intelligence and more.

An analyst's task is not only to examine one log, but also to analyze the logs of other devices based on the findings from that examination. As log volume increases day by day, analyzing all these logs for a single incident can take hours. Because of this, many SOC analysts experience burnout on the job, and most organizations cannot respond to alerts as fast as they should.

At this point, AI, the most popular technology of recent years, comes to the aid of SOCs. The use of AI-powered autonomous platforms (for example, Mandiant’s Automated Defense and Darktrace’s Cyber AI Analyst) has become widespread and looks set to play a bigger role in future SOCs. These platforms can collect logs, analyze them, reach a verdict and keep analyzing other systems’ logs to decide whether an alert is a false positive or a real incident. With AI, all these processes run at machine speed and analysts get results in a very short time, so SOC teams can respond as fast as possible. Additionally, AI makes fewer mistakes than human analysts: in recent years we saw many cases in which, although there were logs showing an attack, the alert was marked as a false positive by analysts and closed.

AI is still evolving. As in all other fields, it is obvious that it will add a lot to the field of information security in the future. With this evolving AI, team members in future SOCs will focus more on threat hunting, threat intelligence and red teaming work. This will enable people to do better quality work and to educate themselves.

Weekly Breaches – 22nd of May

Too many breaches happen every day. Here are some of the important ones from this week.

As an important note: these are the attackers' own claims, and the information needs verification.

Indonesia Vaccine Data:
The threat actor RichTheKid shared that they have 690k records of Indonesian vaccine data, totalling 1.3 GB.

pipl.com Database Leak
pipl.com is one of the most important identity information providers. The threat actor toprakbilen90 claimed to have leaked pipl.com’s database, including first and last name, aliases and past names, e-mail address, physical address, date of birth, court and bankruptcy notes, phone number, social media profile links, political affiliations, race, religion, skills, gender, past and present employers, automobiles and proper. The data is about 2.96GB.

BBVA Mexico
A threat actor shared BBVA Mexico data, with screenshots, in a private Facebook group. As seen from the screenshots the threat actor shared, the data includes customer identity information, transaction information and so on.

Ministry of Justice – Qatar Database
The threat actor keftar claimed to have the database of Qatar's Ministry of Justice. The data consists of many CSV files, and its total size is unknown.

Russian Satellite TV Hacked

The Russia-Ukraine war continues in cyberspace at the same pace as on the ground.

Attackers hacked into the broadcasting network of satellite TV channels in Russia.

The incident happened this morning and, according to officials, the attackers added anti-war announcements against the operations in Ukraine at the bottom of the screen.

According to a post on 66.ru, “Our specialists are doing everything possible to resolve the problem as soon as possible. In the near future, everything will be restored,” the company said.

Several providers are reported to have been affected by the attack.

Wanted Conti!

Ransomware is a growing danger day by day and, unfortunately, no permanent measures can be taken against these attacks. For now, the USA seems to be applying the most sensible non-technical measure against ransomware attacks.

The Department of State is offering a reward of up to $10M for information leading to the identification and/or location of any leaders of the Conti ransomware group, and an additional $5M reward for information on anyone conspiring with Conti. The statement was published on the 6th of May.

According to several reports, Conti's annual income is more than $150M, and the group appears to be located in Russia.

We think that rewards are an important measure against ransomware groups because, although many technical measures have been taken and discussed, the number of cases increases day by day. With this reward, Conti members are likely to be exposed within a few months. We will see together whether such a measure works.

China’s Plan to Stop Using Foreign-Branded PCs

With the Russian occupation of Ukraine and the subsequent sanctions, foreign dependency issues have come to the fore in all countries and sectors. Most recently, China has ordered that foreign-branded computers be replaced with domestically developed ones within two years.

The primary reason for the measure is to reduce dependence on rivals such as the U.S. for everything from semiconductors to servers and phones; it will be applied first to central government agencies and state-backed corporations.

Chinese authorities are expected to replace at least 50 million devices at the central government level alone. If successful, this decision will create serious problems for producers such as Dell, HP and others.

Source: Bloomberg

GitHub Blocks Russian Accounts

According to the Russian website Habr, at least dozens of accounts have been blocked by GitHub.

Sanctions against Sberbank and Alfa-Bank, the country’s largest private banks, include the freezing of bank assets and a ban on US citizens and companies doing business with them. As an example, under the sanctions the following GitHub accounts of these two banks have been blocked:

https://github.com/Sberbank-Technology

https://github.com/sberbank-ai-lab

https://github.com/alfa-laboratory

Today, some researchers reported that some personal accounts have been blocked too.

Still Have Port 445 Open to the Internet?

CVE-2022-26809 is a vulnerability in the Remote Procedure Call Runtime component of Microsoft Windows. If an attacker successfully exploits the vulnerability, they can run arbitrary code on the affected system.

To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service.

The vulnerable system can be exploited without any interaction from any user.

This is a really high-risk vulnerability and should be patched immediately.

Vulnerable Technologies:
Microsoft reports that the following products and versions are vulnerable:

Windows 7 32-bit SP 1
Windows 7 x64 SP 1
Windows 8.1 32-bit
Windows 8.1 x64
Windows 10 32-bit
Windows 10 x64
Windows 10 20H2 32-bit
Windows 10 20H2 ARM64
Windows 10 20H2 x64
Windows 10 21H1 32-bit
Windows 10 21H1 ARM64
Windows 10 21H1 x64
Windows 10 21H2 32-bit
Windows 10 21H2 ARM64
Windows 10 21H2 x64
Windows 10 1607 32-bit
Windows 10 1607 x64
Windows 10 1809 32-bit
Windows 10 1809 ARM64
Windows 10 1809 x64
Windows 10 1909 32-bit
Windows 10 1909 ARM64
Windows 10 1909 x64
Windows 11 ARM64
Windows 11 x64
Windows RT 8.1
Windows Server 2008 32-bit SP 2
Windows Server 2008 x64 SP 2
Windows Server 2008 R2 x64 SP 1
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server Version 20H2

Mitigation:

Microsoft recommends blocking port 445 at the perimeter firewall as a technique to mitigate the possibility of internet-based exploitation.

Remediation:

Organizations need continuous port and vulnerability scanning to detect whether any port is exposed to the outside, even momentarily. If continuous scanning is not possible because of sensitive systems, an Attack Surface Management system should be used for immediate detection.
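A minimal version of the external check recommended above, added here as an example (it is not Microsoft's tooling and not from the original post): run it from outside the perimeter against your own public address ranges to confirm that the firewall block on 445 actually holds. Port 135 is included alongside 445 as the other common RPC listener, which is an assumption of this example rather than something the advisory text above states; the address list under `__main__` is a constructed placeholder from the RFC 5737 documentation range, and `self_check()` exists only so the script can prove its own logic offline against a loopback listener.

```python
"""Verify from the outside that SMB (445) and the RPC endpoint mapper (135) are not reachable.

Added example, not Microsoft's tooling or from the original post. Run it only
against address ranges you own, from a vantage point outside the perimeter.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports this advisory's mitigation is about (135 added as the usual RPC endpoint mapper).
PORTS = {445: "SMB", 135: "RPC endpoint mapper"}


def is_port_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:               # refused, unreachable, or timed out
        return False


def exposure_report(hosts, ports=PORTS, timeout=2.0, workers=16):
    """Return (host, port, service) for every host/port pair that accepted a connection."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: (t[0], t[1], is_port_open(t[0], t[1], timeout)), targets))
    return [(h, p, ports[p]) for h, p, opened in results if opened]


def self_check():
    """Offline sanity check: a loopback listener must be reported open, and closed once shut down."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    try:
        open_before = exposure_report(["127.0.0.1"], {port: "loopback test"}) == [("127.0.0.1", port, "loopback test")]
    finally:
        srv.close()
    open_after = is_port_open("127.0.0.1", port, timeout=1.0)
    return open_before and not open_after


if __name__ == "__main__":
    hosts = ["198.51.100.10", "198.51.100.11"]   # constructed placeholder addresses (RFC 5737)
    findings = exposure_report(hosts)
    if findings:
        for h, p, svc in findings:
            print(f"EXPOSED {h}:{p} ({svc}): block at the perimeter and patch")
    else:
        print("no SMB/RPC ports reachable from this vantage point")
```

Schedule this against the full external address inventory rather than a hand-maintained host list; a port that is open "momentarily", as the text above puts it, is only caught by a check that runs more often than change windows do.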

Parrot is Used to Conduct Malicious Campaigns

Parrot TDS (Traffic Direction System) has infected various web servers hosting more than 16,500 websites, ranging from adult content sites and personal websites to university sites and local government sites.

The campaign was discovered by Avast and is currently being used to run a campaign called FakeUpdate, which distributes the NetSupport Remote Access Trojan (RAT) via fake browser update notifications.

FakeUpdate Campaign (From Avast’s post)

Parrot TDS acts as a gateway for further malicious campaigns to reach potential victims. Attackers buy TDS services to filter incoming traffic and send it to the final destination serving malicious content.

According to Avast analysts, TDS activity increased in February 2022, which they noticed by detecting suspicious JavaScript files on compromised web servers.

A detailed technical analysis was shared by Avast here.
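Because Parrot TDS lives as JavaScript injected into files on compromised web servers, the practical defender question is how a site operator notices that injection. The script below is an added example, not Avast's tooling and not from the original post: it baselines a web root with SHA-256 hashes and, for files that changed since the baseline, applies a few generic heuristics for obfuscated injections (eval, string decoding, script-writing, long base64-like blobs, very long lines). Those heuristics and thresholds are assumptions of this example, not Parrot-specific signatures, and the `demo()` function builds a constructed web root in a temporary directory with an inert, obviously fake payload.

```python
"""Spot injected JavaScript on a web server: hash baseline plus simple content heuristics.

Added example, not Avast's tooling or from the original post. Heuristics are
generic indicators of obfuscated injection, not Parrot TDS signatures.
"""
import hashlib
import os
import re
import tempfile

# Generic indicators (assumptions for illustration), checked in this order.
JS_SUSPICIOUS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\bunescape\s*\(|String\.fromCharCode"), "string decoding"),
    (re.compile(r"document\.write\s*\(\s*['\"]<script", re.I), "document.write of <script>"),
    (re.compile(r"[A-Za-z0-9+/=]{200,}"), "long base64-like blob"),
]
MAX_LINE = 5000   # minified loaders appended to clean files tend to be one huge line


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exts=(".js", ".html", ".php")):
    """Map relative path -> sha256 for web files under root; run this on a known-clean deployment."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def diff_baseline(root, baseline):
    """Return (modified, added, removed) relative paths compared with the stored baseline."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def js_indicators(path):
    """Return the heuristic labels that fire on one file."""
    with open(path, "r", errors="replace") as f:
        text = f.read()
    hits = [label for rx, label in JS_SUSPICIOUS if rx.search(text)]
    if any(len(line) > MAX_LINE for line in text.splitlines()):
        hits.append("very long line")
    return hits


def scan_changed(root, baseline):
    """Run the heuristics only on files that changed since the baseline; return {path: [labels]}."""
    modified, added, _ = diff_baseline(root, baseline)
    report = {}
    for rel in modified + added:
        hits = js_indicators(os.path.join(root, rel))
        if hits:
            report[rel] = hits
    return report


def demo():
    """Build a constructed web root, baseline it, append an inert fake injection, and scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        clean = os.path.join(root, "js", "site.js")
        with open(clean, "w") as f:
            f.write("function greet(n){return 'hi '+n;}\n")
        baseline = build_baseline(root)
        # Constructed, inert stand-in for an appended obfuscated loader.
        with open(clean, "a") as f:
            f.write("var _0x=eval(unescape('%31'));" + "A" * 300 + ";\n")
        return scan_changed(root, baseline)


if __name__ == "__main__":
    for path, labels in demo().items():
        print(f"{path}: {', '.join(labels)}")
```

Store the baseline off the web server (an attacker who can write to the document root can also rewrite a manifest kept beside it), and treat any modified or added script as worth a manual look even when no heuristic fires; the hash diff is the reliable signal, the heuristics only prioritise.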

How was Ukrtelecom hacked?

One of the largest Ukrainian telecom providers, Ukrtelecom, suffered a powerful attack on March 28, 2022. It was one more incident in the hybrid warfare between Russia and Ukraine, on which we keep trying to report the latest developments.

Ukrtelecom’s CIO Kyrylo Honcharuk spoke about the details of the Ukrtelecom attack:

Ukrtelecom as part of Ukraine’s vital information infrastructure is in the focus of hackers’ attention all the time. We’ve been observing the increase in the number of cyberattacks against our infrastructure since the very beginning of the invasion. The attack on March 28 was powerful and sophisticated,

Officials mentioned that the discovery phase of the attack was launched from Ukrainian territory recently and temporarily occupied by Russian forces. For discovery, the hackers used a compromised account of a company employee.

Once they gained access, the hackers tried to disable Ukrtelecom’s equipment and servers in order to gain control over its network and equipment. There was also an attempt to change the passwords of employees’ accounts and of the logins used to access equipment and firewalls. During the attack, Ukrtelecom temporarily limited access to its services for private and business clients, and network traffic fell to 13% of its regular level. Internet access for clients started to be restored late on March 28, and the following day Ukrtelecom services became available to almost all its users.

The investigation continues. We have seen several attacks on Ukrainian organizations related to the Russian invasion; however, this attack cannot yet be attributed to any hacker group. We expect to see more attacks on Ukrainian targets, including government, energy and financial organizations.