Author: brian

  • Ongoing Cyber Attack Disrupts Car Dealerships

    On June 18th, 2024, thousands of car dealerships across the United States and Canada fell victim to a cyberattack against an upstream cloud service provider, resulting in widespread outages and significant operational degradation. A second attack occurred a day later and caused further damage, exacerbating an already dire situation.

    What happened?

    The attackers targeted CDK Global, a behemoth in the automobile SaaS industry with services extending into nearly all areas of business.

    CDK Global offers SaaS solutions that help dealerships manage various aspects of their business, including vehicle acquisitions, sales, financing, insuring, repairs, and maintenance. Their services are critical for business continuity of their customers. The downstream impacts of the attack affected over 15,000 dealerships across the continental US and Canada. At this time, no direct impact to any vehicles or vehicle-connected systems has been reported.

    In response to the attack, CDK shut down its IT systems, including customer logins and data center operations. At the time of this writing, three days after the initial attack, dealerships remain severely hampered by the ongoing outage, as noted in numerous posts on X (see reference 6 below).

    While specific impacts vary or have yet to be determined, at the time of this writing, concerns shared amongst the victims include:

    1. Operational Disruption: CDK’s systems were compromised, affecting dealership operations, inventory management, and customer service for an extended period.
    2. Reputation Damage: Public scrutiny of the breach may erode trust in dealerships and manufacturer brands, affecting customer loyalty and sales.
    3. Legal and Regulatory Fallout: Dealerships may face legal actions, fines, and regulatory scrutiny due to data protection violations.
    4. Financial Loss: Remediation costs, legal fees, and potential lawsuits can strain dealership finances.

    Why were Car Dealerships Targeted?

    Car dealerships pose a uniquely attractive target to malicious actors. Often lacking in dedicated security staff and formal risk management processes, they still handle large amounts of money and store vast amounts of customer data, including sensitive PII.

    Also, dealership systems are often interconnected with other external systems for business processing. Each of those connections is a potential path for an attacker to pivot into, or out of, the dealership, which is exactly how an attack on one upstream provider reached thousands of downstream businesses here.

    Recent Trends

    A 2023 report by CDK highlighted that 17% of surveyed dealers experienced cyber-attacks within the past year, up from 15% the previous year. Of those dealerships affected, 46% reported negative financial or operational impacts. The scale and impact of this incident is without precedent and may be felt for months.

    Response and Recovery

    To their credit, CDK Global promptly shut down affected and potentially affected systems as a precautionary measure.

    • Core document management and digital retailing solutions were prioritized and later restored.
    • At the time of this writing, CDK continues to conduct ongoing tests to bring other applications back online without introducing additional risk.

    CDK also issued a warning to customers on its interactive voice line:

    ‘We are aware that bad actors are contacting our customers posing as members or affiliates of CDK trying to obtain system access. CDK associates are not contacting customers for access to their environment or systems.’
    ‘There is currently no known estimated time frame for resolution and therefore our dealer systems will not be available likely for several days.’

    Looking Forward

    It goes without saying that risk management and business continuity are critical for car dealerships. Dealerships now find themselves facing the stark reality that the two are inseparable. How they choose to move forward will shape the viability and perceived trust of the industry.

    Raxis recommends that car dealerships consider the following steps when designing a robust security program:

    1. Data Protection Regulations:
      • Become familiar with data protection laws such as the Gramm-Leach-Bliley Act (GLBA), which outlines obligations to safeguard consumers’ PII, such as names, addresses, and social security numbers.
      • Implement comprehensive data protection measures, including encryption, granular access controls, and effective monitoring.
    2. Secure IT Infrastructure:
      • Ensure dealership IT systems are secure:
        • Encrypt data at rest and in transit.
        • Use multi-factor authentication for identity verification.
        • Regularly update software and maintain firewalls.
        • Educate employees about phishing scams and secure password practices.
    3. Data Integrity and Governance:
      • Establish strong data governance policies and procedures:
        • Conduct regular audits to identify and reconcile anomalies.
        • Apply layered controls and redundancy to critical systems.
    4. Limit Access and Educate Staff:
      • Using the principle of least privilege, allow access to dealership data only where it is necessary for a specific function. This applies both to personnel and to interconnected systems.
      • Train employees to recognize security threats and respond appropriately.
      • Use strong, complex passwords and change them regularly.

    References:
    1. https://www.usatoday.com/story/money/cars/2024/06/19/cdk-cyber-attack-hits-automotive-dealers/74150427007/
    2. https://www.ibtimes.com/cyber-attack-cripples-thousands-car-dealerships-us-canada-busy-holiday-3734785
    3. https://www.jmagroup.com/resources/operations/tdawa/8-important-dealership-regulations-how-to-protect-yourself-and-your-customers
    4. https://industrialcyber.co/vulnerabilities/check-point-finds-that-info-stealing-malware-targets-german-car-dealerships-auto-manufacturers/
    5. https://securityboulevard.com/2024/02/top-cyber-threats-automotive-dealerships-should-look-out-for/
    6. https://x.com/CarBusinessMan/status/1803722884134719894
  • Password Length: More than Just a Question of Compliance

    Password length is a topic we’re asked about a lot, and that makes sense because it can be quite confusing. There are several different compliance models that organizations use – from PCI to NIST to OWASP and more. Each has its own standards for password strength and password length.

    When it comes to penetration testing, the password recommendations that come out of a test are often more rigorous than the compliance standards, and this leads to a great deal of stress, especially for organizations that have already spent time and effort implementing password rules that meet the compliance standards they’ve chosen.

    Why So Many Different Standards?

    First, speaking from experience, penetration testers see firsthand how weak and reused passwords are often a key part of achieving access over an entire domain (i.e. having administrative powers to view, add, edit, and delete users, files, and sensitive data, including passwords, for an organization’s Active Directory environment). While this is the type of success that pentesters strive to achieve, the true goal of a penetration test is to show organizations weaknesses so that they can close exploitation paths before malicious attackers find them.

    For this reason, Raxis penetration tests recommend passwords of at least 12-16 characters for users and at least 20 characters for service accounts. Of course, we recommend more than length (see below for some tips), but Raxis password cracking servers have cracked weak passwords in minutes or even seconds on internal network penetration tests and red team tests several times this year already. We don’t want our customers to experience that outside of a pentest.

    On the other hand, compliance frameworks are just that: frameworks. Their aim is to guide organizations toward being secure, not to impose a stringent set of rules that may not be necessary for every system and application. For example, a banking website should require stronger credentials and login rules than a store website that simply allows customers to keep track of the plants they’ve bought without storing financial or personal information.

    If you read the small print, compliance frameworks nearly always recommend passwords longer than they require. It’s unlikely, though, that many people read the recommendations when working on a long compliance checklist when they have several more items to complete.

    Times are Changing

    Of course, time goes on, and even compliance frameworks usually recommend at least ten-character passwords now. The PCI (Payment Card Industry) standards that are required for organizations that process credit cards now require 12-character passwords unless the system cannot accept more than eight characters. PCI DSS v4.0 requirement 8.3.6 does have some exceptions, including continuing to allow PCI DSS v3.2.1’s seven-character minimum length, which is grandfathered in until the end of March 2025.

    This is a good example of PCI giving companies time to change. It’s been well known for years that someone who has taken the time and expertise to build a powerful password-cracking system can crack a seven-character password hash in minutes. This leaves any organization that still allows seven-character passwords with a strong threat of accounts becoming compromised if the hash is leaked.

    OWASP (the Open Web Application Security Project), which provides authoritative guidance for web and mobile application security practices, recommends a minimum of 10 characters in its Authentication Cheat Sheet. OWASP states that it bases this on the NIST SP 800-132 standard, which was published in 2010 and is currently being revised by NIST. Keep in mind that OWASP also recommends that the maximum password length not be set too low, so that long passphrases are not rejected or silently truncated; it recommends 128 characters as the maximum.

    The Center for Internet Security, on the other hand, has added MFA to their password length requirements. In their CIS Password Policy Guide published in 2021, CIS requires 14 character passwords for password-only accounts and eight character passwords for accounts that require MFA.

    Other Factors

    This brings up a good point. There is more to a strong password than just length.  

    MFA (multi-factor authentication) allows a second layer of protection such as a smartphone app or a hardware token. Someone discovered or cracked your password? Well, they have one more step before they have access. Keep in mind that some apps allow bypassing MFA for a time on trusted machines (which leaves you vulnerable if a malicious insider is at work or if someone found a way into your offices).

    Also keep in mind that busy people sometimes accept alerts on their phones without reading them carefully. For this reason, Raxis has a service – MFA Phishy – that sends MFA requests to employees and alerts them (and reports to management) if they accept the false MFA requests.

    MFA is a great security tool, but it still relies on the user to be vigilant.

    Raxis’ Recommendations

    In the end, there are a myriad of ways that hackers can gain access to accounts. Raxis recommends setting the highest security possible for each layer of controls in order to encourage attackers to move on to an easier target.

    We recommend the following rules for passwords along with requiring MFA for all accounts that access sensitive data or services:

    1. Require a 12-character minimum password length.
    2. Include uppercase and lowercase letters as well as numbers and at least one special character. Extra points for the number and special character being anywhere but the beginning or end of the password!
    3. Do not include common sequences or easily guessable words such as 1234567890, abcdefghijkl, or your company name. Don’t be on NordPass’s list!
    4. Do not reuse passwords across accounts, which could allow a hacker who gains access to one password to gain access to multiple accounts.
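    The four rules above, implemented as a small checker. This is an added example and is not Raxis code. The company name, the blocklist entries, the 128-character upper bound (taken from the OWASP recommendation discussed earlier) and the 100-billion-guesses-per-second cracking rate used for the time estimate are assumptions, and the sample passwords are constructed (two of them are the ones mentioned at the end of this post).

```python
"""Password policy checker for the four rules above.

Added example, not Raxis code. Thresholds, the blocklist, the company
name and the cracking rate are assumptions drawn from the text.
"""
import string

MIN_LENGTH = 12      # rule 1: 12-character minimum
MAX_LENGTH = 128     # OWASP's recommended cap, so long passphrases are not rejected
COMPANY_NAME = "examplecorp"   # assumed; replace with the real organisation name

# Constructed blocklist of the sequences and words the post calls out.
# A real deployment would load a breached-password list here instead.
COMMON_SEQUENCES = ("1234567890", "abcdefghijkl", "qwertyuiop", "password")

# Light leetspeak normalisation so 'ExampleC0rp' still matches 'examplecorp'.
_LEET = str.maketrans("0134@$!", "oleaasi")


def has_interior_digit_or_special(pw: str) -> bool:
    """Extra points: a digit or special character that is not the first or last character."""
    return any(c.isdigit() or c in string.punctuation for c in pw[1:-1])


def check_password(pw: str, company_name: str = COMPANY_NAME) -> dict:
    """Apply rules 1-3; returns {'ok': bool, 'failures': [...], 'bonus': bool}.

    Rule 4 (no reuse across accounts) cannot be checked from a single
    password and is left to the password manager.
    """
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        failures.append(f"longer than {MAX_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")

    lowered = pw.lower()
    for seq in COMMON_SEQUENCES:
        if seq in lowered:
            failures.append(f"contains common sequence '{seq}'")
    if company_name.lower() in lowered or company_name.lower() in lowered.translate(_LEET):
        failures.append("contains the company name")

    return {"ok": not failures, "failures": failures, "bonus": has_interior_digit_or_special(pw)}


def brute_force_seconds(length: int, alphabet_size: int = 95, guesses_per_second: float = 1e11) -> float:
    """Worst-case time to exhaust every password of the given length.

    95 is the printable ASCII alphabet; 1e11 guesses/second is an assumed rate
    for a fast hash (NTLM-class) on a cracking rig and is not a Raxis figure.
    """
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    for sample in ("Ihatemyb0ss", "Ihatethiscompany!", "ExampleC0rp#2024", "Correct-Horse7-Battery"):
        print(sample, check_password(sample))
    for n in (7, 12, 20):
        print(f"{n} chars: {brute_force_seconds(n) / 86400:.1f} days worst case")
```

    Run as a script it prints the verdict for each constructed sample and the worst-case exhaustion time for 7-, 12- and 20-character passwords; at the assumed rate a full 7-character keyspace falls in about twelve minutes, which is the "minutes" figure quoted earlier, while 12 characters takes on the order of 170,000 years. The leetspeak normalisation is deliberately crude: its job is to stop the obvious "C0mpanyName!" variants, not to replace a breached-password blocklist.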

    There are two easy ways to follow these rules without causing yourself a major headache:

    1. Use a password manager (such as NordPass above, BitWarden, Keeper, or 1Password, amongst others). Nowadays these tools integrate with all of your devices and browsers, so you truly need to remember only one (very long and complex) password in order to easily access all of your passwords.
      • These tools often provide password generators that quickly create & save random passwords for your accounts.
      • They usually use Face ID and fingerprint technology to make using them even easier.
      • And they also allow MFA, which we recommend using to keep your accounts secure.
    2. Use passphrases. Phrases allow you to easily remember long passwords while making them difficult for an attacker to crack or guess. Just be sure to use phrases that YOU will remember but others won’t guess.

    And I’ll leave you with one last recommendation. On Raxis penetration tests, our team often provides a list of the most common passwords we cracked during the engagement in our report to the customer. Don’t be the person with Ihatethiscompany! or Ihatemyb0ss as your password!

  • Red Teams, Blue Teams, and Purple Teams, Oh My!

    Red Teams, Blue Teams, and Purple Teams are terms used in cybersecurity to describe different approaches to testing and improving security measures within an organization. Red Teams and Blue Teams – and working together, Purple Teams – each play a key role in the cybersecurity process, and, when used effectively, they can help identify and mitigate vulnerabilities and improve an organization’s overall security posture.

    What They Are

    Red Teams

    Red Teams are offensive security teams that simulate cyberattacks against an organization. They act as adversaries, attempting to breach an organization’s defenses using the same tools, techniques, and procedures as real attackers in order to identify vulnerabilities and weaknesses in an organization’s security posture before real attackers can exploit them. Red Teams use techniques such as penetration testing and social engineering to assess the organization’s security.

    Blue Teams

    Blue Teams are defensive security teams that are responsible for maintaining and improving the organization’s security posture. They work to detect, respond to, and prevent cyberattacks and security incidents. Blue Teams are often responsible for implementing and managing security tools and technologies, monitoring network traffic for signs of malicious activity, and responding to security incidents when they occur. They may also work closely with Red Teams to understand and address vulnerabilities identified during testing.

    Purple Teams

    Purple Teams combine elements of both Red Teams and Blue Teams. They focus on collaboration and communication between the offensive and defensive teams to improve overall security. Purple Teams often work together to develop and test security controls, identify and prioritize vulnerabilities, and improve incident response processes. By working together, Red and Blue Teams can better understand each other’s perspectives and improve an organization’s security posture.

    How They Can Help You

    These teams are useful because they provide a structured and systematic approach to testing and improving security. By simulating real-world attacks, organizations can identify and address vulnerabilities before they are exploited by real attackers.

    Additionally, by working together in a Purple Team, Red Teams and Blue Teams can improve communication and collaboration, leading to more effective security measures. Overall, these teams help organizations identify and mitigate security risks, protect sensitive data, and maintain the trust of their customers and stakeholders.

    What It’s Like to Take Part in a Red Team

    All cybersecurity companies are different, so we’ll focus on the Raxis Red Team. First, you scope the Red Team. While a full scope of all of your physical locations, employees, applications, and networks is most like a malicious hacker’s landscape, Raxis works with you to make necessary exclusions, such as critical medical devices or sensitive locations.

    With the scope in mind, the Raxis Red Team gets started. Much like a crime drama, the early stages of the test are slow. The team carefully researches the target company for possible weaknesses and entry points, from physical information (locked doors, badge readers, cameras, etc.) to network infrastructure (websites, VPNs, operating systems, etc.).

    Using employee lists found on sites such as social media, company websites, and tools that scour the internet for employee information, the Red Team often begins the attack with small spear phishing campaigns. Unlike large phishing tests to train your employees, these are aimed to stay below the radar and to get results. Often spear phishing emails encourage the target to call Red Team members in order to build trust before attempting to discover sensitive information. In other cases, our team has sent emails that lead employee targets to open phishing webpages immediately and enter usernames and passwords.

    During a Red Team, testers are standing by to receive and use that information. Even if an employee gets suspicious and changes their password, a Red Team may already be inside the network. If that same password was reused for multiple systems, the Red Team may have further access unless the employee remembers to change the password on each system. All of this can be accomplished remotely using external network systems that the Red Team discovers.

    Once credentials are in hand, the Red Team moves to the next level. From sitting in a parking lot with a powerful antenna accessing the organization’s wireless network to entering a building and installing a device on the internal network, the credentials acquired above take on new urgency as they have the potential to be used on any system on the internal or wireless networks as well as the external network.

    Why Take Part in a Red Team?

    The power of a Red Team is that almost everything is in play. As malicious attackers use anything they can find to piece together an attack, so can your Red Team. These tests are less about reporting on every issue you should fix and more about showing your organization what an attacker could accomplish against your systems.

    Past Raxis Red Team engagements have discovered vulnerabilities that may look small on their own but, together, give Raxis full and persistent access to organizations’ networks and buildings. Our teams have tailgated into buildings, casually walked past or talked their way past security guards, cloned badges (even for data centers) to gain unquestioned access, planted devices that allow remote access to internal systems, sent phishing emails to employees as employees, gained domain administrator access via wireless networks, and more.

    Red Teams Benefit You

    Often a first impression while thinking about performing a Red Team test is that your organization will fail or that it will be a painful experience. We encourage you to think about it more positively. A Red Team, whether through Raxis or another reputable firm, gives your team information to strengthen your physical and network security controls and also gives you real-world examples that show your employees the importance of keeping security at top of mind.

    One last story. In one Red Team engagement, Raxis initially gained access via a successful spear phish that provided a username and password that worked on the organization’s internal production wireless network. While this employee fell for the phish initially, he contacted IT within a day to say that he had seen strange activity in his account. IT blew him off and said it was fine. How do we know? Because our Red Team was monitoring his emails.

    It took Raxis more than one day to use those credentials to gain persistent access to the network. If IT had listened to the employee and reset his password, our team would have been back at square one. That is a powerful message commending the employee for alerting IT and helping IT recognize that it’s always best to be safe rather than sorry.

    Purple Teams Provide Even More Insight

    For a Purple Team engagement, Raxis team members work both offense and defense. While the Red Team performs as usual, another Raxis team member also works with your Blue Team to both watch and assess and, sometimes, to guide. In the end, a Purple Team report includes (in addition to a full Red Team report) an evaluation of your Blue Team’s activities as well as advice on how to strengthen them for the future.

    If your organization has an internal Red Team or has performed external Red Team tests in the past, a Purple Team engagement can be the next step to strengthen your Blue Team. The Raxis team member working with your Blue Team is kept apprised of what the Red Team is doing. If your Blue Team catches the Red Team, great! If not, the Raxis team member will evaluate your Blue Team’s actions and may – depending on your scope – guide them on key points.

  • CIS vs. NIST: Understanding Cybersecurity Standards and Frameworks

    The nature of cybersecurity is that threats evolve rapidly, and hackers often strike unpredictably. Despite the dynamic nature of the field, however, there are security frameworks in place to guide the development of effective cyber defenses. The ones used most frequently by security professionals are the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, also known as the NIST Cybersecurity Framework (NIST CSF), and the Center for Internet Security’s 18 CIS Critical Security Controls (CIS 18).

    Depending on their industry and/or company size, Raxis customers are sometimes required to assess the maturity of their cybersecurity using these tools. Other times, they simply want to have a better internal understanding of their overall security posture and gaps. Regardless of the reason, the question we get most often is which standard is best for the company. Our team has vast experience with both CIS 18 (formerly SANS Top 20 or CIS 20) and NIST CSF v1.1 requirements, and we can develop a scope of work based on either.

    That said, it’s important to understand exactly what these frameworks are and how they help improve your cybersecurity posture. Let’s start with CIS 18 as we’re asked about that one most often.

    CIS 18

    As the name suggests, the CIS 18 is a list of 18 primary security controls organized by activity. It is designed to measure an organization’s level of maturity as compared to a set of recommended standards.

    The safeguards under the 18 CIS controls are assigned to three tiers, called implementation groups (IGs). Each group builds on the one before it, so the set of safeguards an organization is expected to meet grows with the maturity of its cyber defenses.

    • IG1 includes the base-level security controls every enterprise should have in place. Think of this as the minimum standard, designed to help companies with limited cybersecurity expertise thwart general, non-targeted attacks. There are 56 safeguards in this group.
    • IG2 is designed to help organizations that manage multiple IT departments, with varying degrees of risk, cope with increased operational complexity. It includes 74 additional safeguards on top of IG1.
    • IG3 is aimed at organizations that employ IT security experts and is designed to help them secure sensitive data and lessen the impact of cyberattacks. There are 23 additional safeguards included in IG3, for a total of 153 across all three groups.

    For customers who need a detailed analysis of each control, Raxis recommends our Enterprise CIS 18 Analysis. This includes an extensive interview and documentation process that will yield a detailed gap analysis and roadmap for hardening your defenses in accordance with the CIS controls.

    NIST

    The NIST CSF Version 1.0 was created in 2014 in response to the US government’s call for a voluntary framework to establish a “prioritized, flexible, repeatable, performance-based and cost-effective approach to managing cyberthreats.” Version 1.1 was released in 2018 and includes additional guidance and clarification.

    NIST CSF v1.1 (Image courtesy of N. Hanacek/NIST)

    Unlike CIS, the NIST framework is intended as a gap-analysis tool based on the organization’s target operational state. It includes a core set of five cybersecurity functions that present industry standards and guidelines for all levels of an organization. These are broken out as follows:

    • Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
    • Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
    • Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
    • Respond: Develop and implement appropriate activities to act regarding a detected cybersecurity incident.
    • Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

    Within each function are categories which are groups of cybersecurity outcomes closely tied to needs and activities. An example would be “Data Protection.” Within each category are sub-categories which identify specific outcomes or operational states. For the preceding example, sub-categories include: “data is protected at rest” and “data is protected in transit.”

    Another difference between CIS 18 and NIST CSF is that the latter also includes informative references, which map the CSF’s applicability to other frameworks, such as COBIT, ISO, ISA, CIS, and others.

    For customers needing detailed reviews of each of the 108 NIST CSF sub-categories, Raxis recommends our Enterprise NIST Analysis. Like the Enterprise CIS 18 Analysis, this includes an extensive interview and documentation process that will yield a detailed gap analysis and roadmap for hardening your defenses, but this time in accordance with the NIST controls.

    Security Framework Analysis (SFA)

    For organizations that don’t have to meet regulatory compliance standards, it may still make sense to evaluate your security against a meaningful framework. This approach will look at groupings of controls versus individual controls and provide a gap analysis with road mapping based on your organization’s needs. Toward that end, Raxis offers security framework analysis (SFA) engagements that are based on the CIS 18 or the NIST CSF (as well as customized engagements for other frameworks that may fit your industry best).

    Similar in purpose to our enterprise analyses, but reduced in scale, the Raxis SFA is designed for small and midsized businesses that want peace of mind knowing that they are addressing the broader security standards, but that don’t need the intensive, granular focus of the enterprise analyses.

    Conclusion

    Whether your goal is to satisfy a legal or industry requirement, to gain a better understanding of your security posture, or both, Raxis has the experience and expertise to guide you to the service that matches your needs. Our goal is to help you reach the highest level of security possible to protect your data, your customers, and your reputation.

    The best place to start is a conversation with our experts. Just give us your contact information and we’ll be in touch. 

  • Meet the Team: Brian Tant, VP of Engineering

    I’m Brian Tant, and I serve as Raxis’ VP of Engineering. This week, I’m the subject of our in-house infosec inquisition where I’ll be asked all manner of probing questions intended to give you, the reader, some insight into the machinations of a troubled mind. Normally, I avoid this type thing, but, after a series of increasingly dire threats from our COO, Bonnie Smyre, I relented.

    Jim: When did you first get into security?

    Brian: Do you want the professional answer or the seedy underground one?

    The professional version is that I started in IT at the ripe age of 17. I lied about my age to get on with a tech staffing company. They made me do a series of placement tests, although back in the day we used paper.

    Jim: [shudders]

    Brian: I know, right? Anyways, I had been doing computer stuff for a while and the tests were pretty basic. I did well enough that I bubbled up to the top of the roster for a big brand company looking for a tech. They brought me in and made me a field technician day one. It was the typical firehose-sippy-cup experience that comes with jumping up a level.

    Fast forward several cubes later.  At some point, I found I had a knack for Terminal Server and Citrix and did that for several years. My last deployment was one of the largest Citrix farms in the world at the time: 1000+ servers and 30k concurrent users across the globe.

    Jim: And then?

    Brian: I got bored. How many times a day can you hear the phrase, “I can’t print” before you start questioning some fundamental life choices. I loved the tech, but the users. Oi.

    Jim: So where does security come into the picture?

    Brian: Ah. For that we have to re-visit the dark seedy part I mentioned earlier. Back in the 90s, the hacker scene was mostly to do with phones and usenet groups. Networks were mostly flat, and email was a cool idea that would never take off. My taste for mischief found a home in that community. Twenty-some-odd years later I decided to re-kindle that and found that there was a whole sector of talented folks that shared a passion for devious tinkering.

    Jim: And the rest of the story?

    Brian: As a Raxis Paul Harvey would say…

    Jim: Wow.

    Brian: Yep. I am that dork. Mark (our esteemed CEO) took a chance and brought me onboard Raxis early on. We were tiny, but eventually found our voice. Since then, we’ve grown, and I’ve been privileged to be a part of building something special. What we have here is a real sense of family. I can’t imagine being anywhere else.

    Brian doing literally what he’s often suspected of doing figuratively.

    Jim: Switching gears. If there is one thing I’ve learned working with Raxis it’s that you guys roll hammer down all day. The pace is frenzied, and things are always changing. How do you unplug?

    Brian: As my wife will tell you, I have a problem with hobbies.

    Jim: Oh?

    Brian: Most of them tend to connect with farming or agriculture in some way. We have a small homestead where we keep bees, goats, worms, chickens and an indeterminate number of dogs and cats at any given time. I sit on the board of directors for the local farm bureau and chair the bee keeping club.

    Jim: No shortage of fur-babies then.

    Brian: I also make wine, mead, soaps, preserves, and have been known to run a still now and again. For a while I even made a podcast that gained a modest following. I do a lot of backpacking and am a master diver.

    Brian spending quality time with his six-legged livestock.

    Jim: Back up; a still as in moon-

    Brian: As in alternative fuel for small engines.

    Jim: [cough] Moving on, if you had to pick a favorite thing about working at Raxis, what would it be?

    Brian: Easy. It’s the people. The people are the heart of this company. Raxis is an ego-free zone. We’re all passionate about what we do, but, unlike most shops, Raxis is built on empowerment. We’re only the best if our people are at their best, and that means we take care of each other. The same holds true with our customers. Our success comes from helping them succeed.

  • Why Our Team is Excited about the Purchase of Boscloner

    If you haven’t heard the news yet, Raxis has purchased the industry-dominant Boscloner electronic access badge-cloning technology from our friend and frequent colleague, Phillip Bosco.

    For the benefit of those outside the pentesting world, Boscloner is basically the iPhone of physical hacking technology – except with fewer real competitors.

    WARNING: If advanced technology worries you, this next part might be terrifying.

    Our CEO, Mark Puckett, calls the Boscloner technology a “master key to corporate offices and server rooms.” That’s because it enables a penetration tester, often on a red team engagement, to read the data from someone’s access badge, copy it, and produce a duplicate that the access control system accepts as the original, with all the same permissions.

    While that’s impressive by itself, Boscloner can do it without ever touching the badge and from six feet away. Even better (or worse, depending on your perspective), Boscloner eliminates the need for a badge entirely in some situations and can use captured data from one badge to employ ‘smart brute force’ to hack and duplicate others with greater privileges.

    If you have a chance, visit Boscloner and check out its capabilities. When you do, you’ll be very glad that Phillip Bosco is a former Marine who truly is on the side of good and right.

    You’ll also see why our own team is pumped that we’ve brought this technology in house. In fact, we did an informal survey just to get everyone’s reactions and here’s what they said:

    • Bonnie Smyre, Chief Operating Officer: “Raxis has used the original Boscloner on social engineering and red team engagements for years. I’m incredibly excited to now include Boscloner in the list of products and services we offer to our customers. Nothing beats experience… and the experience of witnessing unauthorized access to your premises using Boscloner technology is an experience that motivates our customers to upgrade their badge technology to be more secure.”
    • Scott Sailors, Vice President of Security Consulting: “I am a huge fan of the first generation Boscloner. The ease of use on a high-pressure Red Team can make a big difference. The mobile apps are a game changer. Phil Bosco did an amazing job and the next generation Boscloner is even better. I’m excited to see Raxis take over the project and build on what Phil created.”
    • Brad Herring, Vice President of Business Development: “I’m excited about the Raxis acquisition of Boscloner. I’ve used several versions of badge replicators on SE jobs, and this is by far the best one out there. It matches the excellence that customers expect from the Raxis brand and is going to be a great tool for anyone wanting to test their electronic locks and physical security systems.”
    • Tim Semchenko, Senior Manager of Operations: “As we return to normalcy, I have been looking forward to the team having the opportunity to conduct more physical social engineering tests. With the addition of the Boscloner to their respective utility belts, Raxis now has a HUGE differentiator over the competition.”
    • Adam Fernandez, Lead Developer: “Boscloner opens up a world of opportunities for Raxis as part of our physical social engineering engagements. It’s already an amazing tool for helping our customers secure physical access to their premises, and I’m looking forward to where Raxis will be able to take the product in the coming years.”
    • Scottie Cole, Lead Penetration Tester: “It is great to be working with Boscloner. It is an extremely powerful tool to help us show customers how their physical security can be breached very quickly if they aren’t prepared.”
    • Matt Dunn, Lead Penetration Tester: “The acquisition of Boscloner is another great example of Raxis identifying top tier security tech and utilizing it to help our customers. Staying on top of current threats is paramount in penetration testing, and the Boscloner will continue to allow Raxis to do just that.”
    • Sean Brown, Senior Penetration Tester: “I enjoy working for a company that is always on the hunt for new and innovative tools that will help provide the most comprehensive security test on the market. The Boscloner is the most recent example of Raxis’ investment in new and cutting-edge security technology. As a security consultant for Raxis, I am looking forward to using the Boscloner on my Red Team engagements, as it outperforms any other RFID cloner available on the market.”

    There’s one other reaction that’s worth sharing as well. This one from Phillip Bosco himself. As I said earlier, Phil is a friend, and we enjoy working with him frequently. Here’s what he had to say about the sale of his company to Raxis:

    “As a penetration tester, the Boscloner was built out of necessity to render physical security assessments easier and more streamlined. With the industry leading talents and vision that Raxis brings to the brand, the Boscloner now has a more exciting future than ever before. There is no other group of individuals that I would rather trust with a project that has been as close to my heart as this than the folks at Raxis. I am blessed and grateful for my ongoing personal and professional relationship with this team that has spanned many years. I cannot wait to see the Boscloner grow and transform as it continues on under the direction and leadership of team Raxis.”

    Phil Bosco

    Red teams are Raxis’ flagship offering, and Boscloner is a force multiplier in that space. Acquiring Boscloner allows us to continue Phil Bosco’s innovative vision of bringing next generation RFID attacks to market.  It’s a chance for us to raise the bar for the industry overall and really transform how organizations look at premises security.

    Security is an exciting place to be, and as the team’s enthusiasm demonstrates, we can’t wait to up the ante.


  • A High-Tech Take on an Old-Time Scam

    “There’s not much chance your customers are going to search for you and land on an Albanian copycat site.”

    Raxis VP of Engineering, Brian Tant

    If you get an email warning you that another (usually overseas) company is vying for your brand’s domain name with various country extensions – .cn, .hk, .af, etc. – be assured it’s not someone aiming to help. Instead, they’re most likely scammers trying to convince you to send them money in order to secure your hold on yourbrand.nz before some evil corporation in Uzbekistan snatches it right out from under you.

    As you might expect, people do fall for it and spend hundreds and even thousands of dollars, only to discover that a) the list of country-code domain extensions is practically endless and b) the people they’ve paid won’t actually secure any of them. Fortunately, that last part is mostly a nonissue.

    The truth is, very few US-based companies have a need to own foreign domain extensions unless they have a physical presence in the country. Even then, it may not be necessary unless a competing brand is actively trying to damage your business, in which case most countries have laws in place to prevent such malicious activity.

    Search engines are sophisticated enough now to distinguish between legitimate, established domains and pop-up imitators, so there’s not much chance your customers are going to search for you and land on an Albanian copycat site. 

    Still, the emails can sound very convincing, and, believe it or not, they are really a modern update to a scam that flourished in the late ‘90s and early 2000s. That one involved the Yellow Pages and was made possible because AT&T never trademarked the name or the iconic walking fingers logo. 

    Here’s how it worked: Just days after a new company incorporated or applied for its licenses, an official-looking invoice would arrive from The Yellow Pages. No business wanted to be left out or forced to wait a year to be included, so many quickly filled out their information and sent a check. 

    Weeks later, unfortunate business owners would get another Yellow Pages invoice, this time the local version – the one people actually used. When they called the phone company to complain, they would learn that their first checks had gone to a group that published a perfectly useless national version of the yellow pages. It listed only those businesses that had fallen for the scam and was distributed only to them.

    Word about the faux yellow pages eventually got around and made it much harder to sell. We can only hope the same will be true of the domain name scam. Of course, the great irony here is that the internet has all but made the yellow pages irrelevant to modern businesses. At the same time, it has made possible a high-tech, international version of its most annoying racket.

  • Why Companies Shouldn’t Overlook Mobile Application Testing

    There are apps sold to the general public and ones that are made available by businesses to their customers, as well as proprietary apps used only within organizations. What all of these apps have in common is that, without proper security, they are all vulnerable to attack. And each of those 200 billion downloads represents an ever-expanding pool of potential hackers and victims.

    That’s why conducting penetration tests on mobile applications is one of the most important services we offer here at Raxis. We’ve tested apps for iOS, Android, and Windows phones, using up-to-date devices, jailbroken iPhones, and rooted Android devices, as well as emulators that allow further testing.

    Here are some of the most common issues we find:

    Jailbroken or Rooted Devices

    Ideally, apps should be set up so that they won’t even run on devices that are jailbroken or rooted. People often modify their devices this way to gain more control than the vendor intended, for example to install apps from unofficial stores such as Cydia. The danger is that such apps may enable nefarious activity or steal users’ data.

    Phones that have been jailbroken or rooted are also more exposed to attacks on the operating system itself, possibly giving an attacker control of the device and of the legitimate applications on it. Our strong recommendation to developers is to build into apps the ability to recognize a compromised device and to block access until the device is restored to a supported state. Keep in mind that such checks run on hardware the attacker controls, so they raise the bar rather than remove the risk; the server side of the app still has to treat the client as potentially hostile.

    No SSL Certificate Pinning

    We also find many mobile apps that don’t use certificate pinning (TLS pinning, still widely called SSL pinning). Pinning ties the app to a specific certificate or public key for its API server, or a small set of them, instead of accepting any certificate that chains to one of the many certificate authorities in the device’s trust store. Without it, an attacker who can obtain a certificate the device trusts, for example by installing a CA profile on a phone he controls or on a phone whose owner can be talked into it, can mount a man-in-the-middle (MitM) attack and insert himself into the encrypted traffic between the app and the server. Steering the traffic to him is the easy part: name resolution poisoning, a proxy setting, a rogue Wi-Fi network, or a number of other methods will do.

    The attacker’s certificate then impersonates the API server. He decrypts the application traffic, reads or manipulates it, re-encrypts it, and forwards it to the intended destination, so neither the app nor the server notices. This type of attack not only lets an attacker read both incoming and outgoing traffic (credit card numbers and passwords included), it also lets him change it. Using a typical bank transaction as an example, the attacker could redirect the transfer to his own account instead of yours. Pinning closes this door, with two caveats: the pin set must include a backup so that a routine certificate rotation doesn’t lock out every installed copy of the app, and on a jailbroken or rooted device an attacker with an instrumentation framework can often hook the pinning check out of the app, which is one more reason the previous item matters.
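    To make the pinning check concrete, here is an added example (not Raxis code and not tied to any particular app) of a Python TLS client that pins the server’s certificate by SHA-256 fingerprint on top of the normal chain and hostname validation. The certificate bytes and pins are constructed placeholders; in a real app the pin would be the fingerprint of the API server’s leaf certificate or, better, of its public key, plus a backup pin for rotation.

```python
"""Certificate pinning on top of normal TLS validation (added example)."""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


class PinMismatch(ssl.SSLError):
    """Raised when the server presents a certificate that is not in the pin set."""


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def verify_pin(der_cert: bytes, pins: Iterable[str]) -> bool:
    """True only if the presented certificate matches one of the pinned fingerprints.

    The pin set should hold the current certificate plus at least one backup so a
    routine rotation does not lock every installed client out.
    """
    fp = cert_fingerprint(der_cert)
    # constant-time compare; avoids leaking how many leading hex digits matched
    return any(hmac.compare_digest(fp, pin.lower()) for pin in pins)


def open_pinned_connection(host: str, port: int, pins: Iterable[str],
                           timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect, let the default context do CA and hostname validation, then enforce the pin."""
    ctx = ssl.create_default_context()          # chain + hostname checks stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)     # leaf certificate as sent by the peer
    if not verify_pin(der, pins):
        tls.close()                             # never send application data to an unpinned peer
        raise PinMismatch(f"{host}: certificate {cert_fingerprint(der)} is not pinned")
    return tls


# Constructed placeholders standing in for DER certificate bytes; not real certificates.
GENUINE_CERT = b"constructed-der-bytes-for-api.example"
ATTACKER_CERT = b"constructed-der-bytes-for-mitm-proxy"
PINS = [cert_fingerprint(GENUINE_CERT), "0" * 64]   # current pin plus a placeholder backup


def offline_demo() -> dict:
    """Exercise the check without a network: the MitM certificate must be rejected."""
    return {
        "genuine_accepted": verify_pin(GENUINE_CERT, PINS),
        "mitm_rejected": not verify_pin(ATTACKER_CERT, PINS),
    }


if __name__ == "__main__":
    print(offline_demo())
```

    Pinning the leaf certificate fingerprint, as here, means every certificate renewal needs an app update; pinning the SubjectPublicKeyInfo hash instead survives renewals that keep the same key. Either way, ship at least one backup pin and keep the validation that `create_default_context()` provides, since pinning replaces trust in the CA store, not the rest of the handshake checks.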

    Shared Vulnerabilities

    Not all vulnerabilities are exclusive to mobile applications. We also find many, such as SQL injection (SQLi), that are just as much weak points within web applications. That’s why it’s important to test mobile apps separately from web apps. Even though they may use the same APIs and databases, and the user experience may feel nearly identical, the platform code and environment are different, and a mobile client often sends API calls or parameters that the web front end never exposes. Testing each one ensures that an attacker can’t exploit the app simply by changing platforms.

    Internal Apps

    Raxis has tested apps that are made available for customers as well as proprietary apps that are used within organizations, such as on flights for meal service. We’ve worked with companies that were less concerned with internal apps and proprietary devices because they were only available to employees. In those cases, we explain that personal and proprietary devices could fall into the wrong hands. If an internal mobile device or app runs on a production network, an attacker that gains access to the device is one step closer to accessing company data that may be on that network.

    What You Can Do

    Many of the companies that come to Raxis for mobile tests use that as a marketing tool. They are proud to show potential customers that they have a strong focus on securing their data. So, take a look at the apps on your mobile device. Do you know if they’ve been tested by a company like ours? It’s always a good idea to read an app’s security and privacy information before you download it.

    And remember, if you’re not sure, you can always ask – in public forums or user groups, or even directly to the app developers themselves. If they don’t currently conduct routine penetration testing, your questions might convince them they should.

    *SOURCE: Statista c. 2020

  • Understanding Vulnerability Management

    When an organization gets serious about the security of their environment, I strongly recommend a vulnerability management system as a critical first step. 

    Vulnerability management is a system for continually identifying, prioritizing, remediating, and mitigating software vulnerabilities. It is a must when it comes to your computer and network security. 

    In the video above, I explain what it means to have an effective vulnerability management system in place and why it is so important. 

    Lack of effective vulnerability management is one of the most critical and common findings Raxis uncovers when we perform penetration tests. Without it, companies have no reliable way to make sure that patches are installed and that other security protocols are being followed as a matter of course. 

    If you don’t have a vulnerability management system in place, we can certainly help. We’ll look for the same things we know the bad guys do, and we’ll show you how to implement the security practices that will alert your team to suspicious activity and help stop attacks before they start.

    Raxis is an elite team of professionals who are paid to attack and assess cybersecurity systems. The company’s ethical hackers have successfully breached some of the most sophisticated corporate networks in the US. Contact us today: https://raxis.com/contact

  • Imminent Threat for US Hospitals and Clinics, RYUK Ransomware Alert (AA20-302A) – Updated 11/2/2020

    Earlier this week rumblings were detected of a RYUK attack against US based hospitals and clinics. As the week has progressed, we have started to see this attack unfold.

    On October 29, 2020, a confidential source on the attack described this as an “Increased and Imminent Cybercrime Threat”.

    What we know:

    This appears to be a RYUK ransomware campaign delivered through phishing. Raxis recommends heightened vigilance across all attack vectors and instrumentation.

    Who:

    The attack appears to be targeted at U.S. based hospitals, clinics, and other health care facilities. All health care operations should be on heightened alert for anomalous behavior or other Indicators of Compromise (IOCs).

    When:

    Imminent. As of the time of this writing several US hospitals are already under attack.

    What to do:  
    • Immediately disseminate threat awareness notifications to all users and establish an update cadence to keep them aware of the threat as it continues to evolve.
    • Isolate critical systems where possible.
    • Review Incident Response (IR) plans and confirm accuracy of the plans to the extent possible.
    • Verify systems are patched and up to date.
    • Adjust instrumentation to detect known ransomware IOCs.
    • Use Multi-Factor Authentication (MFA) wherever possible. Consider temporarily enforcing MFA in instances where users have the option of bypassing it.
    • Enforce cybersecurity hygiene, including auditing user accounts with admin privileges and closing all unnecessary ports.
    • Backup all critical data and verify restoration capabilities.
    • Verify endpoint protection measures are up to date and functioning properly.
    Technical details of the attack:
    • The initial insertion point is through a phishing campaign.
    • Typically, RYUK has been deployed as a payload from Trojans such as Trickbot.
    • RYUK actors use common tools to steal credentials. These tools let the actors dump cleartext passwords as well as password hashes that can be cracked offline.
    • Payloads may establish persistence based on DLL injection or other common techniques.
    • RYUK has been known to use scheduled tasks and service creation to maintain persistence.
    • RYUK actors will conduct network reconnaissance using native tools such as Windows Net commands, nslookup, and ping to locate mapped network shares, domain controllers, and Active Directory resources.
    • RYUK actors also use tools such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (MS-RDP) for lateral movement through the network. IT personnel should be on alert for any suspicious traffic on the network.
    • RYUK uses AES-256 to encrypt files and an RSA public key to encrypt the AES key.
    • Actors will attempt to disable or remove security applications on victim systems that might prevent the ransomware from executing. Secondary monitoring on these processes may enhance detection fidelity.
    Updates
    November 2, 2020

    New information has been released specifically around Indicators of Compromise (IOCs). The latest information indicates threat actors are targeting the Healthcare and Public Health (HPH) sector with TrickBot and BazarLoader malware. This malware often leads to ransomware, data theft, and disruption of services. It is typically loaded through malicious links and/or attachments delivered by phishing.

    TrickBot IOC:
    TrickBot often installs an anchor toolset identified as anchor_dns, which creates a backdoor for sending and receiving data from compromised machines using Domain Name System (DNS) tunneling. Anchor_dns obfuscates its communications with a single-byte XOR cipher, observed using the key 0xB9, and carries the encoded data inside DNS request traffic.

    TrickBot copies itself as an executable file with a 12-character randomly generated name and places this file in one of the following directories:

    • C:\Windows
    • C:\Windows\SysWOW64
    • C:\Users\[Username]\AppData\Roaming

    Once the executable is running, it downloads hardware-specific modules from the command and control (C2) servers. These files are placed in the infected host’s %APPDATA% or %PROGRAMDATA% directory.

    The malware uses a scheduled task running every 15 minutes to maintain persistence with the host machine. Reports indicate the tasks typically use the following naming conventions:

    [random_folder_name_in_%APPDATA%_excluding_Microsoft]
    autoupdate#[5_random_numbers] 

    After successful execution, anchor_dns deletes the original sample from disk with commands such as:

    cmd.exe /c timeout 3 && del C:\Users\[username]\[malware_sample]
    cmd.exe /C PowerShell \"Start-Sleep 3; Remove-Item C:\Users\[username]\[malware_sample_location]\"

    The following domains have been associated with anchor_dns:

    • Kostunivo.com
    • chishir.com    
    • mangoclone.com
    • onixcellent.com

    This malware has been known to use the following legitimate domains to test internet connectivity:

    • Api.ipify.org
    • Checkip.amazonaws.com
    • Icanhazip.com
    • Ident.me
    • Ip.anysrc.net
    • Ipecho.net
    • Ipinfo.io
    • Myexternalip.com
    • Wtfismyip.com

    There is also an open-source tracker for TrickBot C2 servers located at https://feodotracker.abuse.ch/browse/trickbot/

     Anchor_dns historically used the following C2 Servers:

    • 23.95.97.59
    • 51.254.25.115
    • 87.98.175.85
    • 91.217.137.37
    • 193.183.98.66

     BazarLoader/BazarBackdoor IOC:

    BazarLoader is typically delivered through phishing emails with the following characteristics:

    • The lure is typically a PDF hosted on an actor-controlled online file hosting service
    • The document often claims that a preview could not be generated and contains a link to a URL hosting the malware payload
    • The emails look routine and usually employ a business pretext
    • Standard social engineering tactics are used in the email content

    The following filenames have been identified for installing BazarLoader:

    • Document_Print.exe
    • Report10-13.exe
    • Report-Review26-10.exe
    • Review_Report15-10.exe
    • Text_Report.exe 

    Bazar activity can be detected by searching system startup folders and the Userinit value under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key for entries such as:

     %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk 

    The following C2 servers are known to be associated with this malicious activity:

    • 5.2.78.118
    • 31.131.21.184
    • 36.89.106.69
    • 36.91.87.227
    • 37.187.3.176
    • 45.148.10.92
    • 45.89.127.92
    • 46.28.64.8
    • 51.81.113.25
    • 62.108.35.103
    • 74.222.14.27
    • 86.104.194.30
    • 91.200.103.242
    • 96.9.73.73
    • 96.9.77.142
    • 103.76.169.213
    • 103.84.238.3
    • 104.161.32.111
    • 105.163.17.83
    • 107.172.140.171
    • 131.153.22.148
    • 170.238.117.187
    • 177.74.232.124
    • 185.117.73.163
    • 185.68.93.17
    • 185.90.61.62
    • 185.90.61.69
    • 195.123.240.219
    • 195.123.242.119
    • 195.123.242.120
    • 203.176.135.102
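
    The indicators above are only useful if something looks for them. As an added example (not part of the advisory and not a Raxis tool), the following script sweeps a handful of constructed endpoint log lines for the anchor_dns domains and C2 addresses, the BazarLoader dropper filenames and C2 addresses, the TrickBot drop-directory and scheduled-task patterns, and the adobe.lnk startup entry, and includes the single-byte XOR decoder for anchor_dns traffic. The log format, the hostnames and the sample lines are invented; the assumption that a TrickBot copy’s 12-character name is alphanumeric is mine, not the advisory’s.

```python
"""Sweep constructed endpoint logs for the TrickBot, anchor_dns and BazarLoader
indicators listed in the advisory text above (added example; log format invented)."""
import re
from dataclasses import dataclass
from typing import Dict, List

ANCHOR_DNS_DOMAINS = {"kostunivo.com", "chishir.com", "mangoclone.com", "onixcellent.com"}
CONNECTIVITY_DOMAINS = {"api.ipify.org", "checkip.amazonaws.com", "icanhazip.com", "ident.me",
                        "ip.anysrc.net", "ipecho.net", "ipinfo.io", "myexternalip.com", "wtfismyip.com"}
ANCHOR_DNS_C2 = {"23.95.97.59", "51.254.25.115", "87.98.175.85", "91.217.137.37", "193.183.98.66"}
BAZAR_C2 = set("""5.2.78.118 31.131.21.184 36.89.106.69 36.91.87.227 37.187.3.176 45.148.10.92
    45.89.127.92 46.28.64.8 51.81.113.25 62.108.35.103 74.222.14.27 86.104.194.30 91.200.103.242
    96.9.73.73 96.9.77.142 103.76.169.213 103.84.238.3 104.161.32.111 105.163.17.83 107.172.140.171
    131.153.22.148 170.238.117.187 177.74.232.124 185.117.73.163 185.68.93.17 185.90.61.62
    185.90.61.69 195.123.240.219 195.123.242.119 195.123.242.120 203.176.135.102""".split())
BAZAR_FILENAMES = {"document_print.exe", "report10-13.exe", "report-review26-10.exe",
                   "review_report15-10.exe", "text_report.exe"}
STARTUP_LNK = r"\microsoft\windows\start menu\programs\startup\adobe.lnk"
TASK_NAME_RE = re.compile(r"^autoupdate#\d{5}$", re.IGNORECASE)
# 12-character executable in one of the three drop directories (assumption: alphanumeric name)
TRICKBOT_DROP_RE = re.compile(
    r"^c:\\(?:windows(?:\\syswow64)?|users\\[^\\]+\\appdata\\roaming)\\[a-z0-9]{12}\.exe$", re.IGNORECASE)
XOR_KEY = 0xB9   # anchor_dns single-byte XOR key


@dataclass
class Finding:
    line_no: int
    severity: str    # high, medium or low
    rule: str
    indicator: str


def _fields(line: str) -> Dict[str, str]:
    """Parse '<ts> <type> k=v k=v ...'; values may contain spaces but never '='."""
    parts = line.split(maxsplit=2)
    kv = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[2])) if len(parts) == 3 else {}
    kv["_type"] = parts[1] if len(parts) > 1 else ""
    return kv


def _in_domains(qname: str, domains: set) -> bool:
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def scan(lines: List[str]) -> List[Finding]:
    out: List[Finding] = []
    for no, line in enumerate(lines, 1):
        f = _fields(line)
        kind, hit = f["_type"], None
        if kind == "dns":
            if _in_domains(f.get("qname", ""), ANCHOR_DNS_DOMAINS):
                hit = ("high", "anchor_dns C2 domain", f["qname"])
            elif _in_domains(f.get("qname", ""), CONNECTIVITY_DOMAINS):
                hit = ("low", "connectivity check domain (benign alone)", f["qname"])
        elif kind == "netflow" and f.get("dst") in BAZAR_C2 | ANCHOR_DNS_C2:
            hit = ("high", "known C2 address", f["dst"])
        elif kind == "process":
            image = f.get("image", "")
            if image.rsplit("\\", 1)[-1].lower() in BAZAR_FILENAMES:
                hit = ("medium", "BazarLoader dropper filename", image)
            elif TRICKBOT_DROP_RE.match(image):
                hit = ("medium", "TrickBot-style copy in drop directory", image)
        elif kind == "schtask" and TASK_NAME_RE.match(f.get("name", "")):
            hit = ("medium", "TrickBot scheduled task name", f["name"])
        elif kind == "file" and f.get("path", "").lower().endswith(STARTUP_LNK):
            hit = ("high", "Bazar startup persistence", f["path"])
        if hit:
            out.append(Finding(no, *hit))
    return out


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo anchor_dns's single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


# Constructed sample: one infected workstation (WS01) and one clean one (WS02).
SAMPLE_LOG = r"""
2020-11-02T10:01:07Z dns host=WS01 qname=a1f3.kostunivo.com qtype=TXT
2020-11-02T10:01:09Z dns host=WS01 qname=api.ipify.org qtype=A
2020-11-02T10:02:30Z netflow host=WS01 dst=195.123.242.120 dport=443
2020-11-02T10:03:12Z process host=WS01 image=C:\Users\jdoe\Downloads\Report-Review26-10.exe
2020-11-02T10:03:40Z process host=WS01 image=C:\Windows\SysWOW64\kqwmzcbjtlxr.exe
2020-11-02T10:04:00Z schtask host=WS01 name=autoupdate#48213 interval=15m
2020-11-02T10:04:05Z file host=WS01 path=C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk
2020-11-02T10:05:00Z netflow host=WS02 dst=10.20.30.40 dport=443
2020-11-02T10:05:01Z process host=WS02 image=C:\Program Files\Git\bin\git.exe
""".strip().splitlines()


def scan_sample() -> List[Finding]:
    return scan(SAMPLE_LOG)
```

    The connectivity-check domains are deliberately scored low: they are legitimate services, and a hit on one of them only means something when it sits next to a C2 domain, a drop-directory executable or the adobe.lnk entry on the same host, as it does for WS01 here. Filenames are likewise weak on their own, which is why the address and persistence indicators carry the high severity.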
  • Why Network Segmentation is a Best Security Practice

    Let’s talk network segmentation. In this brief video, I’ll explain network segmentation from a hacker’s point of view and show you more ways it can protect your company. The bottom line is that separating your cattle, horses, and pigs makes it much easier to keep the wolves away.

    At a very basic level, network segmentation is like keeping your cattle in the pasture, your horses in the stable, and your pigs in the pen. In this case, the various animals might represent different business groups, geographic areas, and/or device types. 

    The idea is that you’re slicing your network into smaller, more manageable groups of users and/or devices. And there are lots of good reasons why you should: Network segmentation can be used to optimize network traffic or improve network performance. Properly implemented, it also can facilitate effective monitoring, inform compliance requirements, and better contain network issues when they arise.

    But one of the most important reasons, in my view, is that a segmented network can be far more secure.

    As an example, IP telephony systems often ride on standard network protocols, and, comparatively speaking, it’s easier to gain access to a phone than it is to a network jack. If the phone network isn’t properly segmented from the production network, a hacker might use it as a bridgehead to reach more sensitive network resources. Security concerns aside, IP telephony is also sensitive to latency. Segmenting it from high-traffic systems minimizes congestion and increases its reliability.
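    To show what “properly segmented” means in concrete terms, here is an added example (not from the video and not Raxis’s own tooling) of a default-deny inter-VLAN policy evaluated in Python with the standard ipaddress module. The subnets, the call manager address, the port ranges and the phone IP are assumptions chosen for the illustration; `bridgehead_check` plays the attacker who has plugged into a phone’s network drop and asks what the policy still lets him reach.

```python
"""Default-deny inter-segment policy check (added example; addressing is invented)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed segments; each is a VLAN with its own subnet.
ZONES = {
    "voice":   ipaddress.ip_network("10.10.0.0/16"),   # IP phones
    "users":   ipaddress.ip_network("10.20.0.0/16"),   # workstations
    "servers": ipaddress.ip_network("10.30.0.0/24"),   # production servers
    "mgmt":    ipaddress.ip_network("10.99.0.0/24"),   # admin jump hosts
}
CALL_MANAGER = "10.30.0.5"   # assumption: the only server the phones legitimately need


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst: str                  # zone name or a single host address
    proto: str                # "tcp", "udp" or "any"
    ports: Tuple[int, int]    # inclusive destination port range


# Allow-list evaluated top to bottom; anything unmatched is denied.
RULES = [
    Rule("voice", CALL_MANAGER, "tcp", (5060, 5061)),    # SIP signalling
    Rule("voice", CALL_MANAGER, "udp", (10000, 20000)),  # RTP media (assumed range)
    Rule("users", "servers", "tcp", (443, 443)),         # web front ends only
    Rule("mgmt", "servers", "tcp", (22, 22)),            # SSH from jump hosts
    Rule("mgmt", "voice", "tcp", (22, 22)),              # phone administration
]


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """Decide one flow between segments. Same-zone traffic is switched locally and not filtered here."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False                      # unknown addresses never pass
    if src_zone == dst_zone:
        return True
    for r in RULES:
        if r.src_zone != src_zone or r.proto not in ("any", proto.lower()):
            continue
        if not r.ports[0] <= port <= r.ports[1]:
            continue
        if r.dst == dst_zone or r.dst == str(ipaddress.ip_address(dst)):
            return True
    return False


def bridgehead_check(phone_ip: str = "10.10.5.7") -> dict:
    """What an attacker plugged into a phone's network drop can reach under this policy."""
    return {
        "sip_to_call_manager": is_allowed(phone_ip, CALL_MANAGER, "tcp", 5060),
        "smb_to_file_server": is_allowed(phone_ip, "10.30.0.10", "tcp", 445),
        "rdp_to_workstation": is_allowed(phone_ip, "10.20.1.9", "tcp", 3389),
        "ssh_to_call_manager": is_allowed(phone_ip, CALL_MANAGER, "tcp", 22),
    }
```

    Whether the real network enforces this is exactly what a test from the phone VLAN checks: take a phone’s drop or its PC passthrough port and try the flows in `bridgehead_check`. If SMB or RDP succeed, the policy exists on paper only.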

    Improper or non-existent network segmentation is just one of the most common vulnerabilities our team has seen regularly over the course of thousands of penetration tests. For some other frequent missteps we find, check out these videos and subscribe to our channel.

    Ready to find out how secure your network really is? Reach out to us and let’s discuss your needs and how we can help.

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.

    Want to learn more? Take a look at the next part of our Common Vulnerabilities discussion.

  • Monitor. Detect. Alert. It’s worth the effort.

    Let’s talk about monitoring and alerting. 

    First – what is it? Simply put, monitoring and alerting is the ability to detect a suspicious incident and notify the appropriate team members who can decide what type and level of response is necessary.

    However, your monitoring and alerting system isn’t a set-it-and-forget-it component of your overall cybersecurity posture. It’s not quick and easy, but it is essential. Without properly tuned filters and someone who knows how to digest the information and react appropriately, malicious actors can slip inside your network without your knowledge. 

    As Brian discusses, monitoring and alerting take time, experience, and ongoing testing to get right. 

    At Raxis, our penetration testing not only tests for vulnerabilities, but we also test a company’s ability to detect an attack or exploit attempt. When we test, we do so in an escalating manner that allows us to determine at what threshold detection occurs. This in turn allows our clients to see how effective (or not) their monitoring is and modify their protocols accordingly.
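    As an added illustration (example code, not part of the original post or a Raxis tool) of why a detection threshold has to be tested rather than assumed, here is a sliding-window failed-logon detector run over a constructed authentication log with two sources: one trying a password every two seconds and one every thirty seconds. With the common setting of five failures in sixty seconds, only the noisy source alerts; the slow source is exactly what an escalating test is meant to surface, and the tuned run shows a threshold that catches it. The log format, addresses and timestamps are invented.

```python
"""Sliding-window failed-logon detector over constructed log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed log format: "<iso8601>Z auth result=<ok|fail> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+)Z auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


class FailedLogonDetector:
    """Alert once per source when failures within the window reach the threshold."""

    def __init__(self, threshold: int = 5, window_seconds: int = 60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.failures = defaultdict(deque)   # src -> timestamps of failures inside the window
        self.alerted = set()

    def feed(self, line: str) -> Optional[str]:
        m = LINE_RE.match(line)
        if m is None or m["result"] != "fail":
            return None                      # malformed lines and successes are ignored
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = self.failures[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return f"ALERT {ts.isoformat()} src={src} {len(q)} failed logons in {self.window.seconds}s"
        return None


def run(lines: List[str], **detector_args) -> List[str]:
    d = FailedLogonDetector(**detector_args)
    return [alert for alert in (d.feed(line) for line in lines) if alert]


def constructed_log() -> List[str]:
    """Two attackers against one host: a fast one and a low-and-slow one."""
    base = datetime(2020, 11, 2, 9, 0, 0)
    lines = []
    for i in range(8):      # 203.0.113.9: one failure every 30 s
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()}Z auth result=fail user=admin src=203.0.113.9")
    for i in range(10):     # 198.51.100.7: ten failures in 20 s
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()}Z auth result=fail user=jdoe src=198.51.100.7")
    lines.append(f"{(base + timedelta(seconds=25)).isoformat()}Z auth result=ok user=jdoe src=198.51.100.7")
    return sorted(lines)    # ISO timestamps sort chronologically


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print("default", alert)
    for alert in run(SAMPLE_LOG, threshold=3, window_seconds=120):
        print("tuned  ", alert)
```

    The point of the escalating test is the gap between the two runs: the slow source never reaches five failures inside any sixty-second window, so the default rule stays silent no matter how long it keeps going. Widening the window and lowering the count closes that gap, at the cost of more noise from forgetful users, and only testing tells you where the right balance is for a given environment.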

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.

    Want to learn more? Take a look at the next part of our Common Vulnerabilities discussion.