
Apple Updates Everything (iOS, iPadOS, macOS, watchOS, tvOS, visionOS), (Wed, Dec 11th)

This post was originally published on this site

Apple today released patches for all of its operating systems. The updates address 46 different vulnerabilities. Many of the vulnerabilities affect more than one operating system. None of the vulnerabilities are labeled as being already exploited.


Updates released: iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2, watchOS 11.2, tvOS 18.2, visionOS 2.2. Each entry below names the affected component and the updates that contain the fix.

CVE-2023-32395: An app may be able to modify protected parts of the file system.
Affects Perl
Fixed in: macOS Sequoia 15.2

CVE-2024-44201: Processing a malicious crafted file may lead to a denial-of-service.
Affects libarchive
Fixed in: iPadOS 17.7.3, macOS Sonoma 14.7.2, macOS Ventura 13.7.2

CVE-2024-44220: Parsing a maliciously crafted video file may lead to unexpected system termination.
Affects AppleGraphicsControl
Fixed in: macOS Sequoia 15.2, macOS Sonoma 14.7.2

CVE-2024-44224: A malicious app may be able to gain root privileges.
Affects StorageKit
Fixed in: macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2

CVE-2024-44225: An app may be able to gain elevated privileges.
Affects libxpc
Fixed in: iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2, watchOS 11.2, tvOS 18.2

CVE-2024-44243: An app may be able to modify protected parts of the file system.
Affects StorageKit
Fixed in: macOS Sequoia 15.2

CVE-2024-44245: An app may be able to cause unexpected system termination or corrupt kernel memory.
Affects Kernel
Fixed in: iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, macOS Sonoma 14.7.2, visionOS 2.2

CVE-2024-44246: On a device with Private Relay enabled, adding a website to the Safari Reading List may reveal the originating IP address to the website.
Affects Safari
Fixed in: iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2

CVE-2024-44248: A user with screen sharing access may be able to view another user's screen.
Affects Screen Sharing Server
Fixed in: macOS Sonoma 14.7.2, macOS Ventura 13.7.2

CVE-2024-44291: A malicious app may be able to gain root privileges.
Affects Foundation
Fixed in: macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2

CVE-2024-44300: An app may be able to access protected user data.
Affects Crash Reporter
Fixed in: macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2

CVE-2024-54465: An app may be able to elevate privileges.
Affects LaunchServices
Fixed in: macOS Sequoia 15.2

CVE-2024-54466: An encrypted volume may be accessed by a different user without prompting for the password.
Affects DiskArbitration
Fixed in: macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2

CVE-2024-54476: An app may be able to access user-sensitive data.
Affects PackageKit
Fixed in: macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2

CVE-2024-54477: An app may be able to access user-sensitive data.
Affects Apple Software Restore
Fixed in: macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2

CVE-2024-54479: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects WebKit
Fixed in: iPadOS 17.7.3

CVE-2024-54484: An app may be able to access user-sensitive data.
Affects MediaRemote
Fixed in: macOS Sequoia 15.2

CVE-2024-54485: An attacker with physical access to an iOS device may be able to view notification content from the lock screen.
Affects VoiceOver
Fixed in: iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3

CVE-2024-54486: Processing a maliciously crafted font may result in the disclosure of process memory.
Affects FontParser
Fixed in: all eight updates

CVE-2024-54489: Running a mount command may unexpectedly execute arbitrary code.
Affects Disk Utility
Fixed in: macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2

CVE-2024-54490: A local attacker may gain access to user's Keychain items.
Affects AppleMobileFileIntegrity
Fixed in: macOS Sequoia 15.2

CVE-2024-54491: A malicious application may be able to determine a user's current location.
Affects Logging
Fixed in: macOS Sequoia 15.2

CVE-2024-54492: An attacker in a privileged network position may be able to alter network traffic.
Affects Passwords
Fixed in: iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, visionOS 2.2

CVE-2024-54493: Privacy indicators for microphone access may be attributed incorrectly.
Affects Shortcuts
Fixed in: macOS Sequoia 15.2

CVE-2024-54494: An attacker may be able to create a read-only memory mapping that can be written to.
Affects Kernel
Fixed in: all eight updates

CVE-2024-54495: An app may be able to modify protected parts of the file system.
Affects Swift
Fixed in: macOS Sequoia 15.2, macOS Sonoma 14.7.2

CVE-2024-54498: An app may be able to break out of its sandbox.
Affects SharedFileList
Fixed in: macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2

CVE-2024-54500: Processing a maliciously crafted image may result in disclosure of process memory.
Affects ImageIO
Fixed in: all eight updates

CVE-2024-54501: Processing a maliciously crafted file may lead to a denial of service.
Affects SceneKit
Fixed in: all eight updates

CVE-2024-54502: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects WebKit
Fixed in: iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, watchOS 11.2, tvOS 18.2, visionOS 2.2

CVE-2024-54503: Muting a call while ringing may not result in mute being enabled.
Affects Audio
Fixed in: iOS 18.2 and iPadOS 18.2

CVE-2024-54504: An app may be able to access user-sensitive data.
Affects Notification Center
Fixed in: macOS Sequoia 15.2

CVE-2024-54505: Processing maliciously crafted web content may lead to memory corruption.
Affects WebKit
Fixed in: iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, watchOS 11.2, tvOS 18.2, visionOS 2.2

CVE-2024-54506: An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP firmware.
Affects IOMobileFrameBuffer
Fixed in: macOS Sequoia 15.2

CVE-2024-54508: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects WebKit
Fixed in: iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, watchOS 11.2, tvOS 18.2, visionOS 2.2

CVE-2024-54510: An app may be able to leak sensitive kernel state.
Affects Kernel
Fixed in: iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2, watchOS 11.2, tvOS 18.2

CVE-2024-54513: An app may be able to access sensitive user data.
Affects Crash Reporter
Fixed in: iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, watchOS 11.2, tvOS 18.2, visionOS 2.2

CVE-2024-54514: An app may be able to break out of its sandbox.
Affects libxpc
Fixed in: iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2, watchOS 11.2, tvOS 18.2

CVE-2024-54515: A malicious app may be able to gain root privileges.
Affects SharedFileList
Fixed in: macOS Sequoia 15.2

CVE-2024-54524: A malicious app may be able to access arbitrary files.
Affects SharedFileList
Fixed in: macOS Sequoia 15.2

CVE-2024-54526: A malicious app may be able to access private information.
Affects AppleMobileFileIntegrity
Fixed in: iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2, watchOS 11.2, tvOS 18.2

CVE-2024-54527: An app may be able to access sensitive user data.
Affects AppleMobileFileIntegrity
Fixed in: iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2, watchOS 11.2, tvOS 18.2

CVE-2024-54528: An app may be able to overwrite arbitrary files.
Affects SharedFileList
Fixed in: macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2

CVE-2024-54529: An app may be able to execute arbitrary code with kernel privileges.
Affects Audio
Fixed in: macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2

CVE-2024-54531: An app may be able to bypass kASLR.
Affects Kernel
Fixed in: macOS Sequoia 15.2

CVE-2024-54534: Processing maliciously crafted web content may lead to memory corruption.
Affects WebKit
Fixed in: iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, watchOS 11.2, tvOS 18.2, visionOS 2.2

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft Patch Tuesday: December 2024, (Tue, Dec 10th)


Microsoft today released patches for 71 vulnerabilities. 16 of these vulnerabilities are considered critical. One vulnerability (CVE-2024-49138) has already been exploited, and details were made public before today's patch release.

Significant Vulnerabilities

CVE-2024-49138: This vulnerability affects the Windows Common Log File System Driver, a subsystem affected by similar privilege escalation vulnerabilities in the past. The only reason I consider this "significant" is that it is already being exploited.

Windows Remote Desktop Services: 9 of the 16 critical vulnerabilities affect Windows Remote Desktop Services. Exploitation may lead to remote code execution. Microsoft considers the exploitation of these vulnerabilities less likely. Even without considering these vulnerabilities, Windows Remote Desktop Service should not be exposed to the internet.

LDAP: Remote code execution vulnerabilities in the LDAP service are always "interesting" given the importance of LDAP as part of Active Directory. Two critical vulnerabilities are patched for LDAP, one with a CVSS score of 9.8. A third critical vulnerability affects the LDAP client.

CVE-2024-49126: LSASS vulnerabilities always make me reminisce about the "Blaster" worm and the related vulnerability back in the day. This one does involve a race condition, which will make exploitation more difficult. It could become an interesting lateral movement vulnerability if a reliable exploit materializes.

Columns: CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)

Input Method Editor (IME) Remote Code Execution Vulnerability
CVE-2024-49079 | No | No | - | - | Important | 7.8 | 6.8
Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability
CVE-2024-49124 | No | No | - | - | Critical | 8.1 | 7.1
Microsoft Access Remote Code Execution Vulnerability
CVE-2024-49142 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Defender for Endpoint on Android Spoofing Vulnerability
CVE-2024-49057 | No | No | - | - | Important | 8.1 | 7.1
Microsoft Edge (Chromium-based) Spoofing Vulnerability
CVE-2024-49041 | No | No | Less Likely | Less Likely | Moderate | 4.3 | 3.8
Microsoft Excel Remote Code Execution Vulnerability
CVE-2024-49069 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability
CVE-2024-49096 | No | No | - | - | Important | 7.5 | 6.5
Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
CVE-2024-49122 | No | No | - | - | Critical | 8.1 | 7.1
CVE-2024-49118 | No | No | - | - | Critical | 8.1 | 7.1
Microsoft Office Defense in Depth Update
ADV240002 | No | No | - | - | Moderate | - | -
Microsoft Office Elevation of Privilege Vulnerability
CVE-2024-49059 | No | No | - | - | Important | 7.0 | 6.1
CVE-2024-43600 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Office Remote Code Execution Vulnerability
CVE-2024-49065 | No | No | - | - | Important | 5.5 | 4.8
Microsoft SharePoint Elevation of Privilege Vulnerability
CVE-2024-49068 | No | No | - | - | Important | 8.2 | 7.1
Microsoft SharePoint Information Disclosure Vulnerability
CVE-2024-49064 | No | No | - | - | Important | 6.5 | 5.7
CVE-2024-49062 | No | No | - | - | Important | 6.5 | 5.7
Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2024-49070 | No | No | - | - | Important | 7.4 | 6.4
Microsoft/Muzic Remote Code Execution Vulnerability
CVE-2024-49063 | No | No | - | - | Important | 8.4 | 7.3
System Center Operations Manager Elevation of Privilege Vulnerability
CVE-2024-43594 | No | No | - | - | Important | 7.3 | 6.4
Windows Domain Name Service Remote Code Execution Vulnerability
CVE-2024-49091 | No | No | - | - | Important | 7.2 | 6.3
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2024-49114 | No | No | - | - | Important | 7.8 | 6.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2024-49088 | No | No | - | - | Important | 7.8 | 6.8
CVE-2024-49090 | No | No | - | - | Important | 7.8 | 6.8
CVE-2024-49138 | Yes | Yes | - | - | Important | 7.8 | 6.8
Windows File Explorer Information Disclosure Vulnerability
CVE-2024-49082 | No | No | - | - | Important | 6.8 | 5.9
Windows Hyper-V Remote Code Execution Vulnerability
CVE-2024-49117 | No | No | - | - | Critical | 8.8 | 7.7
Windows IP Routing Management Snapin Remote Code Execution Vulnerability
CVE-2024-49080 | No | No | - | - | Important | 8.8 | 7.7
Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-49084 | No | No | - | - | Important | 7.0 | 6.1
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
CVE-2024-49074 | No | No | - | - | Important | 7.8 | 6.8
Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
CVE-2024-49121 | No | No | - | - | Important | 7.5 | 6.5
CVE-2024-49113 | No | No | - | - | Important | 7.5 | 6.5
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
CVE-2024-49112 | No | No | - | - | Critical | 9.8 | 8.5
CVE-2024-49127 | No | No | - | - | Critical | 8.1 | 7.1
Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
CVE-2024-49126 | No | No | - | - | Critical | 8.1 | 7.1
Windows Mobile Broadband Driver Elevation of Privilege Vulnerability
CVE-2024-49073 | No | No | - | - | Important | 6.8 | 5.9
CVE-2024-49092 | No | No | - | - | Important | 6.8 | 5.9
CVE-2024-49077 | No | No | - | - | Important | 6.8 | 5.9
CVE-2024-49078 | No | No | - | - | Important | 6.8 | 5.9
CVE-2024-49083 | No | No | - | - | Important | 6.8 | 5.9
CVE-2024-49110 | No | No | - | - | Important | 6.8 | 5.9
Windows Mobile Broadband Driver Information Disclosure Vulnerability
CVE-2024-49087 | No | No | - | - | Important | 4.6 | 4.0
Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability
CVE-2024-49097 | No | No | - | - | Important | 7.0 | 6.1
CVE-2024-49095 | No | No | - | - | Important | 7.0 | 6.1
Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
CVE-2024-49129 | No | No | - | - | Important | 7.5 | 6.5
Windows Remote Desktop Services Remote Code Execution Vulnerability
CVE-2024-49106 | No | No | - | - | Critical | 8.1 | 7.1
CVE-2024-49108 | No | No | - | - | Critical | 8.1 | 7.1
CVE-2024-49115 | No | No | - | - | Critical | 8.1 | 7.1
CVE-2024-49119 | No | No | - | - | Critical | 8.1 | 7.1
CVE-2024-49120 | No | No | - | - | Critical | 8.1 | 7.1
CVE-2024-49123 | No | No | - | - | Critical | 8.1 | 7.1
CVE-2024-49132 | No | No | - | - | Critical | 8.1 | 7.1
CVE-2024-49116 | No | No | - | - | Critical | 8.1 | 7.1
CVE-2024-49128 | No | No | - | - | Critical | 8.1 | 7.1
Windows Remote Desktop Services Denial of Service Vulnerability
CVE-2024-49075 | No | No | - | - | Important | 7.5 | 6.5
Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
CVE-2024-49093 | No | No | - | - | Important | 8.8 | 7.7
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-49085 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-49086 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-49089 | No | No | - | - | Important | 7.2 | 6.3
CVE-2024-49102 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-49104 | No | No | - | - | Important | 8.8 | 7.7
CVE-2024-49125 | No | No | - | - | Important | 8.8 | 7.7
Windows Task Scheduler Elevation of Privilege Vulnerability
CVE-2024-49072 | No | No | - | - | Important | 7.8 | 6.8
Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
CVE-2024-49076 | No | No | - | - | Important | 7.8 | 6.8
Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability
CVE-2024-49098 | No | No | - | - | Important | 4.3 | 3.8
CVE-2024-49099 | No | No | - | - | Important | 4.3 | 3.8
CVE-2024-49103 | No | No | - | - | Important | 4.3 | 3.8
Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability
CVE-2024-49094 | No | No | - | - | Important | 6.6 | 5.8
CVE-2024-49101 | No | No | - | - | Important | 6.6 | 5.8
CVE-2024-49111 | No | No | - | - | Important | 6.6 | 5.8
CVE-2024-49081 | No | No | - | - | Important | 6.6 | 5.8
CVE-2024-49109 | No | No | - | - | Important | 6.6 | 5.8
WmsRepair Service Elevation of Privilege Vulnerability
CVE-2024-49107 | No | No | - | - | Important | 7.3 | 6.4


Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu


[Guest Diary] Business Email Compromise, (Thu, Dec 5th)


[This is a Guest Diary by Chris Kobee, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].]

Business Email Compromise (BEC) is a lucrative attack: FBI data shows 51 billion dollars in losses between 2013 and 2022 [2]. According to SentinelOne, nearly all cybersecurity attacks (98%) contain a social engineering component [3]. Social engineering attacks include phishing, spear phishing, smishing, whaling, etc. Figure 1 shows the distribution of social engineering attacks worldwide from Statista, covering scamming, phishing, and BEC [4]. Scamming is the leader, followed by phishing and BEC [5]. BEC and other social engineering attacks are the path of least resistance, with a high rate of success compared to attempting technical network intrusions.

In May 2024, a significant cybersecurity incident unfolded within an organization, showcasing the vulnerabilities that can arise from BEC harvesting user credentials and the exploitation of cloud services like Microsoft 365. This post aims to break down the events, identify the vulnerabilities exploited, and review implemented and proposed mitigations to thwart similar threats.

Figure 1: Distribution of Worldwide Social Engineering Attacks

Organization Incident Overview

From May 20 to 23, 2024, a threat actor successfully accessed a Microsoft 365 account belonging to a user in the organization's accounting department using the user's valid credentials. The actor manipulated account details in a pending invoice and redirected funds to their own bank account. The incident was characterized by several key actions, beginning on May 20 when the actor successfully logged into the Microsoft 365 account after a rejection pattern of an expired session ID and MFA denials.

The actor conducted reconnaissance on May 22, potentially identifying the pending vendor invoices for payment. The attacker logged into the user's email account on May 23 and created a new inbox rule to direct any correspondence containing the vendor organization's name to the RSS Feeds folder in the inbox. The actor altered the target document and sent it to the next stage in the approval process. The accounting department's processes broke down and did not catch spelling and grammar errors that could have tipped them off to potential fraud. The document was approved, the ACH payment was authorized, and payment was completed. The organization's Managed Service Provider/Managed Security Service Provider (MSP/MSSP) received an alert and re-secured the account later in the early evening, effectively locking out the actor. Figures 2 and 3 display a high-level summary of the events and timeline.


Figure 2: Business Email Compromise Attack Timeline



Figure 3: Threat Actor Login Attempts

Initial Access

The attacker logged into the organization's M365 tenant using compromised credentials on May 20, 2024, and re-entered the system on May 22 for reconnaissance. The actor appears to have conducted reconnaissance on May 22 for approximately thirty-four minutes, during which the pending invoice was potentially discovered.

Fraud Executed

On May 23, the attacker logged into the email account and executed bank fraud by altering the invoice's destination bank account. They also implemented new inbox rules (Figure 4) within the Outlook account to obscure their activities by redirecting any email traffic containing the vendor's name to an obscure folder. The newly created inbox rules, one for each organizational name the vendor employs, directed any incoming communications to the RSS Feeds folder, hiding them from the authorized account user. The target vendor had been purchased by another company and sends correspondence under both company names, which the attacker covered with the two rules. The attacker sent the fraudulent invoice to the next accounting staff member for further processing.


Figure 4: Threat Actor Action on Objective


Covered Tracks 

The threat actor attempted to cover their actions by deleting the items and folders created while in the organization's cloud account (Figure 5), withdrew the funds shortly after the transfer, and closed the bank account. The organization reached out to the actor's financial institution to reverse the payment, but the financial institution rejected the request because the account had been closed.


Figure 5: Threat Actor’s Covering Tracks Attempt

Detection 

The organization's MSP/MSSP detected an unusual inbox rule change and re-secured the compromised account (Figure 6), but not before the attacker could execute their plan.


Figure 6: Threat Actor Activity Detected by MSP/MSSP


Analysis 

Analysis of the logs provided by the Cloud Service Provider suggests that MFA was bypassed and points to potential collusion or manipulation of the organization's assigned user. Further research revealed a CVE written against the Microsoft Authenticator application employed by the organization on company-issued and BYOD mobile devices.

Multi-Factor Authentication (MFA)

MFA was enabled during the attack, with logs indicating the attacker faced several denied attempts before successfully logging in. This suggests potential insider collusion, manipulation of the authorized user, and/or an Attacker-in-the-Middle tool, such as evilginx2 [5] or a later version, used to phish user credentials and session cookies and to bypass MFA. Figure 7 depicts the pattern of a failed login with an expired session ID, followed by three failed logins due to MFA denials, and then a successful login, on both May 20 and May 22 [6].


Figure 7: Threat Actor Login Attempt Pattern
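Detection logic for the two indicators this diary describes, the inbox rules that hide vendor mail in the RSS Feeds folder (Figure 4) and the expired-session, repeated-MFA-denial, then-success login pattern (Figure 7), as an added example that is not part of the original diary or of the MSP/MSSP's tooling. The sign-in events and audit records are constructed, with field names simplified from Entra ID sign-in logs and Exchange Online audit records; the 15-minute window, the three-denial threshold and the hiding-folder list are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Microsoft's long description of the MFA-denial error, as quoted in the diary.
MFA_DENIED_TEXT = ("Strong authentication is required and the user "
                   "did not pass the MFA challenge")
# Folders a mailbox owner rarely opens. "RSS Feeds" is the folder used in this
# incident; "RSS Subscriptions" is the same folder's older display name
# (assumption for this example).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions"}


def find_mfa_denial_bursts(signins, min_denials=3, window=timedelta(minutes=15)):
    """Flag a successful sign-in that follows >= min_denials MFA denials from the
    same user and source IP within `window` (the Figure 7 pattern)."""
    by_actor = defaultdict(list)
    for ev in signins:
        by_actor[(ev["user"], ev["ip"])].append(ev)
    alerts = []
    for (user, ip), events in by_actor.items():
        events.sort(key=lambda e: e["time"])
        recent_denials = []
        for ev in events:
            # Forget denials that are older than the window.
            recent_denials = [t for t in recent_denials if ev["time"] - t <= window]
            if ev["result"] == "failure" and ev.get("reason") == MFA_DENIED_TEXT:
                recent_denials.append(ev["time"])
            elif ev["result"] == "success" and len(recent_denials) >= min_denials:
                alerts.append({"user": user, "ip": ip,
                               "denials": len(recent_denials),
                               "success_at": ev["time"].isoformat()})
                recent_denials = []
    return alerts


def find_hiding_inbox_rules(audit_records):
    """Flag New-InboxRule/Set-InboxRule audit records whose rule moves mail into a
    hiding folder or deletes it (the Figure 4 behaviour)."""
    alerts = []
    for rec in audit_records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        folder = params.get("MoveToFolder", "")
        deletes = str(params.get("DeleteMessage", "")).lower() == "true"
        if folder.lower() in HIDING_FOLDERS or deletes:
            alerts.append({
                "user": rec["UserId"],
                "rule_name": params.get("Name", ""),
                "folder": folder if folder else "<deleted>",
                # Which words or senders the rule hides, e.g. the vendor's names.
                "conditions": {k: v for k, v in params.items() if k.endswith("ContainsWords")},
            })
    return alerts


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sign-in events (simplified Entra ID sign-in log fields).
SAMPLE_SIGNINS = [
    # Attacker from 203.0.113.7: expired session, three MFA denials, then success.
    {"user": "ap.clerk@example.org", "ip": "203.0.113.7", "time": _t("2024-05-20T14:02:10"),
     "result": "failure", "reason": "The session has expired"},
    {"user": "ap.clerk@example.org", "ip": "203.0.113.7", "time": _t("2024-05-20T14:02:41"),
     "result": "failure", "reason": MFA_DENIED_TEXT},
    {"user": "ap.clerk@example.org", "ip": "203.0.113.7", "time": _t("2024-05-20T14:03:05"),
     "result": "failure", "reason": MFA_DENIED_TEXT},
    {"user": "ap.clerk@example.org", "ip": "203.0.113.7", "time": _t("2024-05-20T14:03:30"),
     "result": "failure", "reason": MFA_DENIED_TEXT},
    {"user": "ap.clerk@example.org", "ip": "203.0.113.7", "time": _t("2024-05-20T14:04:05"),
     "result": "success", "reason": ""},
    # Legitimate user from the office: one mistyped code, then success.
    {"user": "ap.clerk@example.org", "ip": "198.51.100.10", "time": _t("2024-05-20T08:15:00"),
     "result": "failure", "reason": MFA_DENIED_TEXT},
    {"user": "ap.clerk@example.org", "ip": "198.51.100.10", "time": _t("2024-05-20T08:15:30"),
     "result": "success", "reason": ""},
]

# Constructed Exchange Online audit records (simplified): one rule per vendor name.
SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.org", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectOrBodyContainsWords", "Value": "VendorCo"},
        {"Name": "MoveToFolder", "Value": "RSS Feeds"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.org", "Parameters": [
        {"Name": "Name", "Value": ".."},
        {"Name": "FromAddressContainsWords", "Value": "vendorco-parent.example"},
        {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.org", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "FromAddressContainsWords", "Value": "news@"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

if __name__ == "__main__":
    for alert in find_mfa_denial_bursts(SAMPLE_SIGNINS):
        print("MFA denial burst:", alert)
    for alert in find_hiding_inbox_rules(SAMPLE_AUDIT):
        print("Hiding inbox rule:", alert)
```

Both checks key on fields the tenant already logs, so they can run against exported sign-in and audit data without extra instrumentation.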


Vulnerability in Microsoft Authenticator

The incident points to a specific vulnerability (CVE-2024-21390) in the Microsoft Authenticator application (Figure 8), which can be exploited if an attacker gains access to the user's local device and convinces the user to relaunch the authenticator app [7][8]. The threat actor potentially compromised the user's mobile device through malware delivered via a phishing or smishing vector, providing the opportunity to manipulate the user into closing and re-launching the application on the mobile device.


Figure 8: Microsoft Authenticator Vulnerability


Conclusion, Mitigations, Lessons Learned

Business Email Compromise was the main factor in this attack, as the threat actor used it as the attack vector and sent emails within the accounting department from the compromised user's account to commit bank fraud. The attacker most likely obtained the user's credentials through a phishing email that tricked the user into clicking a link and entering credentials on a web page closely resembling a Microsoft login page. Due to the nature of the Cloud Service Provider (CSP) / Cloud Customer Software as a Service (SaaS) model employed by the organization, limited logging and insight are available, as the CSP manages the lower network layers. Analysis of the provided logs suggests that MFA was enabled and operational before, during, and after the incident. The pattern of MFA rejections, with the error code whose long description Microsoft defines as "Strong authentication is required and the user did not pass the MFA challenge", indicates potential insider collusion (witting or unwitting) to authenticate the attacker, but the rapid succession of MFA denials before the successful login is evidence of an automated attack, such as evilginx2 interacting with the MFA server.

After a thorough review, the organization found gaps in log auditing by the organization and the MSP/MSSP, as well as process gaps in the affected department. MFA and password complexity were in place, but appear to have been bypassed. The MSP/MSSP alerting process operated successfully, allowing the account to be re-secured quickly to prevent further lateral movement, privilege escalation, or establishment of a C2 channel. The following Information Security mitigations were adopted to address the gaps:

  • All corporate personnel involved in accounting-related duties were issued digital signature tokens from an external certification authority to enforce non-repudiation. Digitally signed emails provide recipients in the accounting department with validation that the sender is the authorized user.
  • Internal IT/Cybersecurity personnel audit authentication logs provided by MSP/MSSP monthly.
  • Organization confirmed log retention of one year.
  • Confirmed through MSP/MSSP the Microsoft Authenticator application is the current patched version.
  • Developing a corporate phishing simulation program based on the Gophish open-source framework with custom Python automation scripts.
  • Increasing the frequency of phishing email and social engineering bulletins and awareness training.

Lessons Learned:

  • Technical: Ensure authentication applications are patched and updated.
  • Training and Awareness: Increase organizational awareness of malicious phishing and smishing attempts.
  • Policy: Ensure data and document flow policies are understood and followed.
  • Policy/Compliance: Continue to improve Cybersecurity posture by working closer with the MSP/MSSP to ensure controls and policies are clear, updated, and enforced.

Organizations can apply the lessons learned in this post to avoid the financial losses and compliance reporting requirements this target organization suffered. Training and awareness, coupled with continuous improvement in cybersecurity posture, will harden the organization's users and systems against social engineering and technical network attacks and intrusions.


[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
[2] https://abnormalsecurity.com/blog/fbi-bec-51-billion-threat
[3] https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-statistics/#:~:text=Almost%20all%20(98%25)%20cyberattacks,individuals%20into%20divulging%20sensitive%20information
[4] https://www.statista.com/statistics/1493497/globla-social-engineering-attack-by-type/
[5] https://www.kali.org/tools/evilginx2/
[6] https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
[7] https://nvd.nist.gov/vuln/detail/CVE-2024-21390
[8] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21390


Jesse La Grew
Handler


Data Analysis: The Unsung Hero of Cybersecurity Expertise [Guest Diary], (Wed, Dec 4th)


[This is a Guest Diary by Robert Cao, an ISC intern as part of the SANS.edu BACS program]

As a cybersecurity professional, I've always prided myself on my technical skills—understanding protocols, setting up secure systems, and knowing the ins and outs of firewalls and authentication mechanisms. But a recent deep dive into firewall and SSH logs taught me a lesson I wasn’t expecting: being technically savvy is only part of the equation. True success in cybersecurity also hinges on being an effective data analyst.

When I began examining the logs, I expected to find the usual culprits—brute force attempts, unusual traffic patterns, and the occasional misconfiguration. What I didn’t expect was how the data itself would tell a story far more valuable than any single technical fix. For instance, a repetitive pattern in the SSH logs from IP 137.184.185.209 showcased over 30 login attempts using common credentials like root paired with passwords such as Qaz@123456. At first glance, it seemed like just another brute force attempt. However, when I correlated this with firewall data, the same IP surfaced as repeatedly probing port 2222, a non-standard SSH port. Suddenly, it became clear: the actor wasn’t just relying on brute force; they were systematically targeting configurations presumed to be "secure by obscurity."

This realization made me question my own assumptions. In the past, I might have simply blocked the IP and moved on, feeling satisfied that I had applied a technical fix. But digging deeper into the data revealed patterns that informed broader strategies. Why was port 2222 being targeted? Could it be part of a larger campaign? These questions led to a more proactive approach: not just reacting to the attack, but trying to anticipate the next one.

Another revelation came from looking at overlapping datasets. By comparing SSH logs with firewall activity, I found four IPs—including 47.236.168.148 and 54.218.26.129—engaged in both brute force attempts and network probes. These actors were persistent, attempting to exploit systems over a short but intense window of time. Without correlating these datasets, I might have missed the coordinated nature of the attack entirely. This experience drove home the importance of cross-referencing data sources to uncover insights that no single log file could reveal.

Perhaps the most humbling realization was understanding that even advanced technical setups are only as good as the decisions behind them. Configurations that allowed root logins or didn’t enforce rate-limiting created vulnerabilities actors could exploit. As I analyzed the logs, I saw not just the actors' actions but also the blind spots in my own system's defenses. Technical knowledge helped me secure the systems, but it was the data analysis that highlighted the gaps.
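The cross-referencing the diary describes, as an added example that is not the author's own analysis code: it joins failed SSH logins from auth.log with firewall log entries and flags sources that both brute-force SSH and probe port 22 or 2222, noting whether root was tried, since a hardened sshd refuses root logins outright. The log lines are constructed (the three source addresses are the ones named in the diary; hosts, ports and timestamps are invented), and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# sshd auth.log line, e.g. "Failed password for root from 137.184.185.209 port 51234 ssh2"
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
# iptables-style firewall log, e.g. "... SRC=137.184.185.209 DST=192.0.2.10 PROTO=TCP ... DPT=2222 ..."
FW_LINE = re.compile(r"SRC=(?P<ip>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)")


def ssh_failures(lines):
    """Per-IP count of failed SSH logins and the usernames tried."""
    fails, users = Counter(), defaultdict(set)
    for line in lines:
        m = SSH_FAIL.search(line)
        if m:
            fails[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return fails, users


def firewall_probes(lines):
    """Per-IP set of TCP destination ports seen in the firewall log."""
    ports = defaultdict(set)
    for line in lines:
        m = FW_LINE.search(line)
        if m and m["proto"] == "TCP":
            ports[m["ip"]].add(int(m["dport"]))
    return ports


def correlate(ssh_lines, fw_lines, min_failures=3, watch_ports=(22, 2222)):
    """Sources that both brute-force SSH (>= min_failures) and probe a watched port,
    ordered by failure count. Neither log alone shows this overlap."""
    fails, users = ssh_failures(ssh_lines)
    ports = firewall_probes(fw_lines)
    hits = []
    for ip, n in fails.most_common():
        probed = ports.get(ip, set()) & set(watch_ports)
        if n >= min_failures and probed:
            hits.append({"ip": ip, "ssh_failures": n,
                         "tried_root": "root" in users[ip],
                         "probed_ports": sorted(probed)})
    return hits


# Constructed log lines; the three source addresses are the ones named in the diary.
SSH_LOG = [
    "May 30 02:11:01 host sshd[811]: Failed password for root from 137.184.185.209 port 51234 ssh2",
    "May 30 02:11:03 host sshd[811]: Failed password for root from 137.184.185.209 port 51240 ssh2",
    "May 30 02:11:05 host sshd[813]: Failed password for root from 137.184.185.209 port 51251 ssh2",
    "May 30 02:11:07 host sshd[815]: Failed password for invalid user admin from 137.184.185.209 port 51262 ssh2",
    "May 30 03:40:12 host sshd[902]: Failed password for root from 47.236.168.148 port 40001 ssh2",
    "May 30 03:40:14 host sshd[902]: Failed password for root from 47.236.168.148 port 40003 ssh2",
    "May 30 03:40:16 host sshd[904]: Failed password for root from 47.236.168.148 port 40010 ssh2",
    "May 30 04:02:00 host sshd[950]: Failed password for invalid user test from 54.218.26.129 port 33000 ssh2",
    "May 30 09:00:00 host sshd[1201]: Accepted publickey for deploy from 198.51.100.10 port 50122 ssh2",
]
FW_LOG = [
    "May 30 02:10:55 host kernel: IN=eth0 OUT= SRC=137.184.185.209 DST=192.0.2.10 PROTO=TCP SPT=51200 DPT=2222 SYN",
    "May 30 02:10:56 host kernel: IN=eth0 OUT= SRC=137.184.185.209 DST=192.0.2.10 PROTO=TCP SPT=51201 DPT=22 SYN",
    "May 30 03:40:05 host kernel: IN=eth0 OUT= SRC=47.236.168.148 DST=192.0.2.10 PROTO=TCP SPT=39990 DPT=2222 SYN",
    "May 30 04:01:50 host kernel: IN=eth0 OUT= SRC=54.218.26.129 DST=192.0.2.10 PROTO=TCP SPT=32990 DPT=2222 SYN",
    "May 30 05:00:00 host kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353",
]

if __name__ == "__main__":
    for hit in correlate(SSH_LOG, FW_LOG):
        print(hit)
```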

This experience shifted my mindset. Cybersecurity isn't just about firewalls, encryption, and protocols—it's about understanding the data these systems generate. Data analysis is what transforms raw logs into actionable intelligence. It’s what turns a technically skilled professional into a strategist capable of predicting, preventing, and responding to threats effectively.

If there’s one thing I’ve learned, it’s that cybersecurity professionals must wear at least two hats: the technical expert and the data analyst. Technical skills build the foundation, but it’s the analysis of data that sharpens defenses and enables proactive security. As threats evolve and actors become more sophisticated, so too must our approach. Data is the key, and learning to harness its power is just as important as mastering the latest technical tools.


Guy Bruneau, IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


Extracting Files Embedded Inside Word Documents, (Tue, Dec 3rd)


I found a sample that is a Word document with an embedded executable. I'll explain how to extract the embedded executable with my tools.

First I check with file-magic.py:

The identification says Word 2007+, so this is an OOXML document. These are ZIP containers that can be analyzed with zipdump.py to take a look inside:

Stream 6 (oleObject1.bin) is an OLE object that embeds the executable. There's no need to extract that OLE file from the OOXML container, oledump.py can handle this:

The O indicator for stream A2 tells us that this stream is the OLE data structure embedding the executable.

Selecting this stream and using option -i gives us info about the OLE contained, and the contained file:

This metadata gives you the names of the embedded file and its hashes, allowing me to look it up directly on VirusTotal, for example: 3d5fe12c0aa783252431834ed8e370102f47df65165680824b9287faa88e088a.

The file can also be extracted with option -e:

Malicious Word documents like these don't execute the embedded file when the document is opened: that requires social engineering to entice the user to double-click the embedded file.
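An added example, not one of Didier's tools, of the two layers the post walks through: the OOXML ZIP container with its word/embeddings/oleObject1.bin member, and the Ole10Native record that carries the embedded file's names, size and data, from which the hashes option -i reports are computed. The document and the record are constructed in memory; the Ole10Native layout follows what oledump/oletools parse, and, as a simplification, the sample stores the bare record where a real document stores an OLE compound file that contains it as a stream.

```python
import hashlib
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file signature


def list_ole_embeddings(ooxml_bytes):
    """Names of embedded objects (word/embeddings/*.bin) inside an OOXML ZIP."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        return [n for n in z.namelist()
                if n.startswith("word/embeddings/") and n.lower().endswith(".bin")]


def read_zip_member(ooxml_bytes, name):
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        return z.read(name)


def parse_ole10native(stream):
    """Parse the body of a \\x01Ole10Native stream (the 'Package' layout for an
    embedded file): declared size, flags WORD, label, source path, two DWORDs,
    temp path, payload size, payload. Layout as parsed by oledump/oletools."""
    declared_size = struct.unpack_from("<I", stream, 0)[0]
    label, rest = stream[6:].split(b"\x00", 1)      # bytes 4..5 hold the flags WORD
    src_path, rest = rest.split(b"\x00", 1)
    temp_path, rest = rest[8:].split(b"\x00", 1)    # skip two DWORDs before the temp path
    size = struct.unpack_from("<I", rest, 0)[0]
    data = rest[4:4 + size]
    if len(data) != size:
        raise ValueError("truncated embedded file: expected %d bytes, got %d" % (size, len(data)))
    return {"declared_size": declared_size,
            "label": label.decode("latin-1"), "src_path": src_path.decode("latin-1"),
            "temp_path": temp_path.decode("latin-1"), "size": size,
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(), "data": data}


def build_ole10native(label, src_path, temp_path, payload):
    """Serialise the same layout; used here only to construct the sample."""
    body = (struct.pack("<H", 2)
            + label.encode() + b"\x00" + src_path.encode() + b"\x00"
            + struct.pack("<II", 0x00030000, len(temp_path) + 1)
            + temp_path.encode() + b"\x00"
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


# Constructed payload: starts with the "MZ" marker but is not a real executable.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real PE\n"
SAMPLE_RECORD = build_ole10native("invoice.exe", r"C:\Users\victim\invoice.exe",
                                  r"C:\Users\victim\AppData\Local\Temp\invoice.exe",
                                  SAMPLE_PAYLOAD)


def build_sample_docx(record):
    """Minimal OOXML ZIP. Simplification: a real oleObject1.bin is an OLE compound
    file holding the Ole10Native stream (which oledump.py extracts); here the bare
    record is stored so that the example needs no OLE parser."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin", record)
    return buf.getvalue()


SAMPLE_DOCX = build_sample_docx(SAMPLE_RECORD)


def describe_embeddings(ooxml_bytes):
    """Metadata (names, size, hashes) for each embedded record, as option -i shows it."""
    out = []
    for name in list_ole_embeddings(ooxml_bytes):
        raw = read_zip_member(ooxml_bytes, name)
        if raw.startswith(OLE_MAGIC):
            raise NotImplementedError("real OLE container: extract the Ole10Native stream first")
        info = parse_ole10native(raw)
        info["member"] = name
        out.append(info)
    return out


if __name__ == "__main__":
    for info in describe_embeddings(SAMPLE_DOCX):
        print(info["member"], info["label"], info["size"], info["sha256"])
```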


Didier Stevens
Senior handler
blog.DidierStevens.com


Credential Guard and Kerberos delegation, (Mon, Dec 2nd)


The vast majority of red team exercises that I (and my team, of course) have been doing lately are assumed breach scenarios. In an assumed breach scenario (and we cover this in the amazing SEC565: Red Team Operations and Adversary Emulation SANS course that I also teach!) the red team is usually given access as a non-privileged domain user, simulating an attacker that has somehow already established a first foothold in the organization.

This works quite well, as we know that eventually the attacker will succeed and get a victim (most of the time through some kind of social engineering) to execute their binary. So the first part of such an engagement is to create a malicious binary (an implant) that will evade the security controls in the target organization. Most red teams will have specialists for this.

The next step is delivery of the implant and its execution in the context of a regular, non-privileged domain user, on the workstation designated for the red team exercise. And if everything works well, we’ll get that beacon communicating with our front-end servers.

What now? While there are many things we do next, such as building some awareness of the organization, setting up persistence, and trying to move laterally, there are cases when we would like to fetch the user’s password, or their TGT (Ticket Granting Ticket) for Kerberos. Some actions will not need this, as we can use the built-in Windows authentication of the process our beacon is running under, but if you want, for example, to start a SOCKS proxy and tunnel some tools from your office, we will need to authenticate to target services, and for that we will need either the user’s password, their password hash, or their TGT. How do we get one through our implant, considering that we do not have local administrator privileges yet?

Unconstrained delegation

Back in 2018, Benjamin Delpy, the famous Mimikatz/Kekeo author, published a very interesting method (https://x.com/gentilkiwi/status/998219775485661184) of obtaining a user’s TGT without requiring administrator privileges.

The trick is the following: as our implant is running as a regular user that is already authenticated, we use the Kerberos GSS-API (SSPI on Windows), with delegation requested, to ask for a ticket to a service, but not just any service: one that has been configured for unconstrained delegation!

The idea is the following. The service ticket that the domain controller returns for such a service carries the ok-as-delegate flag. In a normal workflow the Kerberos client on our machine converts this ticket into an application request (AP-REQ) that is sent to the target service, and because the ticket says the service may delegate, the client also requests a forwarded copy of our own TGT from the domain controller and packs it into that AP-REQ, so that the service can later impersonate us.

An AP-REQ is made up of two components: a ticket and an authenticator. We are interested in the authenticator. It is encrypted with the ticket's session key, which is known to us (the client) and to the target service we want to access. And this is where Benjamin's great research comes into play: if we request a service ticket for a service that has been configured for unconstrained delegation, the authenticator will contain our forwarded TGT, packed as a KRB-CRED structure in its checksum field together with the session key that goes with it (since the target service will need both to use the TGT)!

In other words, we can carve out the TGT of the currently logged-in user, without needing administrator privileges! This functionality exists in Rubeus (the tgtdeleg command), but if you are running a Cobalt Strike implant (in SEC565 we use Cobalt Strike and Empire), it is better to use a BOF for this purpose. There are several BOFs you can use; one I like is the tgtdelegation BOF available at https://github.com/connormcgarr/tgtdelegation

Before we start using it, one thing we did not mention is how to find a service that has been configured for unconstrained delegation. This is actually trivial, as Domain Controllers are configured for unconstrained delegation by default (their computer accounts carry the TRUSTED_FOR_DELEGATION flag in userAccountControl), so we can use, for example, CIFS/domain.controller or HOST/domain.controller as target SPNs. Any other account with that flag set would work as well.

The figure above (the BOF's output, not reproduced in this text version) shows how easy it is to fetch the TGT. You can see how the BOF displayed the AP-REQ output, extracted the session key, identified the encryption algorithm (AES256) and finally (not visible) extracted the TGT.
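Before pointing the BOF at a target, it pays to list the accounts in the domain that actually carry the unconstrained delegation flag, and to know which user accounts will never get a TGT forwarded (the "sensitive" flag that comes up again in the next section). The following is an added example, not code from this diary, from Rubeus or from the tgtdelegation BOF: it encodes the userAccountControl bits that decide both, shows the LDAP bit-AND filter a real query against the domain uses, and classifies a set of constructed sample accounts (the names, SPNs and values are made up for illustration).

```python
"""Classify AD accounts by their Kerberos delegation settings.

Added example, not from the ISC diary, Rubeus or the tgtdelegation BOF.
The account records below are constructed sample data, not real domain output.
"""

# userAccountControl bit flags (values from the AD schema documentation).
UF_NORMAL_ACCOUNT = 0x0000200
UF_WORKSTATION_TRUST_ACCOUNT = 0x0001000        # member computer
UF_SERVER_TRUST_ACCOUNT = 0x0002000             # domain controller
UF_TRUSTED_FOR_DELEGATION = 0x0080000           # unconstrained delegation
UF_NOT_DELEGATED = 0x0100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
                                                # (the target list itself lives in msDS-AllowedToDelegateTo)

# LDAP filter that returns every unconstrained-delegation account in the domain.
# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND matching rule.
LDAP_FILTER_UNCONSTRAINED = (
    "(userAccountControl:1.2.840.113556.1.4.803:=%d)" % UF_TRUSTED_FOR_DELEGATION
)

# Constructed sample accounts (hypothetical domain corp.example).
SAMPLE_ACCOUNTS = [
    # A domain controller: 0x82000 (532480) is the default for DC computer objects.
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,
     "servicePrincipalName": ["HOST/dc01.corp.example", "ldap/dc01.corp.example"]},
    # A member server someone trusted for delegation to any service.
    {"sAMAccountName": "APP01$", "userAccountControl": 0x81000,
     "servicePrincipalName": ["HOST/app01.corp.example", "HTTP/app01.corp.example"]},
    # A member server with constrained delegation (protocol transition) instead.
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1001000,
     "servicePrincipalName": ["HOST/web01.corp.example"]},
    # A user account with unconstrained delegation (rare, but it happens).
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x80200,
     "servicePrincipalName": ["MSSQLSvc/legacy.corp.example:1433"]},
    # A domain admin marked sensitive: the client will never forward its TGT.
    {"sAMAccountName": "da.alice", "userAccountControl": 0x100200,
     "servicePrincipalName": []},
    # The ordinary user our implant runs as.
    {"sAMAccountName": "j.doe", "userAccountControl": 0x200,
     "servicePrincipalName": []},
]


def matches_bitand(uac, mask):
    """What the 1.2.840.113556.1.4.803 matching rule evaluates: all bits of mask are set."""
    return uac & mask == mask


def delegation_kind(uac):
    """'unconstrained', 'constrained-protocol-transition' or 'none' for a UAC value."""
    if matches_bitand(uac, UF_TRUSTED_FOR_DELEGATION):
        return "unconstrained"
    if matches_bitand(uac, UF_TRUSTED_TO_AUTH_FOR_DELEGATION):
        return "constrained-protocol-transition"
    return "none"


def tgt_can_be_forwarded(uac):
    """False for accounts marked 'sensitive and cannot be delegated'.

    Membership in Protected Users has the same effect but is a group, not a UAC
    bit, and a client running Credential Guard refuses to forward the TGT
    regardless of this flag; neither of those is visible in userAccountControl.
    """
    return not matches_bitand(uac, UF_NOT_DELEGATED)


def unconstrained_targets(accounts):
    """Accounts usable as the SPN target for the TGT trick, with their SPNs.

    HOST/ SPNs are listed first because HOST/ (or CIFS/, which HOST covers on
    a DC) is what the diary uses as the target.
    """
    targets = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if delegation_kind(uac) != "unconstrained":
            continue
        spns = sorted(acct["servicePrincipalName"],
                      key=lambda s: not s.upper().startswith("HOST/"))
        targets.append({"name": acct["sAMAccountName"],
                        "is_dc": bool(uac & UF_SERVER_TRUST_ACCOUNT),
                        "spns": spns})
    return targets


if __name__ == "__main__":
    print("LDAP filter:", LDAP_FILTER_UNCONSTRAINED)
    for t in unconstrained_targets(SAMPLE_ACCOUNTS):
        print("%-12s dc=%-5s spns=%s" % (t["name"], t["is_dc"], ", ".join(t["spns"])))
    for acct in SAMPLE_ACCOUNTS:
        if not tgt_can_be_forwarded(acct["userAccountControl"]):
            print("%s: TGT will not be forwarded (sensitive account)" % acct["sAMAccountName"])
```

Run against a real domain, the same classification applies to the userAccountControl values returned by the LDAP filter; a DC with the default value 532480 will always show up as an unconstrained target.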

Credential Guard

By fetching a TGT we can now do a number of other things, including relaying traffic through a SOCKS proxy. So in a recent engagement I tried to do this, but every single attempt failed: the AP-REQ the BOF obtained never contained a TGT, even though the target service was indeed configured for unconstrained delegation and the account used was not marked as "Account is sensitive and cannot be delegated".

In other words, an AP-REQ was indeed produced, but its authenticator did not contain our TGT. What could cause this?

After some time and research, it turned out that the reason for this was Credential Guard, which was enabled on the client machine.

Among the other (great) security features that Credential Guard brings, one that matters for this particular attack (or abuse) is that Credential Guard completely blocks Kerberos unconstrained delegation on the client: the Kerberos client will not forward the user's TGT to any service, which stops us from extracting it (and will break any application that relies on unconstrained delegation as well!).

Besides this, Credential Guard also blocks NTLMv1 completely, and there are a number of other nice security controls it adds, as listed at https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/

Test and enable!

In the engagements I do, I still do not see Credential Guard enabled in many enterprises. No wonder, since it can break some things; however, as Microsoft now enables Credential Guard by default on Windows 11 22H2 and Windows Server 2025 (on devices that meet its hardware requirements), it is definitely worth checking whether your organization is ready for wide adoption of it. It will not stop every attack, but every single step helps!

Thanks to my team members Luka, Neven, Fran and Mislav for debugging! In an RT you need a team!

Bojan
@bojanz
@bojanz.bsky.social
INFIGO IS

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

From a Regular Infostealer to its Obfuscated Version, (Sat, Nov 30th)

This post was originally published on this site

There are many malicious scripts available on the Internet. Github has plenty of info stealers and RATs made available "for testing or research purposes". Here is one that I found recently: Trap-Stealer[1]. Often those scripts are pretty well obfuscated to pass through security controls and make security analysts' lives harder. Let's review a practical example.

Quickie: Mass BASE64 Decoding, (Fri, Nov 29th)

This post was originally published on this site

I was asked how one can decode a bunch of BASE64 encoded IOCs with my tools.

I'm going to illustrate my method using the phishing SVG samples I found on VirusTotal (see "Increase In Phishing SVG Attachments").

In these phishing SVG files, the victim's email address is encoded in BASE64:

With grep, I can select all these lines with BASE64 encoded email addresses:

Then I can pipe this into base64dump.py, my tool to handle BASE64 (and other encodings):

You can see the email address in the "Decoded" column (they are redacted to protect the victims).

To get just this info (decoded email addresses), you can use option -s a to select all decoded items, and option -d to dump the decoded values to stdout, like this:

The problem now is that all email addresses are concatenated together. To add a newline (or carriage return plus newline on Windows) after each email address, use option -s A (uppercase a):
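The grep | base64dump.py pipeline described above, reimplemented in plain Python as an added example (this is not base64dump.py or any of Didier's tools). The two SVG files are constructed samples with made-up addresses, not VirusTotal samples; the script keeps only the lines carrying the payload, decodes every BASE64 run on them, drops runs that are valid BASE64 but decode to binary junk, and returns one decoded address per hit so they can be printed one per line instead of concatenated.

```python
"""Mass-decode BASE64 strings found in a set of (constructed) phishing SVG files.

Added example; not base64dump.py. Sample files and addresses are made up.
"""
import base64
import binascii
import re

# Constructed sample files standing in for the phishing SVG attachments.
# Each carries the "victim" address as a BASE64 literal passed to atob().
SAMPLE_FILES = {
    "sample1.svg": (
        '<svg xmlns="http://www.w3.org/2000/svg">\n'
        '<path d="M0 0h24v24H0z"/>\n'
        '<script id="abcdef1234567890abcdef">var e=atob("dmljdGltQGV4YW1wbGUuY29t");</script>\n'
        "</svg>\n"
    ),
    "sample2.svg": (
        '<svg xmlns="http://www.w3.org/2000/svg">\n'
        "<script>window.location=\"https://phish.invalid/?u=\"+atob('Ym9iQGNvcnAuZXhhbXBsZQ==');</script>\n"
        "</svg>\n"
    ),
}

# A run of at least 16 BASE64 alphabet characters, with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def grep_lines(text, needle="atob("):
    """Step 1 (the grep): keep only the lines that carry the encoded payload."""
    return [line for line in text.splitlines() if needle in line]


def decode_runs(line):
    """Step 2 (the base64dump.py part): every BASE64 run on the line that decodes
    to printable ASCII, as (encoded, decoded) pairs.

    Runs that are valid BASE64 but decode to non-text (the hex-looking id
    attribute in the sample) are dropped, as are runs with an impossible length.
    """
    found = []
    for m in B64_RUN.finditer(line):
        token = m.group(0)
        core = token.rstrip("=")
        padded = core + "=" * (-len(core) % 4)   # restore missing padding
        try:
            decoded = base64.b64decode(padded, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            found.append((token, decoded))
    return found


def decoded_values(files):
    """Step 3: one (file, decoded value) per hit, in file order; this is the list
    that gets printed one item per line rather than run together."""
    out = []
    for name, text in files.items():
        for line in grep_lines(text):
            for _token, value in decode_runs(line):
                out.append((name, value))
    return out


def decoded_emails(files):
    """Only the hits that look like email addresses."""
    return [(n, v) for n, v in decoded_values(files) if EMAIL.match(v)]


if __name__ == "__main__":
    # One address per line, not concatenated.
    for name, addr in decoded_emails(SAMPLE_FILES):
        print("%s\t%s" % (name, addr))
```

Replace SAMPLE_FILES with the contents of real files and the needle with whatever marks the payload lines in your samples; the printable-ASCII check is what keeps random identifiers that happen to be valid BASE64 out of the output.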


Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.