Cymulate research team updates
- 36 Topics
- 6 Replies
Halloween is on the horizon, but a far spookier threat lurks online, targeting businesses and governments worldwide. I'm talking about the elusive cybercriminal group known as the Silence Group. Let me tell you about their spine-chilling tactics. Emerging in 2016, the Silence Group, also known as Truebot, has been infiltrating networks, spying on operations, and stealing sensitive data and funds. They initiate attacks through phishing, including spear-phishing with malicious attachments, hoodwinking target organizations' employees. They also use remote service exploits to gain initial access. The malicious phishing attachments masquerade as Microsoft Office documents or help files. If opened, they trigger hidden scripts that let the attacker in. Today, the Silence Group's infrastructure includes global command and control capabilities and direct access to compromised servers across the globe. Given this hyper-focused asset bank and capability set, the Silence Group has become a
Our research team has just unveiled a new advanced scenario template for preventing Lateral Movement attack tactics. A detailed description can be found here, but for an immediate snapshot, take a look at the Advanced Scenarios interface on the Cymulate platform.

Preview of the Lateral Movement Template in Action

Begin by setting up an assessment using the Top Lateral Movement Template found under the Advanced Scenario tab. Afterwards, review the results to gain insights into your system's vulnerabilities. Get more information. Get guidance on mitigation strategies. Once you've implemented mitigation measures, you can easily verify their effectiveness by re-running the assessment with just one click.

This Lateral Movement template is part of an ongoing series covering various attack categories. The previous ones explored credential dumping, data exfiltration, and command and control tactics. Being aware of the effectiveness of people, processes, and technology allows organizations
Data leakage, a long-standing cybersecurity concern, has been with us since the dawn of humanity. It is the unintentional or intentional transfer of restricted information into the wrong hands, such as company secrets and Personally Identifiable Information (PII) protected by regulations like HIPAA and GDPR. All industries, regardless of size, have been dealing with this problem, and many attempts have been made to limit or block data leakage, but according to Cymulate's Annual Usage Report they have been unsuccessful. OpenAI's generative AI platform, ChatGPT, has created a human-like AI interface that can answer complex questions accurately and learn from interactions. However, this technology poses a threat to sensitive and confidential data, since users feed the system with information daily, some of which may be PII or company confidential data shared by unaware users. While OpenAI warns against sharing sensitive or confidential data, it is challenging to prevent users from accidentally v
Our research team just published a new advanced scenario template for Command and Control attack tactical steps. A full description is available here, but you can get an immediate preview of how it looks in the Cymulate Advanced Scenarios interface.

Preview of the Command & Control Template in Action

After creating an assessment from the Top Credential Dumping Command & Control Template from the Advanced Scenario tab: Check the results. Get more information. Get mitigation guidance. After mitigation, verify the effectiveness of the implemented mitigation measures at a click by re-running the assessment.

The Command and Control template is the third of an ongoing series of templates covering additional attack categories. The two previous ones were credential dumping executions that lead to gaining an initial foothold through abusing credentials, and data exfiltration executions leading to data theft. Knowing the effectiveness of people, processes, and technology enables or
Cymulate's honeypot network tracked a large volume of exploitation attempts against CVE-2022-27255 (RCE) matching the Suricata signature "ET EXPLOIT Realtek eCos RSDK/MSDK Stack-based Buffer Overflow Attempt Inbound" (ID: 2038669).

CVE-2022-27255 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27255]: In Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1, the SIP ALG function that rewrites SDP data has a stack-based buffer overflow. This allows an attacker to remotely execute code without authentication via a crafted SIP packet that contains malicious SDP data.

