Undetected Brute force attacks in Microsoft Azure AD.

Hello World!

Recently, security researchers released a PoC (proof-of-concept) exploit that allows username enumeration and password brute-forcing against vulnerable Microsoft Azure servers, more specifically Azure Active Directory. It is able to do this by taking advantage of weaknesses within the Autologon mechanism.

Let’s do a quick breakdown on some of these words here, for those who are unsure –

Exploit – An exploit is something designed to take advantage of one or sometimes multiple weaknesses within a person or a device; however, it is a universal term and not limited to people or computer systems.

Enumeration – Enumeration is the process of identification, categorization and documentation. Here we are using it to refer to username enumeration; in simple terms this means “gathering a list of usernames.” This can be achieved with various methods and, again, isn’t necessarily technical.

Brute-forcing – Let’s take the PIN on a phone, for example: if you have no idea what it might be, but you continue to guess every possible combination until you get it right, you’ve brute-forced it.

Lockout – Not mentioned in the first paragraph, but essential to understanding brute-force attacks, and the simplest mechanism to stop them… Lockouts. Take the phone we brute-forced as an example. In case you’ve never seen what a lockout looks like, try inputting the wrong password/PIN into your phone a few times (not too many, because the lockout will increment up to around 24 hours). This mechanism detects incorrect input and assumes you are not authorized: should you incorrectly input your username/password multiple times, you will be blocked from further attempts for X amount of time. (And there should be a log the administrators can see that shows ALL successful/unsuccessful attempts and provides further info.)
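For the geeks, here is what that lockout mechanism looks like in code. This is an added example written for this post, not code from Microsoft or from the researchers; the threshold of three failures, the 30 second starting lockout and the doubling rule are assumptions chosen for illustration (the 24 hour cap mirrors the phone example above), and the user store is a constructed stand-in.

```python
# Added example: a per-account lockout policy with an audit log that records
# every attempt, successful or not. Thresholds are assumptions for illustration.
from dataclasses import dataclass, field

MAX_FAILURES = 3          # failures allowed before a lockout starts (assumed)
BASE_LOCKOUT = 30         # seconds for the first lockout (assumed)
MAX_LOCKOUT = 24 * 3600   # lockouts double each time, capped at about 24 hours

# Constructed credential store (username -> password). Plaintext only to keep the
# example short; a real system stores salted password hashes.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class AccountState:
    failures: int = 0        # consecutive failures since the last success/lockout
    locked_until: float = 0  # epoch-style timestamp; 0 means not locked
    lockouts: int = 0        # how many lockouts so far, drives the doubling


@dataclass
class Authenticator:
    states: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def attempt(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injected so tests are deterministic."""
        state = self.states.setdefault(username, AccountState())

        # Locked accounts are refused before the password is even checked.
        if now < state.locked_until:
            self._log(now, username, "LOCKED_OUT")
            return "locked"

        if USERS.get(username) == password:
            state.failures = 0
            self._log(now, username, "SUCCESS")
            return "ok"

        state.failures += 1
        self._log(now, username, "FAILURE")
        if state.failures >= MAX_FAILURES:
            # Exponential back-off: 30s, 60s, 120s ... up to the cap.
            duration = min(BASE_LOCKOUT * 2 ** state.lockouts, MAX_LOCKOUT)
            state.lockouts += 1
            state.failures = 0
            state.locked_until = now + duration
            self._log(now, username, f"LOCKOUT_START duration={duration}s")
        return "denied"

    def _log(self, now: float, username: str, event: str) -> None:
        # Every attempt is recorded so administrators can see the full picture.
        self.audit_log.append(f"t={now:.0f} user={username} {event}")


if __name__ == "__main__":
    auth = Authenticator()
    for t, pw in enumerate(["wrong", "wrong", "wrong", "correct horse battery staple"]):
        print(t, auth.attempt("alice", pw, t))
    print("\n".join(auth.audit_log))
```

Note that the counter is per account. That is exactly why the password spraying described later in this post is so effective: one guess against each of a thousand accounts never trips a three-failure lockout on any of them, which is why the audit log matters as much as the lockout itself.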

Active Directory – I took this one from techterms.com as Active Directory and Azure Active directory are a lot to take in and I really don’t want to scare non-technical users with lots of different names to remember, click the link and it’ll show more information, but still only scratches the surface.

“Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network. It is a primary feature of Windows Server, an operating system that runs both local and Internet-based servers. Active Directory allows network administrators to create and manage domains, users, and objects within a network. For example, an admin can create a group of users and give them specific access privileges to certain directories on the server. As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level.”

Azure – Azure is Microsoft’s cloud platform; it’s what AWS is to Amazon. Essentially, cloud means off-site, however there are many different models in use, such as SaaS and PaaS. Attackers use the cloud too, and have been seen operating RaaS (Ransomware as a Service).

“This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory (Azure AD) without generating sign-in events in the targeted organization’s tenant,” researchers from Secureworks Counter Threat Unit (CTU) said in a report published on Wednesday.

It would appear that this vulnerability affects Office clients older than the Office 2013 May 2015 update; it also seems that these older versions do not use Kerberos. Instead, in order to carry out authentication, a password-based endpoint called “UserNameMixed” is used, which generates either an access token or an error code based on the input from the user.

So here’s the problem, and we will come back to where Autologon plays a role in this… Whilst successful sign-ins generate logs when the access tokens are sent, authentication from Autologon to Azure AD is not logged. This allows attackers to leverage that gap in the logging in order to carry out password spraying/brute-force attacks without generating logs. (Password spraying is a type of brute-forcing but involves more educated guessing, for example trying the known default credentials for admin accounts, or using usernames found elsewhere in an attack to really cut down the number of attempts needed. Sometimes this is used to brute-force just one field, where the other is known and held constant.)
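To make the spraying/brute-force distinction concrete, here is an added example (my own illustration for this post, not code from the Secureworks research) that sorts failed sign-ins by source into “spray” (one guess across many accounts), “brute force” (many guesses against one account) or “normal”. The sign-in records, the IP addresses (documentation ranges) and the thresholds are all constructed; in the real Autologon case these events would never reach your logs, which is the whole point of the bug.

```python
# Added example: telling password spraying apart from classic brute force in
# sign-in records. Events, addresses and thresholds are constructed for illustration.
from collections import defaultdict

# Constructed sign-in events: (timestamp_seconds, source_ip, username, outcome)
EVENTS = [
    # one source, one guess per account across many accounts -> spray
    (0, "198.51.100.7", "alice", "fail"),
    (1, "198.51.100.7", "bob", "fail"),
    (2, "198.51.100.7", "carol", "fail"),
    (3, "198.51.100.7", "dave", "fail"),
    (4, "198.51.100.7", "erin", "fail"),
    # one source hammering a single account -> brute force
    (0, "198.51.100.9", "admin", "fail"),
    (1, "198.51.100.9", "admin", "fail"),
    (2, "198.51.100.9", "admin", "fail"),
    (3, "198.51.100.9", "admin", "fail"),
    (4, "198.51.100.9", "admin", "fail"),
    # a real user mistyping once, then getting in
    (5, "192.0.2.10", "frank", "fail"),
    (6, "192.0.2.10", "frank", "success"),
]

SPRAY_MIN_USERS = 4   # distinct accounts failed from one source (assumed threshold)
BRUTE_MIN_FAILS = 4   # failures against a single account from one source (assumed)
WINDOW = 60           # seconds, measured from a source's first failure (assumed)


def classify_sources(events, window=WINDOW):
    """Return {source_ip: 'spray' | 'brute_force' | 'normal'} for failures inside one window."""
    by_source = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "fail":
            by_source[ip].append((ts, user))

    verdicts = {}
    for ip, fails in by_source.items():
        fails.sort()
        start = fails[0][0]
        in_window = [user for ts, user in fails if ts - start <= window]
        distinct_users = len(set(in_window))
        worst_single_account = max(in_window.count(u) for u in set(in_window))

        # A spray spreads failures thinly across many accounts, so a per-account
        # lockout never fires; only the per-source view reveals it.
        if distinct_users >= SPRAY_MIN_USERS:
            verdicts[ip] = "spray"
        elif worst_single_account >= BRUTE_MIN_FAILS:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(EVENTS).items():
        print(f"{ip:15} {verdict}")
```

The two rules are deliberately simple: a single brute-forced account is caught by the lockout counter, whereas a spray only shows up when you count distinct accounts per source, which is the view a lockout never has.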

Finally let’s see how the vendor responded… “Secureworks said it notified Microsoft of the issue on June 29, only for Microsoft to acknowledge the behaviour on July 21 as “by design.” ” Oh okay! Ambiguous and puzzling… nothing new here.

Sources: https://arstechnica.com/information-technology/2021/09/poc-exploit-released-for-azure-ad-brute-force-bug-heres-what-to-do/ https://thehackernews.com/2021/09/new-azure-ad-bug-lets-hackers-brute.html

Operation Layover – Attack campaign against Aviation sector uncovered.

Hello World!

I wanted to take a look at a recent phishing campaign that was uncovered after being active for roughly two years, interesting for me as I have studied Aviation operations in the past and have good knowledge of their procedures and practices.

So let’s see what we know about this threat actor… They are suspected to be operating out of Nigeria, and from what we can gather aren’t very technically skilled. A quote from the Microsoft Security Intelligence team, who first released research on these attacks in May 2021, talks of a “dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT.”

Okay! So what’s a RAT? A RAT, or Remote Access Trojan, is another form of computer malware, a cousin of the computer virus and brother of the rootkit. This program acts as a backdoor to the victim’s device; it will then establish communications with a command-and-control server, from which it receives further instructions from the attackers. This communication could be to upload further malware such as a rootkit or crypto locker, and/or to exfiltrate data and information from the victim and hold it for ransom. (However, a sophisticated attacker might first look for privilege escalation and then pivot to a machine that hosts something like… Hmm, anything really, a database for example. Or if your team is having a really bad day, they might even get into your backups if you haven’t taken the necessary steps to store those backups off-site and on tape, as well as following your organisation’s guidelines… and put simply, you can’t restore if the backups are f****ed.)

To read from the Cisco TALOS post here: researchers Tiago Pereira and Vitor Ventura said, “The actor also buys the crypters that allow the usage of such malware without being detected, throughout the years it has used several different cryptors, mostly bought on online forums.” Now this is a tactic that’s become more prevalent over the last few years with less skilled threat actors, who often lack the programming knowledge to create malware or, in some cases, even to edit it. Using a different crypter, format or language will change the resulting file (in some cases actors have just taken malware, switched it to another language, compiled it and boom). This isn’t a magical bypass by any means, but our signature-based security devices will fail to recognize the threat and take action; to cope with this we would need a way to canonicalize the data, and ultimately we lack that ability.

Our signature-based security devices look for known signatures given off by documented malware; this could be anything from known IP addresses of command-and-control servers and known malicious domain names to a SHA256 hash of a known malicious file. It’s in the latter where changing one single character will change the hash completely and render this form of security ineffective until it is given the new intelligence. However, this is where other forms of security device would pick up and identify the threat, a reminder to layer your security… but not to over-complicate things.
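Here is that point in working code, as an added example for this post (not from TALOS or Microsoft). The “malicious” file, the variant with one byte changed, the indicator feed and the proxy log lines are all constructed; the domain and IP are documentation placeholders, not real campaign infrastructure. It shows the file-hash indicator failing on the variant while the network indicators from the same campaign still fire, which is the layering argument above.

```python
# Added example: a tiny signature matcher showing why a file-hash indicator
# breaks on a one-byte change while network indicators still match.
# Sample payload, indicators and log lines are all constructed.
import hashlib

# Constructed payload standing in for a known-malicious file.
KNOWN_SAMPLE = b"MZ\x90\x00example-payload-v1"

# Constructed indicator feed, the kind a signature-based device is loaded with.
# 203.0.113.0/24 and .test are reserved for documentation, so nothing here is real.
INDICATORS = {
    "sha256": {hashlib.sha256(KNOWN_SAMPLE).hexdigest()},
    "domain": {"update-check.example-bad.test"},
    "ip": {"203.0.113.42"},
}

# The "re-crypted" variant: identical payload, last byte changed from '1' to '2'.
VARIANT = KNOWN_SAMPLE[:-1] + b"2"

# Constructed proxy log lines from the same infection.
LOG_LINES = [
    "2021-09-20T10:01:02Z CONNECT update-check.example-bad.test:443 from 10.0.0.5",
    "2021-09-20T10:01:05Z CONNECT 203.0.113.42:8080 from 10.0.0.5",
    "2021-09-20T10:02:00Z CONNECT www.example.com:443 from 10.0.0.5",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_file(data: bytes) -> bool:
    """Hash signature: fires only on a byte-for-byte identical file."""
    return sha256_hex(data) in INDICATORS["sha256"]


def match_log_line(line: str) -> list:
    """Network signatures: return which indicator types fire on one log line."""
    hits = []
    if any(domain in line for domain in INDICATORS["domain"]):
        hits.append("domain")
    if any(ip in line for ip in INDICATORS["ip"]):
        hits.append("ip")
    return hits


def differing_hex_digits(a: str, b: str) -> int:
    """How many of the 64 hex digits differ between two SHA256 values (avalanche effect)."""
    return sum(x != y for x, y in zip(a, b))


def scan(files, lines) -> dict:
    """Run both layers and report per-file and per-line results."""
    return {
        "file_hits": [match_file(f) for f in files],
        "log_hits": [match_log_line(line) for line in lines],
    }


if __name__ == "__main__":
    print("original hash :", sha256_hex(KNOWN_SAMPLE))
    print("variant hash  :", sha256_hex(VARIANT))
    print("digits changed:", differing_hex_digits(sha256_hex(KNOWN_SAMPLE), sha256_hex(VARIANT)))
    print(scan([KNOWN_SAMPLE, VARIANT], LOG_LINES))
```

A single byte of difference flips most of the 64 hex digits of the hash, so the hash layer sees nothing. The domain and IP layers are indifferent to how the file was packed, which is why the cheap re-crypting tactic in this campaign is not a magical bypass of a layered setup.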

So, we’ve covered the geeky stuff about what’s going on here. Now for the heart of this campaign which is less geeky and probably a familiar sight to any security staff… The vector of attack? Social Engineering.

In this case it was a spear-phishing campaign. The emails aren’t anything fancy, just very legitimate-looking, as you would expect from pretty much any spear-phishing campaign, as they tend to be the hardest to spot. It was through these phishing emails that the victim would be prompted to install (a disguised version of) the remote access trojan, as shown by the email at the beginning of my post.

Source: https://thehackernews.com/2021/09/malware-attack-on-aviation-sector.html

Another Google Chrome patch…

Hello World!

So for those who aren’t aware of what exactly a 0-day is, let me give you the briefest definition I can form… Essentially a bug that has just been found (the term is also used to refer to something that hasn’t been found… yet). Well, a new one was just fixed, and Google released an update that will mitigate the issue.

Google Chrome has been subjected to multiple vulnerabilities being exploited in the wild (on the Internet) this year, the most recent one being given the identifier CVE-2021-30563. CVE stands for Common Vulnerabilities and Exposures and allows people to identify and accurately research vulnerabilities.

In all, Google has patched eight Chrome zero-day bugs exploited by attackers in the wild since the start of 2021. Besides CVE-2021-30563, the company previously addressed:

  • CVE-2021-21148 – February 4th, 2021
  • CVE-2021-21166 – March 2nd, 2021
  • CVE-2021-21193 – March 12th, 2021
  • CVE-2021-21220 – April 13th, 2021
  • CVE-2021-21224 – April 20th, 2021
  • CVE-2021-30551 – June 9th, 2021
  • CVE-2021-30554 – June 17th, 2021

The most recent vulnerability “reported by Google Project Zero’s Sergei Glazunov is described as a type confusion bug in V8, Google’s open-source C++-based and high-performance WebAssembly and JavaScript engine.”

So what should you do? Well, all you need to do is open your Chrome browser and enter this into the address bar: chrome://settings/help . This will open the About Chrome page, automatically check for updates and then update your browser (a restart may be required).

“Let’s just pay the ransom” – some unknown CEO

Source: https://www.bleepingcomputer.com/news/security/google-patches-8th-chrome-zero-day-exploited-in-the-wild-this-year/

Massive Ransom… Contingency planning – Food for Thought #2

Hello World!

If you thought I would be talking about the Kaseya supply chain attack, well… If you haven’t read about it yet, do a quick Google, but there is enough out there about it already.

I wanted to talk about contingency plans, well, one particular contingency plan that I feel might be overlooked. I’m talking about solar flares.

What is a solar flare you may ask, well as I don’t study the sun and I assume you don’t either, it is basically a big ejection of charged particles caused by magnetic stress on the sun. Well, one happened a few days ago and it caused a few problems but nothing major. However experts are warning that bigger flares are likely coming the next few months/years, as the sun follows a predictable cycle of magnetic activity.

This event could have drastic effects on the power infrastructure and possibly go so far as to damage electrical components without adequate shielding; however, even at the lower levels it’s enough to cause interference with communications. We are due some big solar storms. A few factors have to fall into place for a “perfect hit” on our planet, but it’s always certain we will be hit by some. It’s quite possible the biggest cybersecurity event in the next few years won’t be caused by a hack, but by a solar flare and its subsequent damage.

“We’re in the stone age of cyber security. Real learning will only come after the 1st major incident.”

Android apps caught stealing Facebook Passwords. Removed from Play store.

Hello World!

Google has recently announced it has removed 9 apps which were harvesting users’ Facebook credentials, estimating this to affect 5.8 million users.

The list of apps is as follows –

  • PIP Photo (>5,000,000 installs)
  • Processing Photo (>500,000 installs)
  • Rubbish Cleaner (>100,000 installs)
  • Horoscope Daily (>100,000 installs)
  • Inwell Fitness (>100,000 installs)
  • App Lock Keep (50,000 installs)
  • Lockit Master (5,000 installs)
  • Horoscope Pi (>1,000 installs)
  • App Lock Manager (10 installs)

The apps were completely functional and the attack was carried out by tricking “victims into logging into their Facebook accounts and hijacking the entered credentials via a piece of JavaScript code received from an adversary-controlled server.”

Effectively these apps were acting as trojan horses, presenting adverts that would make victims do actions required for the communication and hijacking of the Facebook logins. As stated in the source article, whilst this targets Facebook credentials only, there is no limit to what legitimate applications might be targeted by this method in the future.

Google has announced it will require developers on its Play Store platform to use 2-Step Verification (2SV); this will mean that developers basically have to register themselves with Google: who they are, where they live, what they do and so forth… Maybe some mixed feelings here about privacy, but certainly a good step in the way of security.

“Never underestimate a developer with a deadline.”

Source: https://thehackernews.com/2021/07/android-apps-with-58-million-installs.html

Crypto waning in an open-source, eco friendly world.

Hello world!

Nothing particularly important to mention today. Google has patched yet another 0-day vulnerability in its Chrome browser, so updating your browser is an important thing to do. However, crypto prices and “hype” will be today’s topic, as they are increasingly in decline.

Law enforcement is able to track much of the crypto-currency obtained illegally, due to the fact it runs off what’s known as the blockchain. An example website for this would be etherscan.io, which allows you to track payments and transfers made over the Ethereum blockchain. This is likely a minor addition to the factors causing the decline, but lots of criminals are finding out that crypto isn’t “untraceable money that doesn’t exist”, certainly diminishing the hype around it.

Secondly, the eco-friendly world we live in: Bitcoin mining alone (depending on which source you pick) undoubtedly uses more electricity than it should. This only makes governments and corporations more likely to crack down on the crypto world in order to preserve their eco-friendly international image.

Nothing more for now; however, it’s probably not long until another company gets phished and hit with ransomware, so stay tuned!

Credential marketplace shut down by FBI.

Hello world!

This news isn’t the newest but occurred within the past fortnight, so you may have already heard. Slilpp marketplace was a significant marketplace where mostly illegally obtained credentials (emails, phone numbers, passwords etc etc.) were sold freely for nearly 10 years.

“Authorities from four countries shut down an online marketplace where vendors sold more than 80 million stolen login credentials to buyers, who frequently used them to make unauthorized transactions, including wire transfers.” the U.S. Justice Department said last Thursday. Banking credentials were being sold for just $71-$500, maybe a worrying factor for many but don’t fret.

Your bank and their fraud department work their absolute hardest to ensure that even if someone gets one thing correct, there are usually others that they don’t know. It can be easy to harvest information from places such as social media, so you shouldn’t make security questions something that either a lot of people know about you or that you post on the internet… If this is true for you, there’s no shame in it, and the victim-blaming mentality is something for another day. Change it as soon as you can and spread the word to your loved ones to keep them safe too, but don’t worry, there’s a huge team of people working to protect you from things like this… 24 hours a day, 365 days a year.

Whilst this won’t have a significant effect on the criminal world, as another marketplace will just capitalize on the demise of this one… and then get shut down itself in the future, there have been arrests made in connection with the operation of this market. That is a great outcome, as cyber crime can be difficult to prosecute sometimes, mostly if your attackers reside in certain countries that let cybercriminals run free. *insert shady quote about Russian malware*

Remember kids… You need an accurate inventory of your assets before you can think about protecting them.

Source: https://www.occrp.org/en/daily/14624-marketplace-for-stolen-online-credentials-shut-down

Food for thought #1

Hello world!

Today the UK has seen what can only be described as “downtime” with some factor regarding contactless payments, and the speed at which payments were being processed. Being the cyber security geek, one would love to speculate about a “cool” but very uncool cyber attack on the UK’s payment systems. I haven’t found any articles or official tweets, but noticed it today when I went to buy a meal deal and had a brief talk with the security guard about it.

From what I have gathered it bears a similarity to the expected results of a denial-of-service attack; this means that the amount of data being sent is simply too much for the system to handle, and it would have very severe effects if used on certain security systems of ours such as a NIDS (Network Intrusion Detection System). The method would likely be a SYN flood, which is a type of denial-of-service attack (one of my best friends informed me that TCP/UDP floods are more frequent in the current landscape). Anyway, whilst this all sounds super cool (just me?)… My theory is simple, straightforward and doesn’t involve any hackers at all.

It’s been a sunny week in the UK, as we are in the gradual easing of our national lockdown and shops, restaurants, pubs and bars are all open again… It seems possible that some sort of automated (or manual) management system was in place to deal with the amount of traffic it needed to, but not so much that it was wasting energy and money. This would likely have caused the system to get used to that amount of traffic, and recent days have led to a surge in commerce. This being said, not every denial-of-service is an attack.

A denial-of-service, as I described earlier, means that the system is overwhelmed with more traffic than it is either built to take, is expecting to be sent, or is allowed by any controls set by our friendly network admins. But it doesn’t always mean you’re under attack, and I’m sure that the monitoring systems, packet captures and so on would be interpreted in this way and diagnosed correctly before progressing to the next stage of incident response.
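For the geeks, here is the check a NIDS would make to separate my two theories. This is an added example for this post, not code from any real product or from anyone involved in the incident; the packet summaries, addresses (documentation ranges) and thresholds are constructed. A SYN flood leaves a pile of half-open connections from a source that never completes the handshake, whereas a genuine surge in trade is lots of sources that each send a SYN and then finish with an ACK.

```python
# Added example: flagging half-open connection build-up per source from
# constructed TCP flag summaries, and telling it apart from a busy-but-healthy
# surge. Packets, addresses and thresholds are constructed for illustration.
from collections import Counter

HALF_OPEN_THRESHOLD = 5   # SYNs minus handshake ACKs from one source (assumed)
RATE_THRESHOLD = 10       # total SYNs in the sample that count as "busy" (assumed)


def flood_report(packets) -> dict:
    """packets: iterable of (src_ip, dst_port, flags) where flags is e.g. 'S' or 'A'.

    Counts a bare SYN as a connection being opened and a bare ACK as the client
    completing the three-way handshake. Data packets ('PA' etc.) are ignored.
    """
    syn = Counter()
    ack = Counter()
    for src, _port, flags in packets:
        if "S" in flags and "A" not in flags:
            syn[src] += 1
        elif "A" in flags and "S" not in flags and "P" not in flags:
            ack[src] += 1

    # Half-open = opened but never completed; clamp so stray ACKs can't go negative.
    half_open = {src: max(0, syn[src] - ack[src]) for src in syn}
    suspects = sorted(src for src, n in half_open.items() if n >= HALF_OPEN_THRESHOLD)
    total_syn = sum(syn.values())

    if suspects:
        verdict = "syn_flood"
    elif total_syn >= RATE_THRESHOLD:
        verdict = "legitimate_surge"   # busy, but everyone finishes their handshake
    else:
        verdict = "quiet"
    return {"verdict": verdict, "suspects": suspects, "total_syn": total_syn}


# Constructed scenario 1: one source spraying SYNs and never answering,
# plus one normal client completing its handshake.
FLOOD = [("203.0.113.5", 443, "S")] * 8 + [
    ("192.0.2.20", 443, "S"),
    ("192.0.2.20", 443, "A"),
]

# Constructed scenario 2: twelve different shoppers, each opening and
# completing one connection. High rate, zero half-open connections.
SURGE = [(f"192.0.2.{i}", 443, flags) for i in range(1, 13) for flags in ("S", "A")]


if __name__ == "__main__":
    print("flood :", flood_report(FLOOD))
    print("surge :", flood_report(SURGE))
```

The surge case is the one that matches my sunny-week theory: the box is busier than it was sized for, but nobody is misbehaving, which is exactly the distinction packet captures let you make before anyone declares an incident.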

Patch your shit!

Hello World!

Hello World!

My name is Aaron, and ever since I was an eleven-year-old boy I have dreamt of being what you would call a “hacker”. Personally, whilst this does ring true, I would much prefer the title of Security Researcher. Over the last couple of years or so I have been re-discovering my passion for Information Security and feel that it is really what I want to do with my life. I have the dream of being one of the NCSC leads in 25-35 years and will work hard to make my dream come true.

I want to share important information and keep people updated about things that will affect them, and share my own viewpoints with those interested in what I have to say. If computers aren’t your thing, or you don’t want to learn about them, feel free to find a blog that you can relate to and enjoy to your heart’s content.

If you know my type then you’ll know this blog isn’t going to be personal or include details about my life; it’s purely to inform others about cyber-security and the growing number of threats that everybody faces in our digital world. I will also be sharing my views on tools, education, current events and everything to do with cyber-security, and don’t worry if you’re scared by the idea, I will make sure to explain everything to the best extent I can, in a way everyone can understand. However, for the geeks I will get technical when discussing some things that are relevant, but will provide annotations where possible for others.

I hope that this blog is going to help people learn and become more aware of the challenges we all face, in a world of ever-increasing reliance on our computer systems and a growing number of scams and con-artists aiming to take advantage of people at their most vulnerable. There are what you would know as (though I don’t really like this… generalization) white hat hackers, grey hat hackers and red hat hackers fighting back against the wrongdoers… And the best way we can all stay secure is through the education of others.