SecPro #10: SASE How to, “Charming Kitten”, Finding DOM Polyglot XSS, SecPro Rewards!
In this Issue:
- Transforming Network Security with SASE
- How to Perform a Network Vulnerability Assessment using Nmap
- Charming Kitten: 9 Lives of a Nation-State Attacker
- Finding DOM Polyglot XSS
- What’s Observability and Why it Matters
- Resources and Tools
Special thanks to expert creators Scott Arenson and Glen D. Singh for helping develop this issue!
Cloud Network Security
Transforming Network Security with SASE
Today, more data, applications, workloads are living in the cloud than in on-prem company data centers. At the same time, mobile and remote users depend heavily on SaaS solutions to get their work done. And the need for network security is now greater than ever with the expectation that IT admins deliver high-availability services, globally and at scale.
Yet traditional on-premises network security solutions have never been easy to deploy or secure. They are expensive and require networking security expertise to maintain service levels, keep users safe and hackers at bay.
For organizations to maintain a strong security posture, they must be able to deploy network services securely for all resources and users, both on-prem and in the cloud, anywhere and at any time. This seemingly complex problem is now solvable with SASE (pronounced “Sassy”) or Secure Access Service Edge solutions.
SASE combines software-defined wide-area networking (SD-WAN) technology with cloud-delivered network security services such as a Cloud Access Security Broker (CASB), Firewall as a Service (FWaaS), and Zero Trust Network Access (ZTNA).
“SASE capabilities are delivered as a service-based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems, or edge computing locations,” says Gartner, inventor of the concept.
SASE Identity-centric Architecture
Vendors that offer SASE solutions vary. Some SD-WAN vendors have added SASE security features to their SD-WAN technology while others like Palo Alto Networks have developed a tightly integrated and comprehensive solution. SASE technologies include Data Loss Prevention, DNS Protection and Traffic Shaping to SaaS Acceleration, QoS and Software-Defined Perimeter technology. Not every vendor offers every single SASE technology, however. What would be considered “core” SASE solutions include:
- SD-WAN
- Zero Trust Network Access (ZTNA)
- Firewall as a Service
- Cloud Access Security Broker
- Secure Web Gateway
- DNS Filtering
- Encrypted Tunneling
- Cloud Sandboxing
When deploying a SASE solution, Perimeter 81 says that organizations don’t necessarily need to deploy SASE technologies all at once. Companies can begin with Zero Trust services, for instance, and then scale up as needed. Moreover, the company says that due to COVID-19, many SD-WAN deployments are on hold as businesses are enabling SASE to quickly secure their remote workforces in the same way that they subscribe to apps and subscription services.
SASE doesn’t offer new technologies but it does leverage existing security and networking solutions that any company, both small or large, can deploy to improve its security posture.
- The Future of Network Security is in the Cloud
- SASE Surge: Why the Market Is Poised to Grow
- How to Implement Secure Access Service Edge (SASE) in 6 Steps
Offensive Security: “Charming Kitten” – 9 Lives of a Nation-State Attacker
Small mistakes can have big consequences for hackers.
Case in point: Guccifer 2.0, the hacker who took credit for providing U.S. Democratic National Committee emails to WikiLeaks, was identified as a Russian military intelligence officer (GRU) after failing to activate a VPN when logging into a social media account. This mistake enabled US investigators to link the persona to a Moscow IP address, and then directly to GRU headquarters.
In an upcoming talk at this year’s Black Hat Conference titled The Kitten that Charmed Me: The 9 Lives of a Nation-State Attacker, IBM X-Force researchers will reveal how a Charming Kitten operator set up a machine and various personas (hence 9 lives) to run offensive operations and steal data.
Charming Kitten, also known as APT35, Phosphorus, Ajax Security, and NewsBeef is an Iranian government cyber warfare group and identified as an advanced persistent threat (APT). Charming Kitten conducts spear-phishing attacks most likely for cyber espionage purposes. In 2014, The first Charming Kitten TTPs were creating fake news domains and personas for spear-phishing campaigns. These same TTPs are the foundation of Charming Kitten’s operations and remain that way today,
The group has a history of hacking journalists, a Nuclear scientist, researchers involved in COVID-19 vaccine development, and even HBO leading to the leaking of unaired Game of Thrones episodes.
The IBM X-Force team found an infrastructure error that ultimately enabled them to access a Charming Kitten operator’s server.