We think that these new attacks are related to Infobyte's demonstration at DEF CON of a new vulnerability they found. The POC exploit provided by Infobyte can be found on their GitHub: https://github.com/infobyte/cve-2022-27255/tree/main/exploits_nexxt Their GitHub includes both the analysis (a test to see whether you are vulnerable or not) and the POC of the exploitation. This clearly means that attackers follow all kinds of security confer
Why is this important?
- It accelerates work
- It is the first installment of a series of such templates covering MITRE ATT&CK tactics

The credential dumping template is the first of a series of soon-to-be-available templates covering additional attack categories that come right from what customers are using the Cymulate platform to accomplish. As with the rest of the platform, performing simulations of threat actor actions allows the organization to become proactive in its cybersecurity resiliency.
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. Our team at Cymulate Research strives to stay ahead of the threat curve to provide our customers with relevant breach and attack simulations. This latest template simulates Quantum ransomware.
Quantum ransomware is typically deployed by ransomware affiliates using the initial access provided by the Emotet malware. This malicious software is designed to encrypt data on a computer, making it inaccessible to the owner. Once the data is encrypted, a ransom note is displayed, usually demanding a payment in exchange for a decryption key. Emotet malware is typically delivered through a malicious email attachment or link. Once the malicious file is opened, Emotet is deployed onto the system, allowing the ransomware to be delivered by ransomware affiliates. The ransom message will include instructions for making a payment, usually in the form of a cryptocurrency such as Bitcoin, as well as details on what the payment will provide the victim. Typically, this includes a decryption key that will allow the user to regain access to their data. Our team at Cymulate Research strives to stay ahead of the threat curve to provide our customers with relevant breach and attack simulations. This latest te
Introduction

Thanks to everyone who took part in Cymulate's Capture the Flag (CTF) challenge, "Binushka". The challenge was created for the Black Hat 2022 event, and everyone who solved it was able to claim a prize at Cymulate's Black Hat booth. For anyone who was curious about the full solution, this article will go through it step by step.

The Binushka Challenge (Reversing)

A rule of thumb is that before beginning to solve a CTF challenge, you should check whether the name of the challenge hints at its solution. The name of this one was "Binushka", which can be split into two parts: "bin" and "ushka". The first part of the name is clear: "bin" stands for binary. Another hint is that the name of the file is "bin_bin_bin". The second part of the name, "ushka", is from the second half of the word "babushka". Apart from the literal meaning of "babushka" (grandmother in Russian), there is also a doll called the babushka doll, whose official name is actually the matryoshka doll. The ma
Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage of cyber attacks. Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of malware targeting Ukraine, this time aimed at a large software development company whose software is used in various state organizations within Ukraine. Cisco Talos believes that this campaign is likely sourced by Russian state-sponsored actors or those acting in their interests. As this firm is involved in software development, Cisco Talos assesses that there is a possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack, though at this time Cisco Talos does not have any evidence that they were successful.
TA505 - "Clop" (sometimes stylized as "Cl0p") has been one of the most prolific ransomware families in the past three years. It has gained infamy for compromising high-profile organizations in various industries worldwide using multilevel extortion techniques that resulted in huge payouts estimated at US$500 million.
As in any organization, the security department needs to measure cost-effectiveness, justify budget usage, and support its next budget claim. But organizations often have difficulty accurately measuring the effectiveness and cost of their information security activities. This is because security is not usually an investment that provides profit; it provides loss prevention. How much should an organization invest in protecting information, and how can we quantify the return on this investment? There are many good articles about the term "ROSI" (Return On Security Investment). The ROSI calculation uses a simple formula that relies on the following parameters: Annual Loss Expectancy (ALE) - The total annual financial loss from security incidents. Mitigation Ratio and mALE - The modified ALE is the same as above but accounts for losses that were prevented by implementing a security solution. The value of prevented losses can be obtained by determining the mitigation ratio, whi
In this series of articles, we will discuss a variety of MITRE ATT&CK techniques for Google Cloud Platform (GCP). The articles will cover techniques such as persistence, privilege escalation, lateral movement, and more. The first technique we will discuss is privilege escalation in GCP through a process called "google-guest-agent".

Google Compute Engine Services

Google Compute Engine (GCE) has some services that are run by the systemd daemon, including "google-guest-agent.service". This service is responsible for executing the binary "google-guest-agent" at boot. As we can see, the agent is a child of the init process and is running as root.

