Tag Archives: Threat

Russian Threat Actors are Preparing to Attack Azerbaijan

Large-scale cyber attacks against the electronic information resources of Azerbaijan have been prepared.

The Center for Combating Computer Incidents of the State Service of Special Communication and Information Security of Azerbaijan released information about this.

“The Center for Combating Computer Incidents of the Special Communication and Information Security State Service (XRITDX) monitors cyber attacks against our country 24/7 and has been successfully preventing DDoS and other types of cyber attacks against state information resources since 03.05.2022.”

“XRITDX calls on state and non-state information resource administrators, as well as our citizens, to be careful and vigilant against phishing attacks.”

Today, posts about Azerbaijan in many Russian Telegram channels attracted attention. They state that the threat actor will attack government targets in Azerbaijan for a few weeks.

Later, information about some of Azerbaijan’s airports and important gas station networks being shared in Telegram groups drew attention too.

We will try to share the developments on the subject as soon as possible.

TTP-Based Threat Hunting – Why and How?

In its simplest definition, threat hunting is a process to identify whether adversaries have reached the organization’s network or not.

Despite the many precautions taken at the perimeter and the many technologies in use, breaches cannot be prevented entirely. As a result, technologies that detect whether an attacker is already inside have also come to the fore in recent years. EDR and NDR products are developed and used mainly for this kind of detection, and they use many different methods for it.

Pyramid of Pain

In the event of a breach, the most important way to lower dwell time is to implement a regular and continuous threat hunting process. As discussed in the Pyramid of Pain above, there are several methods for threat hunting: signatures, IoCs, anomaly detection, or TTPs.

A signature can be an IP address, a domain, or a file hash associated with the threat actor, but as you can see above, these sit at the bottom of the pyramid: the attacker can change them very easily, and such indicators often produce false positives. When attackers register a new domain or obtain a new IP address, it is effectively a 0-day for the organization, and detecting the attack via an IoC sweep becomes impossible.

Therefore, using the attackers’ TTPs for threat hunting gives much more accurate results. Attackers do not change the techniques they use frequently, especially if those techniques have been successful before. The MITRE ATT&CK framework is the best reference for this approach. Many organizations have already aligned their infrastructure with ATT&CK or are still working on it; those that haven’t started yet should start as soon as possible.

Threat Intelligence: For better and continuous threat hunting, threat intelligence is essential. There are many tactics and techniques in ATT&CK, and analysts must use threat intel to decide where to start. A good starting point is to identify the actors that are likely to threaten the organization based on its country, region and sector. This prioritizes the TTPs to hunt for. It must be ensured that the threat intel keeps this information up to date.

Developing Hypotheses: After prioritizing the TTPs for hunting, the next step is to create the hypotheses. This step means determining the data that must be collected to detect the adversarial behavior. Based on the required data, it is then determined with which security controls the detection should be made.

At this stage, a gap analysis is also needed to ensure that all the related activity can actually be detected. If necessary, other security controls should be added. This process can be done with security validation tools like Verodin, since in Verodin all tests and reports are ATT&CK based. Hunt teams should verify both that they can obtain the needed logs from every part of the network and that these logs are sent to the SIEM regularly, so Verodin should also be used for these steps.

This data selection phase also makes SIEM use more effective. By understanding the adversarial techniques, organizations can reduce the log size by reducing the volume of data collected. This also means analysts encounter fewer false positive alerts and saves time.

The most annoying thing in SIEM administration is the volume of data. Thus, while we are collecting data from host or network security controls, we should make sure that we do not send useless data to the SIEM. Be careful: both EDR and especially NDR solutions can create huge amounts of data.
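The hypothesis and gap-analysis steps above can be expressed as a small, data-driven hunt. The following is an added example written for this post, not the blog’s or any vendor’s code: each hypothesis names a real ATT&CK technique ID, the log source it needs, and a test over one log record; the gap analysis lists techniques whose source is not reaching the SIEM, and the hunt only runs the hypotheses it can. The event records, host names, user naming convention (`_adm` suffix) and data-source labels are constructed for illustration.

```python
"""TTP-based hunt: prioritized techniques -> hypotheses -> required data -> gap analysis."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass
class Hypothesis:
    technique: str                  # MITRE ATT&CK technique ID (real IDs)
    name: str
    data_source: str                # log source the hypothesis needs (constructed labels)
    test: Callable[[dict], bool]    # True when one log record matches the behaviour


def is_encoded_powershell(ev: dict) -> bool:
    """T1059.001: PowerShell started with an encoded command line."""
    cmd = ev.get("command_line", "").lower()
    return (ev.get("event") == "process_create" and "powershell" in cmd
            and ("-enc " in cmd or "-encodedcommand" in cmd))


def is_schtask_from_temp(ev: dict) -> bool:
    """T1053.005: schtasks creating a task whose action lives in a temp directory."""
    cmd = ev.get("command_line", "").lower()
    return (ev.get("event") == "process_create" and "schtasks" in cmd
            and "/create" in cmd and "\\temp\\" in cmd)


def is_admin_logon_off_hours(ev: dict) -> bool:
    """T1078: admin account (constructed `_adm` convention) logging on outside 08:00-19:00."""
    return (ev.get("event") == "logon" and ev.get("user", "").endswith("_adm")
            and not 8 <= ev.get("hour", 0) < 19)


def is_rdp_from_workstation(ev: dict) -> bool:
    """T1021.001: RDP (3389/tcp) initiated from a workstation rather than a jump host."""
    return (ev.get("event") == "network_flow" and ev.get("dst_port") == 3389
            and ev.get("src_host", "").startswith("WS-"))


# Prioritized hypotheses; in practice the order comes from threat intel for your sector.
HYPOTHESES = [
    Hypothesis("T1059.001", "PowerShell encoded command", "sysmon_process", is_encoded_powershell),
    Hypothesis("T1053.005", "Scheduled task from temp dir", "sysmon_process", is_schtask_from_temp),
    Hypothesis("T1078", "Admin logon off hours", "windows_security", is_admin_logon_off_hours),
    Hypothesis("T1021.001", "RDP from workstation", "network_flow", is_rdp_from_workstation),
]

# Constructed: which sources actually arrive in the SIEM today (no NDR flow data yet).
COLLECTED_SOURCES = {"sysmon_process", "windows_security"}

# Constructed sample events, normalized to a common dict shape.
EVENTS = [
    {"event": "process_create", "host": "WS-17", "hour": 14,
     "command_line": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"event": "process_create", "host": "WS-17", "hour": 14,
     "command_line": "schtasks /create /tn Updater /tr C:\\Users\\Public\\Temp\\u.exe /sc minute"},
    {"event": "process_create", "host": "SRV-01", "hour": 2,
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"event": "logon", "host": "SRV-01", "user": "jdoe_adm", "hour": 3},
    {"event": "logon", "host": "SRV-01", "user": "jdoe", "hour": 3},
    {"event": "network_flow", "src_host": "WS-17", "dst_port": 3389, "hour": 3},
]


def gap_analysis(hypotheses: list[Hypothesis], collected: set[str]) -> list[str]:
    """Technique IDs we cannot hunt for because their data source is not collected."""
    return [h.technique for h in hypotheses if h.data_source not in collected]


def hunt(hypotheses: list[Hypothesis], events: list[dict], collected: set[str]) -> dict[str, list[dict]]:
    """Run every hypothesis whose data is available; return technique ID -> matching events."""
    hits: dict[str, list[dict]] = {}
    for h in hypotheses:
        if h.data_source not in collected:
            continue  # cannot hunt for what we do not collect; see gap_analysis()
        matched = [e for e in events if h.test(e)]
        if matched:
            hits[h.technique] = matched
    return hits


if __name__ == "__main__":
    print("gaps:", gap_analysis(HYPOTHESES, COLLECTED_SOURCES))
    for tid, evs in hunt(HYPOTHESES, EVENTS, COLLECTED_SOURCES).items():
        print(tid, len(evs), "event(s)")
```

The gap list is the input to the validation step: until flow data is collected, the RDP hypothesis cannot produce a hit no matter how good the detection logic is, which is exactly the situation a tool like Verodin is meant to surface.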

Reward for Conti Up To $15m

In May, we reported that the Department of State was offering a reward of up to $10M for information leading to the identification and/or location of any leaders of the Conti ransomware group, with an additional $5M reward for information on anyone conspiring with Conti.

On 25th of July, the Department of State increased the reward to $15M for information that could identify Conti members. The additional $5M reward for information leading to the arrest of the members also still stands.

Conti has been involved in many cyber attacks.

Beware of Django SQL Injection Vulnerability

Django is a free and open source Python web framework maintained by the independent Django Software Foundation.

An issue was discovered (CVE-2022-34265) in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

On 4th of July, the Django Project announced that the vulnerability was fixed in the latest versions, 4.0.6 and 3.2.14. The developers mentioned that they will also release patches for older versions.

Affected Products:
Django main branch
Django 4.1 (currently at beta status)
Django 4.0
Django 3.2
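The “known safe list” that makes an application unaffected is easy to enforce before a request value ever reaches the ORM. Below is an added example for this post, not code from the Django project: the allow-lists contain the kind and lookup_name values Django documents for Trunc() and Extract(), the validators reject anything else, and a constructed helper shows the validation happening before Trunc() is built. The `Order` model, its `created` field, the `myapp` module and the request parameter are assumptions; the helper falls back to returning only the validated kind when Django or that model is not importable.

```python
"""Allow-list the Trunc()/Extract() kind and lookup_name values taken from a request."""
from __future__ import annotations

# Values Django documents for Trunc(kind=...) and Extract(lookup_name=...).
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day", "date", "time", "hour", "minute", "second",
})
EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "day", "week", "week_day", "iso_week_day",
    "hour", "minute", "second",
})


class UnsafeLookupError(ValueError):
    """Raised when a request-supplied kind/lookup_name is not on the allow-list."""


def safe_trunc_kind(value: str | None) -> str:
    """Return the normalized kind if it is a documented Trunc kind, else raise.

    Comparing against a fixed set of constants means unpatched Django never sees
    anything other than a string it already expects.
    """
    kind = (value or "").strip().lower()
    if kind not in TRUNC_KINDS:
        raise UnsafeLookupError(f"unsupported truncation kind: {value!r}")
    return kind


def safe_extract_lookup(value: str | None) -> str:
    """Same check for Extract(lookup_name=...)."""
    lookup = (value or "").strip().lower()
    if lookup not in EXTRACT_LOOKUPS:
        raise UnsafeLookupError(f"unsupported extract lookup: {value!r}")
    return lookup


def summarise_orders_by(kind_param: str | None):
    """Constructed view helper: count a hypothetical Order model per period.

    `kind_param` stands for a query-string value such as ?period=month (assumption).
    Returns (validated_kind, queryset); the queryset is None when Django or the
    hypothetical model is not importable, so the validation itself stays testable.
    """
    kind = safe_trunc_kind(kind_param)  # validated before the ORM sees it
    try:
        from django.db.models import Count
        from django.db.models.functions import Trunc
        from myapp.models import Order  # hypothetical model (assumption)
    except ImportError:
        return kind, None
    qs = (Order.objects
          .annotate(period=Trunc("created", kind))
          .values("period")
          .annotate(n=Count("id"))
          .order_by("period"))
    return kind, qs


if __name__ == "__main__":
    print(summarise_orders_by("Month")[0])        # month
    try:
        summarise_orders_by("month)")
    except UnsafeLookupError as exc:
        print("rejected:", exc)
```

Rejecting with an exception rather than silently defaulting is deliberate: a view can turn it into an HTTP 400, and the rejected value shows up in application logs, which is useful when hunting for probing against this endpoint.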

Weekly Breaches – 22nd of May

Too many breaches happen every day. We just want to share some of the important ones from this week here.

As an important note: these are the attackers’ own claims, and this information needs verification.

Indonesia Vaccine Data:
The threat actor RichTheKid shared that they have 690k records of Indonesian vaccine data, totalling 1.3 GB.

pipl.com Database Leak
pipl.com is one of the most important identity information providers. The threat actor toprakbilen90 claimed to have leaked pipl.com’s database, including first and last names, aliases and past names, e-mail addresses, physical addresses, dates of birth, court and bankruptcy notes, phone numbers, social media profile links, political affiliations, race, religion, skills, gender, past and present employers, automobiles and property. The data is about 2.96GB.

BBVA Mexico
A threat actor shared BBVA Mexico data with screenshots in a private Facebook group. As can be seen from the screenshots the threat actor shared, they include customer identity information, transaction information and so on.

Ministry of Justice – Qatar Database
The threat actor keftar claimed to have the database of Qatar’s Ministry of Justice. The data consists of many CSV files, and its total size is unknown.

Wanted Conti!

Ransomware is a danger that grows day by day, and unfortunately no permanent countermeasure against these attacks exists. For now, the USA seems to be applying the most sensible non-technical measure against ransomware attacks.

The Department of State is offering a reward of up to $10M for information leading to the identification and/or location of any leaders of the Conti ransomware group, with an additional $5M reward for information on anyone conspiring with Conti. The statement was published on 6th of May.

According to several reports, Conti’s annual income is more than $150M, and the group appears to be located in Russia.

We think that rewards are an important measure against ransomware groups because, although many technical measures have been taken and discussed, the number of cases keeps increasing day by day. With this reward, Conti members are likely to be exposed within a few months. We will see together whether such a measure works.

Parrot is Used to Conduct Malicious Campaigns

Parrot TDS (Traffic Direction System) has infected various web servers hosting more than 16,500 websites, ranging from adult content sites to personal websites, university sites, and local government sites.

The situation was discovered by Avast, and the TDS is currently being used to run a campaign called FakeUpdate, which distributes the NetSupport Remote Access Trojan (RAT) via fake browser update notifications.

FakeUpdate Campaign (From Avast’s post)

Parrot TDS acts as a gateway for further malicious campaigns to reach potential victims. Attackers buy TDS services to filter incoming traffic and send it to the final destination serving malicious content.

According to Avast analysts, activity on TDS servers increased in February 2022, when suspicious JavaScript files were detected on compromised web servers.

A detailed technical analysis was shared by Avast here.

Everything About Attack Surface Management

For many years, we have been using vulnerability scanners to identify security weaknesses and flaws in our internet-facing environment. A vulnerability scan is an automated process and is critically important for organizations to see what vulnerabilities they have that attackers could use if they target them.

Despite all this success, widespread use and importance, vulnerability scanning has some gaps when it comes to managing an organization’s attack surface.

Gaps of Vulnerability Scan

A vulnerability scan is an active scan, so it is risky to use on sensitive assets: it can cause slowness and even interruption. Because of this, especially for critical systems that need 24×7 operation, it is a technical risk to the availability of the systems. This is the most important hurdle to making the scanning process continuous. The other one is the technique behind vulnerability scanning: since it is an active scanning process, it takes too long for a wide range of networks. This sometimes causes the scan not to complete in the desired time, scan times slip, and assets go unscanned for a long time. A significant risk remains for vulnerabilities discovered in the time between two scans and for machines newly installed in the DMZ.

For scanning, a scope is determined and scanned periodically. This causes Shadow IT: services that are out of scope for various reasons, or hosted at third-party institutions, remain unscanned. Shadow IT is a very big problem, especially for big organizations.

Vulnerability scanning is a process that focuses only on identifying vulnerabilities. However, attackers may use several other findings about the organization, like misconfigurations, compromised accounts, third-party connections, etc.

What does attack surface management do differently?

There are already several tools on the internet that we can use to check information about our organization: passive subdomain tools, port scanners, certificate and DNS record checkers, etc. Some of them are free and some are paid services.

These services are also checked by attackers in the discovery phase before an attack. So it is very important to check the findings from these tools at frequent intervals. However, there are many such tools, and it seems impossible to check all of them every day for all keywords of the organization. Keyword here means every word that an attacker searches for in the discovery phase, including brand, application, web site and VIP names, among others.

Fundamentally, Attack Surface Management is a passive scanning process that uses these free or paid tools already hosted on the internet. This passive scan provides a continuous scanning process. With the keywords explained above, an Attack Surface Management tool queries all these tools continuously, and since it is a passive scan, there is no risk to the availability of the systems.

Third Party Connections

With developing technology and methods, every company needs to work with many other companies and has direct connections to them for this. The number of these links is increasing day by day. This situation also creates a great opportunity for attackers: in recent years attacks over third-party connections have increased, and they mostly succeed. This requires risk management teams to closely monitor third-party risks.

Very understandably, organizations normally do not let others scan their environment. It is not possible to scan an organization to determine its vulnerabilities before starting a connection with it. All that remains is to rely on the company’s own tests and some paperwork before we make the third-party connection. With Attack Surface Management, identifying their risks before creating the connection can be very fast and risk-free.

What to Expect from Attack Surface Management?

To cover all internet-facing risk, security teams need to master all the assets they have, both hosted at their own institution and at third parties. An Attack Surface Management tool should first show all the assets the organization has. These may include all subdomains, IP addresses, DNS records, cloud environments, certificates, URIs, etc., and also all the technologies the organization is using in its DMZ, like the number of web servers, applications and operating systems.

All these findings are critical for Shadow IT. Systems that are forgotten and not patched for a long time pose big risks for organizations.

The other important – and maybe the most important – output is the vulnerabilities of the systems. Attack Surface Management tools use services like Shodan to investigate vulnerabilities, and unlike a vulnerability scan, Attack Surface Management may show misconfigurations like forgotten default IIS or Apache web pages, default admin panels, and again, IIS or Apache misconfigurations. Also, missing configurations like DMARC records or A records can be important seeds for attackers in their discovery phase.

As we said above, it is critical to scan all of these assets often, preferably every day. Whether this scan can be done every day, and how long it takes, are also very important.

The number of tools an Attack Surface Management product uses in passive scanning is also very important. Do not forget that the main purpose here is to perform the attacker’s discovery phase yourself; a vulnerability or misconfiguration that you cannot detect after these scans, but that the attacker can find, can lead to very bad results.
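Two of the outputs described above, the Shadow IT list and the missing-configuration findings, reduce to simple set and record checks once the passive findings are collected. The following is an added example for this post, not any product’s code: it diffs what external passive sources saw against the internal asset inventory (reporting how many sources agree on each unknown host), and grades the DMARC TXT record of each domain as missing, monitor-only (`p=none`), or enforcing. The domains (under the reserved `.test` TLD), the inventory, the source names and the TXT records are all constructed; a real run would feed in live certificate-transparency, passive-DNS and DNS lookups instead.

```python
"""Shadow IT diff and DMARC posture check over constructed passive-scan findings."""
from __future__ import annotations

# Constructed internal inventory: what the organization believes it owns.
KNOWN_ASSETS = {"www.example-corp.test", "mail.example-corp.test", "vpn.example-corp.test"}

# Constructed findings from passive sources, keyed by source name.
PASSIVE_FINDINGS = {
    "certificate_transparency": {"www.example-corp.test", "dev-old.example-corp.test",
                                 "vpn.example-corp.test"},
    "passive_dns": {"mail.example-corp.test", "dev-old.example-corp.test",
                    "staging.example-corp.test"},
}

# Constructed TXT lookups for _dmarc.<domain>; None means no record was returned.
DMARC_TXT = {
    "example-corp.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.test",
    "example-corp.net": "v=DMARC1; p=none; rua=mailto:dmarc@example-corp.test",
    "example-corp.org": None,
}


def shadow_it(known: set[str], findings: dict[str, set[str]]) -> dict[str, list[str]]:
    """Return unknown host -> sorted list of the passive sources that saw it.

    A host reported by two independent sources is a stronger finding than one
    reported by a single noisy source, so the sources are kept, not just counted.
    """
    unknown: dict[str, list[str]] = {}
    for source, hosts in findings.items():
        for host in hosts - known:
            unknown.setdefault(host, []).append(source)
    return {host: sorted(sources) for host, sources in unknown.items()}


def parse_dmarc(txt: str | None) -> dict[str, str]:
    """Parse a 'tag=value; tag=value' TXT record into a dict; empty if no record."""
    if not txt:
        return {}
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_finding(txt: str | None) -> str:
    """Grade one domain's DMARC record: 'missing', 'monitor-only', 'ok' or 'invalid'."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return "missing"          # no record, or a TXT record that is not DMARC
    policy = tags.get("p", "").lower()
    if policy in ("reject", "quarantine"):
        return "ok"               # enforcing policy
    if policy == "none":
        return "monitor-only"     # record exists but spoofed mail is still delivered
    return "invalid"              # p tag absent or unknown; receivers ignore the record


def dmarc_report(records: dict[str, str | None]) -> dict[str, str]:
    """Grade every domain; only non-'ok' entries need a ticket."""
    return {domain: dmarc_finding(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for host, sources in shadow_it(KNOWN_ASSETS, PASSIVE_FINDINGS).items():
        print(f"unknown asset {host} seen by {', '.join(sources)}")
    for domain, grade in dmarc_report(DMARC_TXT).items():
        print(f"{domain}: DMARC {grade}")
```

Both outputs are the kind of item the Risk Management section expects to land in a ticketing system: an unknown host with its evidence sources, and a domain whose DMARC record is absent or still in monitor mode.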

Risk Management

For risk management processes, all tasks, including vulnerabilities and misconfigurations, should be followed regularly. To provide this, like other vulnerability management solutions, Attack Surface Management tools should be integrated with the organization’s ticketing system. Via this integration, tasks can be assigned to engineers and followed in a single system.

Latest Statement about Okta Incident and Lapsus$

Everything started with a post in the Lapsus$ Telegram group including screenshots of Okta’s admin panel. We shared the news asking whether Okta had been hacked.

An update about the incident came from David Bradbury, the CSO of Okta: “the Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers.”

Subsequently, Okta acknowledged an incident “between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday”, claiming that the impact is limited to the access that support engineers have and that no customers were affected.

In response to this announcement, Lapsus$ also made some statements about the incident and Okta’s post. Lapsus$ also shared a link to Okta’s Security & Privacy Document located on okta.com and claimed that they found AWS keys in Slack.

Okta Hacked?

Since December, we have been reading about the actions of Lapsus$. Samsung, Nvidia, and Ubisoft were some of their victims. Analysts suspect that some of the group’s members are from South America and some from Europe.

Most recently, the group shared a screenshot on their Telegram channel showing that they had reached Okta’s console.

Okta announced that they started an investigation after the hacker group shared the screenshot.

“We will provide updates as more information becomes available,” said Okta officials.

Okta is a major Single Sign-On provider, and a hack could affect thousands of other companies. If verified, an attack on Okta would represent a major attack on digital supply chains. It could cause more damage than the SolarWinds incident, since most major applications of Okta’s customers are already placed in their Okta interface and use single sign-on authentication.