“When we saw this open server, we collected videos and stole information,” says Allison Wikoff, a senior IBM threat analyst. “In the last 18 months, we’ve been getting the same errors from this group on a continuous basis.”
Researchers were also able to obtain a training video that showed how to configure compromised email accounts and maintain access and steal data.
A 2021 RAND Corporation study using MITRE’s ATT&CK framework modeled the group’s techniques.
ClearSky CyberSecurity has detailed Charming Kitten impersonation attack vectors such as a message pretending to be from a research colleague or researcher with a link to a Google Site. If the victim downloads the file, their credentials will be compromised.
Other attacks favored by Charming Kitten include SMS message phishing, login alert messages, social network impersonation, and digital infrastructure attacks.
- ‘Charming Kitten’ APT Siphons Intel From Mid-East Scholars
- A Brief OSINT Analysis of Charming Kitten IoCs
- APT35 ‘Charming Kitten’ discovered in a pre-infected environment
Web App Security: Finding DOM Polyglot XSS
Finding DOM Polyglot XSS: Finding DOM-based XSS vulnerabilities is tough when they can be scattered across thousands or millions of lines of code. According to OWASP, “DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client-side script so that the client-side code runs in an “unexpected” manner.”
DOM XSS vulnerabilities occur when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users’ accounts, says PortSwigger.
Finding DOM Polyglot XSS: Defending against DOM-based XSS attacks means checking that your JavaScript code does not incorrectly interpret URI fragments. There are a number of ways to do this including the use of a JavaScript Framework such as AngularJS and React, detecting unsafe code using development tools, and implementing a content security policy (CSP).
Researcher Gareth Heyes found an interesting polyglot DOM XSS affecting PayPal. In his post, he’ll take you from the initial discovery to using unintended script gadgets to bypass allow list-based content security policies.
PortSwigger recently introduced DOM Invader to help solve the problem of Finding DOM Polyglot XSS via their Burp Suite tool. Offered as a free add-in for their Burp Suite Community Edition, DOM Invader is deployed as an extension in the embedded browser.
Burp Suite is developed in tandem with PortSwigger Research. Their security research team constantly discovers new vulnerabilities and zero-day threats making Burp Suite one of the most used web security tools on the market.
More on Finding DOM Polyglot XSS…
- Burp Suite – Kali Tools
- Make Burp Community feel a little more like Burp Professional
- Introducing DOM Invader: DOM XSS just got a whole lot easier to find
Network Security: Performing a Network Vulnerability Assessment using Nmap
A vulnerability assessment allows cybersecurity professionals such as ethical hackers, penetration testers, and even system engineers to identify the number of security weaknesses which exist within their organization. Vulnerability assessment does not only help discover security flaws on a system but also helps professionals to determine the vulnerability score and risk factors. This information can help you to allocate resources to resolve higher priority risks quickly and prevent potential cyber-attacks and threats.
The Nmap Scripting Engine (NSE) is a powerful component of Nmap that allows creating special scripts to automate special scans and even use existing scripts within the Nmap Scripting Engine (NSE) to find security vulnerabilities.
To get started with Nmap, use the following steps:
- Head over to https://nmap.org/download.html and download the Nmap version suitable for your operating system, whether you’re running Windows, Linux, or MAC OS. Keep in mind, Nmap uses a command-line interface (CLI) by default.
- If you’re installing Nmap on a Windows host computer, the graphical user interface (GUI) version of Nmap is also installed automatically, this version is called Zenmap. It has similar capabilities as its CLI counterpart.
- Additionally, if you’re an ethical hacker or penetration tester, you’re most likely using Kali Linux. The best thing about Kali Linux is that it has Nmap pre-installed ready to be used.
Getting Started
Use the following commands on Kali Linux or your OS of choice to perform a scan to identify the operating system of a host machine:
kali@kali:~$ nmap -A -p-
This allows Nmap to profile the target, providing us with the operating system version, all open ports, their service versions, and basic script scanning.
We now need to perform research on the service versions found on each open port. Let’s take the service version of the FTP service, which is vsftpd 2.3.4 to search on Google for known vulnerabilities and exploits.
As shown in the above screenshot, with a little research using the service versions of open ports, you can quickly determine the security vulnerabilities on the running service.
Furthermore, you can invoke the Nmap Scripting Engine (NSE) which contains a ton of pre-built scripts for specific vulnerabilities on a system. Visit https://nmap.org/nsedoc/ to see a list of all the NSE scripts, their description, and categories. To perform a scan using a script with NSE, use the following syntax:
nmap –script script-name target-IP-address
Below is an example of a vulnerability scan on a target to determine whether a vsFTPd 2.3.4 is an actual vulnerability to allow backdoor access if exploited by a threat actor:
nmap –script ftp-vsftpd-backdoor 172.30.1.26
The following snippet shows the results of this scan:
NSE was able to send special network probes to the target and was able to determine if a vulnerability really existed within the running application of the target.
While there are hundreds of scripts to choose from within NSE, you can use NSE to execute all the scripts of a particular category. All necessary scripts for vulnerability detection can be found at https://nmap.org/nsedoc/categories/vuln.html. If you want to use all the scripts within the list on single or multiple targets, you can simply specify the entire category by using the following commands:
nmap –script vuln 172.30.1.26
The scan will take a bit longer time to complete as Nmap tests the target against each script within the vulnerability category. The final result of the scan will display the vulnerabilities found and which script from the list was a reference to discover the security flaw on the target as shown below:
I hope you found this article useful and understood how to use Nmap to perform a vulnerability scan and assessment on systems within an organization’s network.
Disclaimer: Do not perform scans on systems or networks which you do own or have legal permissions to do so. Scanning is considered to be both intrusive and illegal without proper permission.
DevSecOps: What’s Observability and Why it Matters
As organizations continue to shift their IT resources and application development efforts to the cloud, the need to monitor and manage security within complex and interdependent cloud environments is essential.
From a developer’s perspective, the ideal approach to managing this complexity is finding and fixing coding errors and API dependencies before apps are deployed to production. This includes eliminating configuration errors, security vulnerabilities, and privacy and compliance risks all before going live. The end goal is to gain real-time intelligence on application performance and fix security issues first.
The typical development approach to understanding application intelligence is to first bring together and analyze application metrics, events, and logs from security, performance, compliance or behavioral insights. Application event streams may include system calls, library calls, network activity, 3rd party APIs, external dependencies, and cloud service consumption data. Most would call this application monitoring and many tools such as AppDynamics, or services from GitHub and GitLab already do this.
Mike Larkin, CTO of DeepFactor writes that “observing an application’s behavior at runtime and ensuring it meets a baseline set of rules for “sane” application behavior is especially important.” He says that although companies like GitHub and GitLab have introduced services such as dependent module vulnerability scanning as part of their offerings, their checks only happen at source code check-in time.
This means that if your code is dynamically importing something from a container’s base image or from the base operating system, some security vulnerabilities may not be detected and could make it to production, warns Larkin. This is a major blind spot.
Eliminating blind spots means that developers must focus on application “observability,” not just monitoring. Observability may sound like application monitoring but it’s not the same thing.
Observability “tells you” what your app is doing during development through a stream of events or alerts that simulate a production environment to eliminate blind spots you may have missed.
According to engineer and blogger, Ernest Mueller “observability is a property of a system. You can monitor a system using various instrumentation, but if the system doesn’t externalize its state well enough that you can figure out what’s actually going on in there, then you’re stuck.”
Observability should proactively answer application security questions about what is happening not only inside a complex cloud application but also about the dependencies across the microservices it may consume and the multi-cloud environments where it lives.
Organizations want to embrace DevSecOps best practices that embed security and observability tools within an application for more context of the overall IT environment, says Ilan Rabinovitch of Datadog.
Datadog Application Security Platform
The company’s recent acquisition of Sqreen will expand the scope of its security and observability services.
- Observability versus Monitoring: Which is Better for DevOps?
- Why observability is the future of systems monitoring
- Rethinking Application Security in the API-First Era
Resources and Tools
- iacsecurity/tool-compare
This repo offers IaC scanning test cases and compares the results from several options: Checkov, Indeni Cloudrail, Kics, Snyk, Tfsec, and Terrascan. - Yor: Automatically tag IaC resources for traceability and auditability
Yor helps security teams trace a security misconfiguration from code to cloud, automates the tedious work of manually tagging cloud resources. - Kaboxer: A tool for managing applications in containers by the Kali Linux team
Kaboxer helps pentesters use older applications that don’t work on modern operating systems, apps that need to run in isolation, and applications that are hard to package properly. - redcanaryco/atomic-red-team
The Atomic Red Team is a library of simple tests that security teams can execute to test their controls using “atomic tests” that exercise the same techniques used by adversaries (all mapped to Mitre’s ATT&CK).