What is google-guest-agent?

"google-guest-agent" is a daemon that is responsible for handling GCE platform features. The guest agent functionality can be separated into various areas of responsibility. Historically, on Linux these were managed by separate independent processes, but today they are all managed by the guest agent. The guest agent handl
On June 02, 2022, Atlassian released a security advisory for their Confluence Server and Data Center applications, highlighting a critical-severity unauthenticated remote code execution vulnerability. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance and is currently being exploited by a specific threat actor. In order to bring value to our customers and help them test and verify that their systems are secure against it, our research team rushed to release a purple team module for that specific purpose. You can find it under the following name: Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134). The execution expects two input arguments:
- Hostname: the vulnerable host to check
- Command: the command we would like to run if the host is found to be vulnerable (defaults to whoami, which prints the current running username)
It is crucial to protect yourself from cyber-attacks that can compromise your security posture and cause damage to your organization. With proper configurations and implementations, you can help prevent these cyber-attacks from impacting your organization. For each attack vector, we have compiled the top 3 recommendations for risk mitigation.

Email Gateway
- Block unnecessary attachment file types; allow the minimum that is required for operating your organization.
- Enable aggressive anti-malware scanning such as advanced AV, Sandbox, or CDR.
- Enable URL scanning, sandboxing, and rewriting in the email body and attachments.

Web Gateway
- Block downloads, or allow only the minimum list of file types that is required for operating your organization.
- Block browsing categories that are not required for operating your organization. Focus on questionable categories such as "Newly Registered Domains," "Parked Domains," and "Uncategorized."
- Implement browsing isolation to ensure th
Leverage Cymulate Exposure Management and Security Control Validation to Support All MITRE 11 Strategies for a World-Class SOC
MITRE just published the 11 Strategies for a World-Class Cybersecurity Operations Center book. A recurring theme in this book is the importance of Cyber Threat Intelligence (CTI) as instrumental to "augment the SOC's ability to identify adversaries and discern their movements from those of authorized users." The document further states that CTI "moves the SOC from a per-incident approach to an adversary-focused paradigm." Cymulate for Exposure Management and Security Control Validation is designed to provide extensive in-context CTI capabilities and, as such, supports each one of these strategies, as briefly broached below.

MITRE Strategy 1 - Know what you are protecting and why:

Exposure Management and Security Control Validation provides continuously updated situational awareness of the security posture of individual attack vectors, including iteratively observing, orienting, deciding, and acting through: the creation and continuous update of a composite inventory of all exposed assets
One of Cymulate's greatest features is the Purple Team module. It allows users to create advanced attack scenarios for Threat Hunting using templates, which are chained combinations of the plethora of executions created by Cymulate. Bundled with the Immediate Threat module, one can create strong Threat Hunting scenarios. But how does one create good threat hunting scenarios that really challenge one's Blue Team and test their capabilities?

The Pyramid of Pain

Let's look at the pyramid of pain from a great article written way back in 2014. It was designed back in 2013 as a response to the APT1 report written by Mandiant, and to the discussion around the report: people were talking mostly about detecting the host-based and network-based indicators instead of leveraging the information describing the TTPs reported within it. In short:
- Hash values: the computed hash values for malware and tools dropped in a compromise; these can be added into
Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher (CVE-2022-22536)
On February 8th, SAP disclosed several vulnerabilities in the Internet Communication Manager (ICM), a critical component of its NetWeaver Application Servers. One critical vulnerability, named ICMAD (CVE-2022-22536), received a CVSS score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). A remote unauthenticated attacker could exploit this vulnerability by sending a simple HTTP request, leading to a full system takeover and complete compromise of the Confidentiality, Integrity and Availability of the system. While the best mitigation is to patch the vulnerable servers as soon as possible, the following SAP Notes provide additional information on patches and mitigations:
- 3123396 – [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher
- 3137885 – Workaround for security SAP note 3123396
- 3138881 – wdisp/additional_conn_close workaround for security SAP note 3123396

