All posts by be4sec

Log4j Vulnerable Hosts List on Sale

Log4j persistently keeps its place on the agenda. Although it has been stated repeatedly that the vulnerability is critical and many articles have been written about it, a list has now been published and put up for sale that includes more than 500k potential and 220k vulnerable hosts. The repository advertising this sale is linked below:

https://github.com/razz0r/CVE-2021-44228-Mass-RCE

Log4Shell (CVE-2021-44228) is rated critical because exploitation requires no authentication or user interaction and is very easy to perform. Applying the patches quickly is strongly recommended.

Image Reverse Search

With the growth of social media usage, fake news and social media scams are growing too. For many reasons, we need to verify posts before we believe and/or share them. Reverse image search is an OSINT technique that is very important because of these social media and news scams, and it is as easy as it is important.

To see whether a news item is true, one of the tools we can use is reverse image search. There are many ways to do this, but here we will explain the easiest ones.

Suppose we have the image above and we want to know when and where it was taken. We start with Google.

Google

In Google Images, click the camera icon and upload the image.

We can then directly find the websites that include this image, and from them where and when it was taken. In this case we learn that the image is from Syria and shows an airstrike. So if we see it attached to a different news story, we know it is being misused.

Yandex

It works the same way with Yandex. We upload the image to Yandex Images in the same way.

Yandex can find more matches than Google, so I recommend using Yandex in your searches too.

Cyber Attack to Belgian Defense Ministry

Belgium’s Ministry of Defence confirmed on Monday that it had been hit by a cyber attack.

The Log4j vulnerability was disclosed earlier in December and has been widely discussed and exploited since. According to Belgian Defence Ministry officials, attackers exploited the Log4j vulnerability in one of their systems. The ministry discovered the attack last Thursday.

A lot has been written about Log4j in recent days, so we will not go into the details of the vulnerability here, but it is important to note that it affects a long list of software.

We already know that some hacker groups, including state-sponsored groups, have started using this vulnerability. It is a really critical vulnerability and needs to be patched as soon as possible (today) if that has not been done yet.

DFIR Problems in the Cloud

More and more companies are moving to the cloud because of its ease of deployment, its integration with business needs and its scalability, and the pandemic and changing business models have pushed that adoption further.

From an IT perspective, the cloud provides a lot of convenience. Companies pay only for the resources they need and can scale up or down easily to meet demand. With this scalability, they do not need to guess future usage and budget for it. Additionally, while it takes days or weeks to deploy a new physical server, getting a new one in the cloud takes a few minutes, and it saves on expenses like cabling, staff, network access and data center space. The cloud also makes a global infrastructure and high availability easy to achieve.

For these reasons and more, it is easy to see why the cloud market will keep growing in the coming years; the expectation is that it will be worth more than $800 billion in 2025. However, this convenience brings different problems and challenges on the security, incident response and digital forensics side.

Separation of Responsibilities in the Cloud

Security is harder in the cloud for customers because the customer neither has access to nor responsibility for all of the systems that need to be secured. So it is crucial to understand the shared responsibility model of each cloud service model.

Within the scope of this article, we do not describe each of these cloud service models one by one.

Challenges of Security

The shared responsibility model shown above makes security, incident response and digital forensics harder. It is not enough to know the organization’s own assets; security teams need to work together with the cloud service provider’s (CSP) security teams. In every service model, the organization’s teams lack access to and control over some layer: data, OS, storage, network traffic, etc. And these are not the only difficulties. Most organizations use hybrid clouds and more than one CSP, which means systems are distributed across different data centers and locations, and teams need data from these different systems, CSPs and structures.

Distributed multi-CSP structures make it hard to collect data during an incident, so investigating incidents in real time in the cloud becomes more difficult. One reason is access rights: in every cloud service model, the incident handler and forensic analyst have limited access to and control over data. Another is the difference in operational details and procedures between CSPs. Also, depending on the CSP’s architecture, logs may be stored distributed across different servers and locations, which again complicates investigating an incident. Correlating an activity across different CSPs is challenging due to the lack of interoperability, and log timestamps and time correlation add to this challenge: unless every source is normalized to UTC, events from different providers cannot be put on one reliable timeline.

Many more items could be added to this list of technical challenges. However, there is also a legal side to using the cloud. As CSPs distribute their infrastructure across locations all over the world, customers can face legal issues: data collection, protection and governance laws change according to the region where the servers are located, which makes it hard to standardize processes. These differences can also be reflected in SLAs.

The list of things that challenge security teams in the cloud can easily be extended: admins’ lack of experience in handling cloud environments, acquiring and knowing cloud investigation and forensics tools, international communication, privacy concerns, the unknown location of data, data volatility, time and timestamp synchronization, log format differences, etc.
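As an added example (not code from the original post), the following PowerShell script puts events from differently formatted logs onto one UTC timeline, which is the first step of cross-CSP correlation described above. The four log lines and their timestamp formats are constructed for the example and are not any provider’s real schema; the UTC-5 offset assumed for the log with no zone information is also an assumption that must be verified against the host configuration in a real case.

```powershell
# Added example, not from the original post. Normalize timestamps that arrive in
# different formats and zones into UTC so events from several CSPs and an
# on-prem host can be ordered on one timeline.

function ConvertTo-UtcTimestamp {
    param(
        [Parameter(Mandatory)][string]$Raw,
        [Parameter(Mandatory)][int]$Year,            # syslog-style lines carry no year
        [TimeSpan]$AssumedOffset = [TimeSpan]::Zero  # zone to ASSUME for zone-less logs
    )
    $inv   = [System.Globalization.CultureInfo]::InvariantCulture
    $none  = [System.Globalization.DateTimeStyles]::None
    $white = [System.Globalization.DateTimeStyles]::AllowWhiteSpaces

    # Epoch milliseconds (13 digits), as some provider APIs emit
    if ($Raw -match '^\d{13}$') {
        return [DateTimeOffset]::FromUnixTimeMilliseconds([int64]$Raw).UtcDateTime
    }

    # ISO 8601 with 'Z' or a numeric offset: 'K' makes DateTimeOffset honour it
    $dto = [DateTimeOffset]::MinValue
    $isoFormats = @('yyyy-MM-dd\THH:mm:ssK', 'yyyy-MM-dd\THH:mm:ss.FFFFFFFK')
    if ([DateTimeOffset]::TryParseExact($Raw, $isoFormats, $inv, $none, [ref]$dto)) {
        return $dto.UtcDateTime
    }

    # Syslog style "MMM d HH:mm:ss": no year and no zone, so both are supplied
    $naive = [datetime]::MinValue
    if ([datetime]::TryParseExact("$Year $Raw", 'yyyy MMM d HH:mm:ss', $inv, $white, [ref]$naive)) {
        return ([DateTimeOffset]::new($naive, $AssumedOffset)).UtcDateTime
    }

    throw "Unrecognised timestamp format: '$Raw'"
}

function Build-UtcTimeline {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][int]$Year,
        [TimeSpan]$OffsetForZonelessLogs = [TimeSpan]::Zero
    )
    $Events | ForEach-Object {
        [pscustomobject]@{
            Utc    = ConvertTo-UtcTimestamp -Raw $_.Raw -Year $Year -AssumedOffset $OffsetForZonelessLogs
            Source = $_.Source
            Raw    = $_.Raw
            Event  = $_.Event
        }
    } | Sort-Object Utc
}

# CONSTRUCTED sample events, listed in the order they were collected. The
# formats are representative of what you meet, not any provider's real schema.
$collected = @(
    [pscustomobject]@{ Source = 'csp-a';  Raw = '2021-12-20T14:05:09Z';      Event = 'console login from 203.0.113.7' }
    [pscustomobject]@{ Source = 'csp-b';  Raw = '2021-12-20T16:04:58+02:00'; Event = 'role assignment changed' }
    [pscustomobject]@{ Source = 'onprem'; Raw = 'Dec 20 09:05:30';           Event = 'sshd: accepted publickey for svc-backup' }
    [pscustomobject]@{ Source = 'csp-c';  Raw = '1640008200000';             Event = 'object ACL set to public-read' }
)

# ASSUMPTION for the example: the on-prem host logs local time at UTC-5.
$timeline = Build-UtcTimeline -Events $collected -Year 2021 -OffsetForZonelessLogs ([TimeSpan]::FromHours(-5))
$timeline | Format-Table -Property @{ n = 'UTC'; e = { $_.Utc.ToString('yyyy-MM-dd HH:mm:ss') } }, Source, Raw, Event -AutoSize
```

Once normalized, the order is csp-c (13:50:00), csp-b (14:04:58), csp-a (14:05:09) and then the on-prem login (14:05:30): neither the collection order nor the raw digits reflect the real sequence. Changing the assumed offset for the on-prem host moves its event by whole hours, which is why that assumption has to be confirmed from the host’s configuration rather than guessed.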

Apple Delays CSAM Detection Plans

Earlier we posted about Apple’s CSAM detection plans and customers’ worries that the process could be weaponized against users’ privacy. Apple is now temporarily pausing the rollout because of these worries.

Apple announced this delay on its Child Safety website: “Update as of September 3, 2021: Previously we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them and to help limit the spread of Child Sexual Abuse Material. Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.”

CSAM detection was one of the new features that Apple announced in August. The changes were originally planned to go live with iOS 15 and macOS Monterey later this year in the US. Despite the delay, it seems the company has not given up on its plan. The date when CSAM detection will go live is not yet known.

How to Download Windows 11 ISO

Windows 11 has been made available to Insider users. Microsoft released the Windows 11 ISO file for test users today.

To test Windows 11 through the Insider program, users previously had to upgrade from Windows 10 build 21354. Windows 11, which is still in beta, has now been released as an ISO. The new version is expected to be available to all users by the end of this year.

How to download ISO

  • Click here and log in with your Insider account.
  • Choose “Windows 11 Insider Preview (Beta Channel) 22000.132”.
  • You can use the downloaded ISO file in your virtual environment or to create a bootable USB.

*Please do not trust any third-party download sites; download the file from Microsoft’s site, and compare the ISO’s SHA-256 (Get-FileHash) with the value shown on the download page before using it.

Requirements

This new operating system may not work on all systems, so it is important to check the requirements for Windows 11.

  • Processor: 1 gigahertz (GHz) or faster with two or more cores on a compatible 64-bit processor or system on a chip (SoC).
  • RAM: 4 gigabytes (GB) or greater.
  • Storage: 64 GB* or greater available storage is required to install Windows 11.
    • Additional storage space might be required to download updates and enable specific features.
  • Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver.
  • System firmware: UEFI, Secure Boot capable.
  • TPM: Trusted Platform Module (TPM) version 2.0.
  • Display: High definition (720p) display, 9″ or greater monitor, 8 bits per color channel.
  • Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features.
    • Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use.

Please visit here for more information about the requirements.
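As an added example (not Microsoft’s code or the original post’s), this PowerShell script checks the requirements listed above on the machine you intend to upgrade. It reads CPU, RAM, system drive, firmware type, Secure Boot state and TPM specification version from WMI/CIM and the Secure Boot cmdlets; graphics and display requirements are not checked here (dxdiag reports those).

```powershell
# Added example, not Microsoft's code or the original post's. Run from an
# elevated PowerShell: the TPM class and Confirm-SecureBootUEFI need admin rights.
# Graphics (DirectX 12 / WDDM 2.0) and display size are not checked; use dxdiag.

function Test-Win11Requirements {
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $sys  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"

    # The TPM spec version is reported as a string such as "2.0, 0, 1.38"
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Windows 8 and later set firmware_type to "UEFI" or "Legacy" in the environment
    $uefi = ($env:firmware_type -eq 'UEFI')

    # Confirm-SecureBootUEFI reports whether Secure Boot is ENABLED; it throws on
    # legacy BIOS and when not elevated. Microsoft only requires "capable", so a
    # $false on UEFI firmware may be fixable in the firmware settings.
    $secureBoot = $false
    if ($uefi) {
        try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    }

    # Sizes are rounded: firmware and partitions reserve a little space, so a
    # 4 GB machine reports slightly fewer than 4GB bytes.
    $ramGb  = [math]::Round($sys.TotalPhysicalMemory / 1GB)
    $diskGb = [math]::Round($disk.Size / 1GB)

    $checks = [ordered]@{
        'CPU: 64-bit, 2+ cores, 1 GHz+' = ($cpu.AddressWidth -eq 64 -and $cpu.NumberOfCores -ge 2 -and $cpu.MaxClockSpeed -ge 1000)
        'RAM: 4 GB+'                    = ($ramGb -ge 4)
        'Storage: 64 GB+ system drive'  = ($diskGb -ge 64)
        'Firmware: UEFI'                = $uefi
        'Secure Boot: enabled'          = $secureBoot
        'TPM: version 2.0'              = ($tpmSpec -eq '2.0')
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Requirement = $name; Met = [bool]$checks[$name] }
    }
}

$result = Test-Win11Requirements
$result | Format-Table -AutoSize
if ($result.Met -contains $false) { 'This machine does not meet one or more Windows 11 requirements.' }
```

The TPM and Secure Boot checks are the ones that most often fail on otherwise capable hardware: a TPM 2.0 (fTPM/PTT) that is present but disabled in firmware, or UEFI firmware with Secure Boot switched off, both show as not met here and can be fixed in the firmware setup rather than by buying new hardware.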

AT&T Data Breach?

ShinyHunters claims to have an AT&T database containing sensitive information on more than 70 million customers. In the post they shared, the threat actors demand $200k for this database. They shared this post a few days after a threat actor sold information on T-Mobile customers. T-Mobile has confirmed its data breach, but no relationship between the two events has been established yet.

According to the sample records that ShinyHunters shared, the database includes the following customer information:

  • Name and surname
  • Addresses
  • Postal code
  • Birthday
  • e-mail addresses
  • Social security numbers

AT&T stated that the information in question did not come from its systems and denied the breach.

Both AT&T and T-Mobile have been hit by several security incidents in the recent past.

CSAM Detection on Apple Devices and Privacy

Apple announced new features for limiting the spread of Child Sexual Abuse Material (CSAM) in the U.S. “The Messages app will use on-device machine learning to warn about sensitive content, while keeping private communications unreadable by Apple,” says Apple.

Source: https://www.apple.com/child-safety/

New Features Against CSAM

Apple is introducing new child safety features in three areas. The first, as mentioned above, is on-device machine learning in the Messages app, which will warn children, and inform their parents, when sexually explicit photos are received or sent.

The second feature targets the spread of CSAM online. “To help address this, new technology in iOS and iPadOS will allow Apple to detect known CSAM images stored in iCloud Photos. This will enable Apple to report these instances to the National Center for Missing and Exploited Children (NCMEC)” says Apple. Apple claims that this feature is designed with user privacy in mind: the system performs an on-device match against a hash database of known CSAM provided by NCMEC and other child safety organizations.

With another technique called threshold secret sharing, only if a user’s account crosses a threshold of matches against known child abuse imagery does the cryptography allow Apple to interpret the matched contents, after which the user’s account is disabled.

What About Privacy?

After the announcement, Edward Snowden tweeted “if they can scan for kiddie porn today, they can scan for anything tomorrow.” Researchers also claim that Apple is creating a backdoor on its devices and that the Messages app will no longer provide end-to-end encryption.

The changes Apple announced are extremely disappointing. As Edward Snowden said, if they can scan photos today, they can scan anything some day, and this shows that privacy for users will get harder day by day.

Threat Hunting III – Pyramid of Pain

As mentioned in the previous sessions, IoCs are crucially important for a proactive threat hunting process. Threat hunters should know as much as possible about new threats and feed that information into their hunting processes. The Pyramid of Pain classifies IoCs and helps us understand how useful each type is.

The Pyramid of Pain was created by David Bianco (FireEye). He also has a YouTube video presenting it.

Pyramid of Pain

The pyramid classifies IoCs, and the higher we go up the pyramid, the more the IoCs help us detect suspicious activity and the more pain the adversary feels when we deny them. Also, as we go up, these IoCs are harder to obtain. Let us check these IoC types briefly:

Hash Values: A hash value is a unique identifier of a piece of data. A cryptographic hash is expected to be unique to its input, so a file can be identified reliably by its hash (for SHA-256 a collision is computationally infeasible; MD5 is no longer collision resistant and should not be the only hash you rely on). As an example, you can see below the hash values (both MD5 and SHA-256) of openvpn.exe.

Hash values of openvpn.exe

Hash values sit at the bottom of the pyramid because it is trivial to change a file’s hash: altering a single byte produces a completely different hash, and if you do not have the newly changed hash, you cannot detect that file anymore.
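As an added example (not from the original post), the PowerShell script below shows why a hash IoC is so fragile: a constructed sample file is hashed with MD5 and SHA-256 and its SHA-256 put on a blocklist, then one byte is appended and the blocklist check is repeated. The sample content is plain text constructed for the example, not a real tool.

```powershell
# Added example, not from the original post: a hash IoC only matches the exact
# bytes it was computed from. The sample file is CONSTRUCTED (plain text).

function Get-SampleHashes {
    param([Parameter(Mandatory)][string]$Path)
    [pscustomobject]@{
        MD5    = (Get-FileHash -Path $Path -Algorithm MD5).Hash
        SHA256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

function Test-HashBlocklist {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$BlockedSha256
    )
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return ($BlockedSha256 -contains $hash)   # -contains is case-insensitive
}

$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'pop-hash-sample.bin'
[System.IO.File]::WriteAllBytes($sample, [System.Text.Encoding]::ASCII.GetBytes('sample tool build 1'))

$original  = Get-SampleHashes -Path $sample
$blocklist = @($original.SHA256)            # what a hash-based IoC feed would carry
"Original  MD5=$($original.MD5) SHA256=$($original.SHA256)"
"Blocked before modification: $(Test-HashBlocklist -Path $sample -BlockedSha256 $blocklist)"

# Append a single byte. For a real PE this is trailing overlay data that does not
# change how the program runs, yet both digests are now completely different.
$patched = [byte[]]([System.IO.File]::ReadAllBytes($sample) + [byte]0x00)
[System.IO.File]::WriteAllBytes($sample, $patched)

$modified = Get-SampleHashes -Path $sample
"Modified  MD5=$($modified.MD5) SHA256=$($modified.SHA256)"
"Blocked after modification:  $(Test-HashBlocklist -Path $sample -BlockedSha256 $blocklist)"

Remove-Item -Path $sample
```

The first blocklist check succeeds and the second fails even though the file is functionally the same, which is exactly the attacker’s cost at this level of the pyramid: one extra byte. This is why hash IoCs are worth loading but never worth relying on alone.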

IP Addresses: IP blocklists are still used by many products, but it is also easy for an attacker to change IP address (VPNs, proxies, disposable cloud hosts), so they do not help much in detecting an adversary either.

Domain Names: Every day we see that attackers can obtain new domain names very quickly and continue their attacks with ever-changing domains, though registering a domain costs a little more time and money than changing an IP.

Network/Host Artifacts: These are the traces adversaries leave on hosts or on the network, such as registry keys, processes, file paths or user-agent strings. To obtain such information, forensic analysis of compromised hosts or network traffic needs to be done.

Tools: Adversaries have their favorite attack tools, just as pentesters do. It is important to know the tools your adversary uses; if you are good at detecting them, you can easily detect the attack, or you force the attackers to switch to other tools. That slows down the attack and buys you time.

TTPs: Tactics, techniques and procedures are the patterns of activity and methods of a specific threat actor. They are catalogued in MITRE ATT&CK, and they are the most valuable data for identifying an attack: if you know your adversary’s TTPs, you know what to look for and what to mitigate before a possible attack.

Importing Module in Powershell

Many modules load automatically in PowerShell when one of their commands is used (module auto-loading). The “Get-Module” command lists the modules imported in the current session.

The “Get-Module -ListAvailable” command shows the modules installed and available on the system.

Modules that are not installed must be placed where PowerShell can find them and then imported. Once a module is imported, all of its commands are available. We will add PowerSploit as an example. PowerSploit is no longer maintained, but sometimes we may want to use its capabilities. First, download the package from here. After downloading, copy it into one of the module folders on the PC. There are several module locations; the “$Env:PSModulePath” variable lists them.

We create a folder called PowerSploit in one of those locations and copy all the files from the downloaded package into it. The folder name must match the module’s manifest name (PowerSploit.psd1) for PowerShell to find the module by name.

The “Import-Module PowerSploit” command loads the module into the session (it does not install anything), and all its commands become available.

“Get-Command -Module PowerSploit” lists all commands of this module.

“Get-Help <command>” shows the usage of a command.
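Putting the steps above into one script, as an added example (not the PowerSploit project’s code or the original post’s): it takes the per-user module directory from $Env:PSModulePath, copies the extracted package in, unblocks the downloaded files, imports the module and lists its commands. The download folder path is an assumption and has to be adjusted.

```powershell
# Added example, not from the original post or the PowerSploit project.
# Assumes the package was downloaded and extracted to $downloadedFolder.

$downloadedFolder = 'C:\Users\analyst\Downloads\PowerSploit-master'   # ASSUMED path; adjust
$moduleName       = 'PowerSploit'

# $Env:PSModulePath is a ';'-separated list on Windows (':' elsewhere); the first
# entry is normally the per-user module directory, writable without admin rights.
$userModuleRoot = ($env:PSModulePath -split [regex]::Escape([System.IO.Path]::PathSeparator))[0]
$target = Join-Path $userModuleRoot $moduleName

if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
Copy-Item -Path (Join-Path $downloadedFolder '*') -Destination $target -Recurse -Force

# Files downloaded from the internet carry a Zone.Identifier mark; under a
# RemoteSigned execution policy PowerShell refuses to load them until unblocked.
Get-ChildItem -Path $target -Recurse -File | Unblock-File

# PowerShell finds a module by name only if <folder>\<Name>.psd1 or <Name>.psm1 exists.
$hasManifest = (Test-Path (Join-Path $target "$moduleName.psd1")) -or (Test-Path (Join-Path $target "$moduleName.psm1"))
if (-not $hasManifest) { throw "No $moduleName.psd1 or $moduleName.psm1 found in $target; check the copy step." }

Import-Module -Name $moduleName -ErrorAction Stop
$commands = Get-Command -Module $moduleName
"Loaded $moduleName from $((Get-Module -Name $moduleName).ModuleBase) with $($commands.Count) commands"
$commands | Select-Object -First 5 -Property Name, CommandType
# Get-Help <command> -Full shows the usage of any one of them
```

Expect Microsoft Defender and most EDR products to flag PowerSploit and quarantine files during the copy step; on a monitored host that is the control working, not a packaging error, so do this in an isolated lab VM. If Import-Module still refuses the files after Unblock-File, check Get-ExecutionPolicy: under the Restricted policy that client Windows ships with, no script module loads at all.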