
Cybersecurity

Bug Bounty Tips #5, Half-Life Alyx, Everyone works from home, and more…

April 6, 2020 By Craig Hays Leave a Comment

Reading Time: 2 minutes

Craig’s Newsletter April 6, 2020 Edition


Hi All!

Here’s a little update on what I’ve been doing since we last spoke.

What I’ve Been Writing

Since the last update I’ve published my 5th in a series of bug bounty hunting tips:
Bug Bounty Hunting Tips #5 — Aim to Become World-Class in Your Niche. You can read it for free on craighays.com or if you’re a medium.com member you can support me by reading it there.

What I’ve Been Watching

Things are pretty stressful for everyone right now. We can’t go outside, we can’t see family and friends, and everything’s a little bit tense. While unusual for me, I’ve been enjoying watching jacksepticeye playing Half-Life Alyx in virtual reality from start to finish. I haven’t owned a gaming PC for a very long time and I can’t justify building one just for this game. I’ve found that watching someone else play it is good enough for some well-needed escapism without investing in all the kit needed to play it.

What I’ve Been Doing

It feels like the entire world has changed since I last emailed out a couple of weeks ago. All over the world, anyone who can do it is now working from home. The safety net of the corporate firewall is gone. People are working permanently behind home routers with default passwords, firewalls turned off, and… who knows what else is happening. Therefore, I’ve spent the last couple of weeks at work making sure everything is as it was designed to be, for when things like this happen. I suspect many of you will have been in the same situation. 

That said, I’ve started learning more about gRPC at a very low level as I’m really interested in bug bounty targets using this method of data transfer. It isn’t as easy to work with as text encoded HTTP requests so there might not be so many people testing this in this bug bounty space. I did, however, find this Burp Suite Protobuf plugin from NCC Group which looks really useful. Hopefully, I’ll get a chance to try it soon.

What I’m Doing Next

I’m planning on publishing an article on my work analysing external inbound and outbound email through Exchange 365 as there doesn’t seem to be any way to do it in detail in the native reports. My PowerShell scripts need a bit of polishing to make them publishable, but once done I’ll host them up on Github and link to them from the article.

As always, if you’ve got feedback, questions, or something to add, please get in touch.

Stay home, stay safe, and take care.
Craig

Bug Bounty Hunting Tips #4 — Develop a Process and Follow It

March 12, 2020 By Craig Hays Leave a Comment

Reading Time: 5 minutes

The easiest way to fail as a bug bounty hunter is to search at random without a methodology or process to follow. Here’s what to consider.

Photo by Mark Fletcher-Brown on Unsplash

It is really easy to jump straight in and wildly throw payloads at a system when you first approach a target. Admittedly, it can feel great for the first hour or so but after that, you can start to become bored and frustrated if you don’t find anything. And without a structured bug bounty hunting process, you probably won’t find anything new.

It is important to develop and follow your own testing process in order to test thoroughly and professionally. When you first start out your process will be weak and immature but you’ll develop and improve upon it the more bug bounty hunting you do. If you do this consciously you’ll have greater results.


How Will I Recover from Ransomware?

February 23, 2020 By Craig Hays Leave a Comment

Reading Time: 5 minutes

There are very few things that genuinely worry me in cybersecurity. Recovering from ransomware is one of them.

Photo by Echo Grid on Unsplash

Ransomware is the digital equivalent of someone breaking into your house, while you’re in it, and deliberately destroying everything. There are no other, prevalent, cyber weapons that do that. Ransomware is the only one. It is the cruellest, most violent, and most invasive type of malware on the internet. If someone did it in the physical world they would be imprisoned for a long time.

The catch with ransomware is that it offers you a lifeline. An undo button. A chance to reverse all damage. ‘Pay us and we’ll put it all back the way it was.’ Like it never happened. But it did.

Ransomware is Generally Indiscriminate

Ransomware doesn’t care who you are. The threat of ransomware affects both my personal and professional life. The photographs and videos of my daughter’s entire existence are just as vulnerable as the data and systems of FTSE listed companies.

Wannacry, one of the most famous ransomware variants, originally spread from machine to machine through an unpatched file-sharing service. Once a host becomes infected it encrypts all local files and begins looking for other vulnerable hosts to attack. Whoever owns the host is irrelevant. If you’re on a network connected to a compromised host then you’re going to see infection attempts coming your way. Internet, home network, corporate office, or public Wi-Fi, it makes no difference.

The vulnerable hosts that allowed Wannacry to spread initially have been patched or are already compromised. Now ransomware tends to spread through user interaction. A phishing email or drive-by download is the most likely cause of infection. Some malware variants even request permission to run as an administrator to ensure no chance to access everything is missed. The recipient doesn’t matter, the outcome is the same.

But Ransomware Criminals Will Discriminate

The only thing that differs between victims is the size of the ransom demand. If an attacker is able to identify the system as belonging to a registered company then the price of the decryption key will be proportionate to the company’s annual returns. The victim’s goal is to recover from the ransomware attack. The attacker’s goal is to receive payment. Therefore, ransomware criminals walk a fine line between ‘I can’t afford to do that’ and ‘I can’t afford to not do that’.

While individuals may struggle to pay more than a few hundred dollars, a big corporation can usually afford to pay a lot more. Many cyber insurance providers will willingly negotiate the value of the ransom demand on behalf of their customer. Paying for the decryption key can be cheaper than recovering everything from backups. It’s not always a certainty though as it’s hard to rely on criminals to honour the terms of an agreement. That said, ransomware criminals rely on the general public consensus of their own compliance in order to make money. Unless the majority of people who pay for a decryption key actually get what they pay for, people will stop paying.

Criminals are Getting Smarter

In the early days of ransomware, criminals would compromise a system then almost immediately trigger the encryption process. This generated a lot of short term profits but reduced the size of overall payouts possible from corporations. For many companies, restoring from backups was a painful but acceptable solution to the problem. For a criminal, this isn’t the outcome that makes money.

Now, ransomware attacks against corporations have evolved. Instead of immediately starting the encryption process, criminals are hanging around, observing, exploring, and waiting for the right moment to strike for maximum effect. If you were watching them you’d find them slowly poisoning backups, corrupting stale data, and monitoring backup software until retention periods have expired. In the style of Mr Robot, criminals are going after production systems and their online and offline backups through corruption and expiration.

This evolution makes it much, much harder to recover from ransomware. If you can’t recover from offline backups your only option is to buy the decryption key. At least that’s the reasoning of the new approach. Another attack vector is to exfiltrate data before encrypting it locally and use the threat of GDPR fines to coerce payment. By leaking sensitive information to the press bit by bit until payment is made, a stronger case for paying the ransom demand can be built. Especially if someone is trying to keep the breach a secret. (By the way, don’t ever do that. Transparency and honesty are key.)

So How Will I Recover from Ransomware?

Thankfully I haven’t been hit by ransomware, yet. Unfortunately, it’s only a matter of time. No matter how hard you try, you will always get hacked in the end. That’s why we focus on response and recovery as much as on protection against and detection of threats. As for everyone else, the best way to recover from ransomware is to ensure you have offline backups of everything: not just the data but full images of servers, installation files, license keys, processes and documentation, your Active Directory database in a tested, recoverable form… literally everything you could need to rebuild from scratch.

As evolved ransomware attacks are targeting offline backups, the solution here is longer retention periods. If you only keep backups for 30 days it is really easy to lose everything. If you keep a combination of daily, weekly, monthly, and yearly backups, you’ll at least have something to work with. It’ll be less than ideal but something is better than nothing. Long retention and early detection are your best defences.

In my personal life, I take the same approach. I use a combination of different online backup solutions with different retention policies. I combine that with offline snapshots of everything important to me on multiple disks. Simply replicating everything to a cloud-based mirror isn’t enough, as ransomware changes to your local files will be replicated offsite just like your regular updates. Even if you use a backup provider that guarantees immutability of your data for a given period of time, all an attacker has to do is observe your password and delete your account before encrypting everything. Offline backups are the only safe option. Just don’t plug them back in again unless you’re sure your machine is safe.

You Can’t Backup Your Reputation

The only thing you can’t backup is your reputation. No matter how well you respond, if you were the one responsible for protecting against a ransomware threat and you ‘failed’, you will be blamed. Even if only by yourself. Just remember, there’s only so much you can do with the time, money, and people available to you. Make sure you have offline backups that can’t be corrupted and at least you’ll be able to recover something in the end. You might not be able to backup your reputation, but with perseverance, you’ll be able to restore it.

Gaining Lateral Movement with SSH Password Sniffing

February 19, 2020 By Craig Hays Leave a Comment

Reading Time: 5 minutes

Sometimes the best way to gain lateral movement during a penetration test is to steal a password. Here’s how to sniff passwords from a running SSH server.

OpenSSH Password Sniffing
Photo by Clint McKoy on Unsplash

If you’ve managed to gain a remote shell onto a Linux server and elevated your privileges to root (congrats!), the next step is to maintain your access and gain lateral movement around the network. If you’ve been unable to find anything on the compromised server that would indicate a password for any system, including the compromised server, you can always try to sniff SSH passwords straight out of OpenSSH. You can even be doing this while attacking password hashes offline. I always prefer multiple options that race each other to the correct answer.

The Reality of SSH Passwords

Lateral movement through OpenSSH password sniffing is a very viable concept because:

  • People use the same username and password combinations on multiple systems
  • Passwords often follow a common pattern which can be used to predict other passwords on the estate
  • People type valid passwords into the wrong servers
  • Given enough time, someone will always log in

There are exceptions to the above but unfortunately, most organisations are not that mature.

3 Ways to Sniff SSH Passwords on a Compromised Server


How To Prevent Cloud Cost-Skimming Fraud

February 16, 2020 By Craig Hays Leave a Comment

Reading Time: 4 minutes

Rogue employees running your cloud infrastructure can skim money off your monthly bill. Here’s what you can do to prevent this fraud and unnecessary cost.

Cloud Cost Skimming
Photo by Zachary Young on Unsplash

How Cloud Cost-Skimming Fraud Works

Cloud compute services like Microsoft Azure and Amazon Web Services (AWS) allow developers to publish their own virtual machine (VM) templates to their global marketplace so that others can consume them. This lets legitimate software vendors create easy-to-deploy, cloud-ready installations of their software. Customers get easy access to useful software and vendors get paid for their product. Not all marketplace templates or images have an additional charge for using them, but many do.

Premium Virtual Machines

Cloud providers offer a set of base templates or images that are billed based on usage of the underlying hardware and any operating system licensing costs. These generally come in a variety of Windows and Linux flavours. Developers who release their own premium virtual machines can add an additional charge on top of the Azure/AWS standard charge. With a pay-as-you-go, usage-based model, this can be anything from one penny ($0.01) per hour upwards. A percentage of any additional costs billed to consumers is paid to the developer who published the image.

The following table taken from the Microsoft Azure Marketplace documentation explains to developers how much they will get paid. A similar guide is available for the Amazon AWS Marketplace.

Azure Marketplace Pricing Model Explained

How Employees Can Use This to Defraud You

We must trust our employees in order for them to work effectively. In truth, most employees are trustworthy individuals who would never consider defrauding their employer. That doesn’t mean we shouldn’t define boundaries for our people to work within. Nor should we abstain from an appropriate level of due diligence. Setting clear boundaries allows people to work autonomously towards their goals. Technical controls and monitoring can protect us from dishonest actions by the minority. So what is it that we’re watching for?

Instead of using the standard, no additional charge images provided by Azure and AWS, employees can:

  • register as developers on the AWS and Azure Marketplaces
  • create exact copies of the base images they should be using
  • then charge an additional fee for using them. This could be anywhere from $0.01 per hour to something a lot more significant.

If you’re only running a single virtual machine, an additional $7.44 in costs isn’t going to make much difference to your overall spending. If you’re running tens, hundreds, or even thousands of VMs, spending an additional $0.01 per hour per virtual machine will be a substantial but difficult to detect overpayment by you, and a nice pay rise for the fraudster.

How Can This Fraud Go Undetected?

With more and more reliance on automation tools for the creation, management, and destruction of virtual machines, it’s easy for an attacker to change a base image from the standard offering to a machine of their own. When your deployment process is fully automated, the fraudster only needs to make one change to a configuration management tool to cash in on every VM created from that point onwards.

Cloud compute costs are very variable. The natural variance in a flexible usage model will always create peaks and troughs in your monthly bill. With careful execution, the implementation of such a scheme could be eased in slowly to avoid an immediate rise and deliver a gradual rise over several months.

As anyone can register a company, register for the Azure and AWS marketplaces, and start creating custom, premium images, the trail of evidence leading back to a known individual may not be obvious. If you’re already using premium images in other places, one more vendor isn’t going to raise much suspicion, especially if the costs are almost identical to what you were expecting.

How to Prevent Cloud Cost-Skimming

The methods you use will vary from one cloud provider to another. For some, the only option you have is to manually review detailed usage logs during or at the end of a billing period. Thankfully, for Azure and AWS we have other options.

Preventing Unauthorised Purchases on the Microsoft Azure Marketplace

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies… For example, you can have a policy to allow only a certain SKU size of virtual machines in your environment. Once this policy is implemented, new and existing resources are evaluated for compliance. With the right type of policy, existing resources can be brought into compliance.

– Microsoft: What is Azure Policy

As Azure administrators, we can use Azure Policy to prevent our employees from launching services by unapproved publishers on the Azure Marketplace. We create a whitelist of known good publishers, such as Microsoft, RHEL, Canonical, etc., then set a ‘deny’ control for anyone not in that list. As long as our employees don’t have access to change the Azure Policy configuration, Microsoft will not allow anyone to launch their own Marketplace VMs with unexpected charges.

This GitHub repository has several examples of restricting publishers through Azure Policy and this guide does an excellent job of explaining how and why it works.
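The publisher whitelist described above, written as a custom Azure Policy definition. This is an added example in the format used by the Azure Policy samples, not a definition taken from the linked repository; the publisher names in `defaultValue` are assumed values and should be replaced with the publishers your organisation has approved.

```json
{
  "properties": {
    "displayName": "Allowed virtual machine image publishers",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Denies creation of virtual machines whose Marketplace image publisher is not on the approved list.",
    "parameters": {
      "allowedPublishers": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed image publishers",
          "description": "Marketplace publisher names that virtual machines may be created from"
        },
        "defaultValue": [
          "MicrosoftWindowsServer",
          "Canonical",
          "RedHat"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "field": "Microsoft.Compute/imagePublisher",
              "in": "[parameters('allowedPublishers')]"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

A VM built from a custom managed image has no publisher field, so this rule denies it as well; add an `exists` condition on `Microsoft.Compute/imagePublisher` if you deliberately rely on such images. Assign the definition at the management group or subscription scope and keep write access to policy assignments away from the same engineers who deploy VMs.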

Preventing Unauthorised Purchases on the Amazon AWS Marketplace

AWS offers a similar solution to Azure. In order to launch premium products, you must first subscribe and agree to the product’s EULA. Identity and Access Management (IAM) policies can be created to prevent all your AWS users from subscribing to new products on the Marketplace, except for a specific group such as enterprise administrators or your purchasing team. With these policies in place, you can create additional groups who can launch specific images which have already been approved by the management team.
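An IAM policy implementing the control described above, as an added example rather than a policy from AWS documentation. It is intended for attachment to every IAM group except the purchasing or administrator group, which gets a separate policy allowing `aws-marketplace:Subscribe`; because an explicit Deny always wins, do not attach this one to that group.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewingExistingMarketplaceSubscriptions",
      "Effect": "Allow",
      "Action": "aws-marketplace:ViewSubscriptions",
      "Resource": "*"
    },
    {
      "Sid": "DenyNewOrChangedMarketplaceSubscriptions",
      "Effect": "Deny",
      "Action": [
        "aws-marketplace:Subscribe",
        "aws-marketplace:Unsubscribe"
      ],
      "Resource": "*"
    }
  ]
}
```

Engineers in these groups can still launch instances from products the purchasing team has already subscribed to, but cannot add a new paid product (including one they published themselves) to the account.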

As long as your AWS and Azure implementations adhere to the principle of least privilege, you can prevent cloud cost-skimming by applying technical controls. For other providers, check their documentation for similar policy-based controls. Failing that, a manual audit of monthly usage statements may be the only option.

© Craig Hays, 2006–2025