The Cymulate team published an Advanced Scenario scanner allow
Last week, a local privilege escalation vulnerability was disclosed in the Polkit component, affecting every major Linux distribution. Polkit is a component for controlling system-wide privileges in Unix-like operating systems. It allows a non-privileged process to communicate with privileged ones. This memory corruption vulnerability, which was named PwnKit, exploits a bug in polkit's pkexec utility: it does not handle the calling parameter count correctly and ends up trying to execute environment variables as commands. This easily exploited vulnerability, which received a CVSS score of 7.8, allows any unprivileged user to gain full root privileges on a vulnerable host in its default configuration. An exploit for this vulnerability was published and is now available to all. To mitigate this vulnerability, it is necessary to update the operating system and apply the patch. If full patching is not an option at the moment, an example of a temp
As part of the Professional Services packages we offer our clients, Cymulate's security experts ran a Lateral Movement campaign together with the clients. The main security misconfigurations our team identified were associated with the usage of golden images to deploy new servers and workstations. The usage of golden images can help IT managers easily deploy new endpoints in the network. By preconfiguring once, the IT team can rest assured that each new endpoint will include all the necessary settings and configurations, without the need to configure every new endpoint from scratch. The problem starts when the deployment procedure does not change the passwords of the local users on the new endpoint after the deployment. By reusing the token of the local users, especially the local administrator user, a potential threat actor could easily move laterally and reach high-risk network areas and critical assets. In severe cases, the Domain Controller's local administrator password is reused as well
In the last Patch Tuesday (January 11th, 2022), Microsoft introduced a patch for a critical vulnerability in the HTTP Protocol Stack (http.sys), CVE-2022-21907. This vulnerability, which received a CVSS Base Score of 9.8, allows an unauthenticated attacker to send a specially crafted packet to the server and run malicious code. The affected operating systems include Windows 10, Windows Server 2019 (builds 1809 and 20H2 or higher) and Windows Server 2022. Windows 10 and Windows Server 2019 build 1809 are not vulnerable by default, unless "HTTP Trailer Support" was enabled. This can be checked by querying the registry for a specific key; if the key is present, the configuration is enabled (a temporary mitigation could be deleting this registry value). Windows 10 and Windows Server 2019 builds 20H2 or higher, and Windows Server 2022, have "HTTP Trailer Support" enabled by default, making them vulnerable. Cymulate released a small scanner under the "Advanced Scenarios" part of the platform to help our customers scan the
Let's talk about another interesting case. I could, for example, create a Lambda function which, in turn, performs some sort of activity. It would be a function created in your system and running with your level of permissions. For the POC, I'll make one that simply creates another user upon receiving a specific input. Is this operation logged? Yes, CloudTrail has a "CreateFunction%" event, and there is also an "UpdateFunctionConfiguration%" event for updating an existing function. But would this be a good point at which to catch the attacker? Well, it depends. If your organization makes limited use of Lambda functions, then this would be abnormal activity and would be easily seen in your logs. Yet if your organization makes heavy use of Lambda, then it is far less likely this will be seen as abnormal, and because of the nature of the typical development Lambda function we are showing, every development activity will trigger a false alarm. So it could easily be missed by a security team. Where else can a maliciou
As workloads have shifted from on-premises to the cloud, attacks on cloud infrastructure have become a new focus. This is not surprising: cloud services provide many benefits but also demand quite a degree of responsibility; the responsibility may be "shared", but the customer's part of it is far greater now. It is fairly easy to name the main reasons for the vulnerability of cloud components in various organizations, but one of my top reasons is misconfiguration, followed closely by the absence of configuration in logging systems. Cloud is complex, and complex systems rely entirely on carefully configured logging to report any anomalies. The default configurations that come with so many solutions are rarely helpful. As we see too often, you must have a certain level of development knowledge of the infrastructure you are about to configure logging for, or suffer the consequences of default logging not being enough. Let's look at some examples. In this article we will stay with AWS as our examples throu