SecPro #44: Running the LAPSUS$ Attack, Risk Profiling, and Assessing Risky Firmware
Hey,
Another week has gone by and the world of cybersecurity has brought even more surprises. This is especially true if you have been following the bizarre legal proceedings around the LAPSUS$ hacking team – not only did teenagers manage to compromise some of the biggest organizations in the world, they did it with social engineering and open-source, easily downloadable tools. If the world’s largest cybersecurity teams fall victim to committed, quick-witted teenagers, what hope is there for the rest of us?
As always, strength in numbers and depth in knowledge are the only way to protect ourselves against the adversary. Whether they are a teenager with a GitHub account or a battle-hardened red teamer gone rogue, shared threat intelligence, reliable patching practices, and secure supply chains will help cybersecurity teams stay ahead of the game.
TL;DR
- How LAPSUS$ Breached Okta (and Why You Should Test Your Own Capabilities)
- How to do Insider Threat or Risk Profiling
- MITRE ATT&CK – T1053: Scheduled Task/Job
- Dell, HP Still Using Risky Firmware Despite Years to Correct This
- Secret Knowledge: Building Your Security Arsenal
Cheers!
Austin from Packt
Attack Analysis: How LAPSUS$ Breached Okta (and Why You Should Test Your Own Capabilities)
By Austin Miller
If you have been following the developments in the Okta and LAPSUS$ cases, you will have noticed that every day seems to bring a new development. That’s certainly true of Bill Demirkapi, who analyzed the leaked Mandiant report of the Sitel breach. The young cybersecurity researcher has come under fire in the past few days for exposing those secrets to the public, leading to him losing his job at Zoom.
In the interest of continued accuracy and to provide a cautionary tale of script kiddies and the damage they can cause, the SecPro has chosen to analyze the tactics, techniques, and procedures (TTPs) used by the hacking group. Due to the resource-light nature of the attack, penetration testing your own systems using the same tools could unearth some interesting (or terrifying!) findings.
Want to read the rest? Click the button below to find the full article.
Threat Hunting: How to do Insider Threat or Risk Profiling
By Ricoh Danielson
I think most of us would agree that it is important to perform insider threat profiling and hunting. Unsurprisingly, our security professionals are in agreement with this too! After all, 91% of confirmed data breaches involved an insider threat or malicious employee. This makes sense, since it only takes one person to make a huge mess out of the organization you work so hard to build!
Do you know why it is important to perform insider threat profiling and hunting?
Have you ever asked yourself why you should perform insider threat profiling and hunting? First, have you ever wondered whether your organization is vulnerable to an insider threat? The answer is more than likely yes. There are many factors that make an organization vulnerable to insider threats. At the core of these vulnerabilities are individuals with malicious intent who have been able to bypass the controls and security measures meant to protect sensitive data.
Want to read the rest? Click the button below to find the full article.
Threat Hunting: MITRE ATT&CK – T1053: Scheduled Task/Job
By Austin Miller
Why do something today when you can put it off until tomorrow?
My grandad gave me many pearls of wisdom when I was younger, but this adage probably stuck with me the most. Of course, if we’re willing to accept that, why not take it to its logical conclusion? Why do something today when I can make the computer do it forever for me?
Scheduling tasks and jobs to run automatically is a godsend for cybersecurity professionals. But just as they have many uses for the good guys, they are also actively employed by the adversary. Using a scheduled task allows the adversary to launch attacks automatically, potentially creating persistence that is difficult for the security team to deal with.
Want to read the rest? Click the button below to find the full article.
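As an added illustration of hunting for T1053 persistence (example code written for this newsletter, not part of the original article or any tool it mentions), the script below checks the Task Scheduler XML that Windows Security Event ID 4698 ("A scheduled task was created") carries in its Task Content field. The three events and their task names are constructed samples, and the heuristics (binaries in user-writable paths, encoded PowerShell, hidden windows) are assumptions about what a defender would want flagged, not rules from the article.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample (task name, Task Content XML) pairs in the shape that
# Security Event ID 4698 records; none of these are real observed events.
SAMPLE_EVENTS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
     "<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>"
     "<Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>"),
    ("\\Updater",
     '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
     "<Actions><Exec><Command>C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"
     "</Command></Exec></Actions></Task>"),
    ("\\OneDriveSync",
     '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
     "<Actions><Exec><Command>powershell.exe</Command>"
     "<Arguments>-w hidden -enc SQBFAFgA</Arguments></Exec></Actions></Task>"),
]

# Heuristics (assumed for this example): where the binary lives and how it is run.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Users\\Public|ProgramData)\\", re.I)
ENCODED_PS = re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


def analyse_task(task_xml):
    """Return the reasons a single task definition looks suspicious (empty if clean)."""
    root = ET.fromstring(task_xml)
    reasons = []
    for exec_node in root.iter(NS + "Exec"):  # one <Exec> per action
        cmd = exec_node.findtext(NS + "Command") or ""
        args = exec_node.findtext(NS + "Arguments") or ""
        if USER_WRITABLE.search(cmd):
            reasons.append("binary in user-writable path: " + cmd)
        if ENCODED_PS.search(args):
            reasons.append("encoded PowerShell command line")
        if HIDDEN_WINDOW.search(args):
            reasons.append("hidden window requested")
    return reasons


def flag_suspicious_tasks(events):
    """Map flagged task names to their reasons; clean tasks are left out."""
    return {name: r for name, xml in events if (r := analyse_task(xml))}


if __name__ == "__main__":
    for name, reasons in flag_suspicious_tasks(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```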
Vulnerability News: Dell, HP Still Using Risky Firmware Despite Years to Correct This
By Austin Miller
A damning report from Binarly has shown that a number of Dell, HP, and other major enterprise vendors have been loading critically vulnerable firmware onto their systems for at least six years. Binarly describes these as “repeatable failures”, and the list of CVEs associated with these vendors is now growing to an incredible size.
The frustrating thing from Binarly’s perspective is that these firmware issues have been included in numerous iterations of the firmware released by Dell and HP. Although these vulnerabilities have been known to many major vendors for years, they are still included in the firmware of some of the most popular products available! Firmware development is dense and difficult to enter, but now that the adversary is looking to exploit these recurring vulnerabilities.
Want to read the rest of this week’s news? Click the button below.
Secret Knowledge: Building Your Security Arsenal
Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.
Threat Detection and Hunting
- DetectionLab – Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices.
- Unfetter – A reference implementation that provides a framework for collecting events (process creation, network connections, Windows Event Logs, etc.) from a client machine and performing CAR analytics to detect potential adversary activity.
- RedHunt-OS – A Virtual Machine for Adversary Emulation and Threat Hunting. RedHunt aims to be a one stop shop for all your threat emulation and threat hunting needs by integrating attacker’s arsenal as well as defender’s toolkit to actively identify the threats in your environment.
- hollows_hunter – Scans all running processes, recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Endpoint Monitoring
- Velociraptor – Endpoint visibility and collection tool
- Kolide Fleet – A flexible control server for osquery fleets
- Zeek Agent – An endpoint monitoring agent that provides host activity to Zeek
Fingerprinting Tools
- HASSH – Profiling Method for SSH Clients and Servers
- FingerprinTLS – A TLS fingerprinting method
- Mercury – Network fingerprinting and packet metadata capture
- RDFP – Zeek Remote desktop fingerprinting script based on FATT (Fingerprint All the Things)
- FATT – A pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic