Category: Security Recommendations

  • How to Pull Off a Mousejacking Attack

    What’s an easy, effective and potentially devastating cyberattack . . . that’s also named for a rodent?

    If you guessed mousejacking, you are a star student today. 

    A mousejacking attack occurs when an attacker scans for the wireless transmissions sent from your wireless mouse to the USB dongle plugged into your computer. These transmissions from a mouse contain data that describes the mouse’s actions. When an attacker is able to scan and find these transmissions, they may also be able to quickly intercept and, with a few quick keystrokes and clicks, impersonate the mouse and begin sending their own malicious commands through the wireless dongle and into the computer. 

    Users may see a brief pop-up screen with code, but things return to normal quickly, and many times they don’t think it’s significant enough to notify their security team.

    To add a little insult to injury, an attacker doesn’t even have to be in the building or in close proximity to the workstation to pull this off. They can be in your parking lot or maybe that park across the street.

    Now, there are a lot more technical things that go into it, so take a look at the video above to learn the details.

    So how do you prevent a mousejacking attack? Since this attack can only occur on workstations that are unlocked and running, remember (and remind your colleagues) to always lock your station if you are walking away or not actively working on it. Also, let your colleagues in IT security know about anything suspicious you see. Trust me, they want to know.

    Remember, it only takes a few minutes for attackers to get into your network and start causing trouble.

    Please share this blog and video with your team so they know what to look for and how quickly it can happen, and encourage them to report it immediately. 

    With years of penetration testing and general mischief making behind us, we at Raxis have learned that there is always a way in. And we can find it. Our team of experts is ready to help you and your organization find its weaknesses and strengthen your security. Talk with our team today.

  • Sudo Privilege Escalation Vulnerability Discovered

    Summary

    Qualys recently discovered a heap-based buffer overflow in the sudo utility, which is in use on almost all Unix-based operating systems.* This vulnerability (CVE-2021-3156) can be exploited by any user, even one who is not in the sudoers file, and has been present since the vulnerable code was introduced in July 2011.

    Affected Versions

    Any operating system using one of the following sudo versions is vulnerable:

    • All legacy versions from 1.8.2 to 1.8.31p2
    • All stable versions from 1.9.0 to 1.9.5p1

    This includes most major operating systems such as Ubuntu, RHEL, Debian, Fedora, etc. that have these versions of sudo installed. Qualys was able to develop exploits specifically for Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2), but any operating system using the vulnerable versions of sudo should be considered vulnerable.

    Testing for the Vulnerability

    In addition to checking the sudo version, Qualys provided a simple way to test whether a system is vulnerable. To test an individual system, perform the following steps:

    1. Log in to the system as a non-root user.
    2. Run the command sudoedit -s /
    3. If the system is vulnerable, it will respond with an error that starts with sudoedit:
    4. If the system is patched, it will respond with an error that starts with usage:
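    The version ranges and the sudoedit test above, combined into one shell check. This is an added example, not code from the Raxis post or the Qualys advisory; the function names are this example's own, and the live check assumes sudo is installed and is run as a non-root user.

```shell
#!/bin/sh
# Added example: a defender's check for CVE-2021-3156 built from the two
# indicators the post gives (sudo version range and the "sudoedit -s /" test).
# Function names are this example's own; the live check assumes sudo is installed.

# Return 0 if sudo version $1 (e.g. "1.8.31p2") is inside the ranges the post lists:
#   legacy 1.8.2 .. 1.8.31p2 and stable 1.9.0 .. 1.9.5p1
sudo_version_vulnerable() {
  v=$1
  base=${v%%p*}              # "1.8.31p2" -> "1.8.31"
  patch=${v#"$base"}         # -> "p2"
  patch=${patch#p}           # -> "2" (empty when there is no patch suffix)
  [ -z "$patch" ] && patch=0
  major=$(echo "$base" | cut -d. -f1)
  minor=$(echo "$base" | cut -d. -f2)
  micro=$(echo "$base" | cut -d. -f3)
  [ -z "$micro" ] && micro=0
  [ "$major" -eq 1 ] 2>/dev/null || return 1
  case "$minor" in
    8)  # 1.8.2 <= v <= 1.8.31p2
        [ "$micro" -ge 2 ] || return 1
        [ "$micro" -lt 31 ] || { [ "$micro" -eq 31 ] && [ "$patch" -le 2 ]; } ;;
    9)  # 1.9.0 <= v <= 1.9.5p1
        [ "$micro" -lt 5 ] || { [ "$micro" -eq 5 ] && [ "$patch" -le 1 ]; } ;;
    *)  return 1 ;;
  esac
}

# Classify the first line printed by "sudoedit -s /" as the post describes:
# an error starting "sudoedit:" means the -s flag was accepted (vulnerable),
# one starting "usage:" means the patched argument check rejected it.
classify_sudoedit_output() {
  case "$1" in
    sudoedit:*) echo vulnerable ;;
    usage:*)    echo patched ;;
    *)          echo unknown ;;
  esac
}

# Live check of this host: compare the installed version, then run the test.
check_this_host() {
  ver=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1)
  if [ -n "$ver" ]; then
    if sudo_version_vulnerable "$ver"; then
      echo "sudo $ver: version is in a vulnerable range"
    else
      echo "sudo $ver: version is outside the vulnerable ranges"
    fi
  fi
  first=$(sudoedit -s / 2>&1 | head -n 1)
  echo "sudoedit test: $(classify_sudoedit_output "$first")"
}

# Only touch the live system when explicitly asked: ./check_sudo.sh --live
if [ "${1:-}" = "--live" ]; then
  check_this_host
fi
```

    Both indicators should agree; a version inside the range but a "usage:" response usually means a vendor backported the fix without bumping the version string, so check the distribution's advisory before closing the finding.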

    Remediation

    Raxis recommends patching any affected operating system using the vulnerable sudo versions. A list of advisories with links to patches that remediate the vulnerability from various operating system vendors is below:

    * https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

  • Cisco Patches Critical Security Vulnerabilities

    Affected Products

    The critical and high-severity vulnerabilities that were patched affect many products across Cisco’s product line including:

    • Cisco SD-WAN
    • Cisco DNA Center Command Runner
    • Cisco DNA Center
    • Cisco Smart Software Manager Satellite Web UI
    • Cisco Data Center Network Manager
    • Cisco Finesse OpenSocial Gadget Editor
    • Cisco Secure Web Appliance
    • Cisco Advanced Malware Protection for Endpoints and Immunet for Windows
    • Cisco Umbrella Dashboard

    For a complete list of affected products, check Cisco’s Security Center.

    The Vulnerabilities Addressed

    The patches addressed numerous CVEs (Common Vulnerabilities and Exposures), including serious threats such as command injection, SQL injection, DLL hijacking, cross-site request forgery, directory traversal, and more. Some of the most critical, such as a buffer overflow in SD-WAN, allow unauthenticated remote code execution as the root user and should be patched immediately. Cisco does not believe these were being actively exploited in the wild, but they should nonetheless be treated seriously and patched without delay.

    Remediation

    Cisco recommends patching all affected products as soon as possible as there are no current workarounds to the newly released critical vulnerabilities. A full list of Cisco’s recent security advisories is also available from the company’s security center.

    Does your company have a vulnerability management plan in place? Take a look at this video as Raxis’ CTO Brian Tant explains why you should.

  • Understanding Vulnerability Management

    When an organization gets serious about the security of their environment, I strongly recommend a vulnerability management system as a critical first step. 

    Vulnerability management is a system for continually identifying, prioritizing, remediating, and mitigating software vulnerabilities. It is a must when it comes to your computer and network security. 

    In the video above, I explain what it means to have an effective vulnerability management system in place and why it is so important. 

    Lack of effective vulnerability management is one of the most critical and common findings Raxis uncovers when we perform penetration tests. Without it, companies have no reliable way to make sure that patches are installed and that other security protocols are being followed as a matter of course. 

    If you don’t have a vulnerability management system in place, we can certainly help. We’ll look for the same things we know the bad guys do, and we’ll show you how to implement the security practices that will alert your team to suspicious activity and help stop attacks before they start.

    Raxis is an elite team of professionals who are paid to attack and assess cybersecurity systems. The company’s ethical hackers have successfully breached some of the most sophisticated corporate networks in the US. Contact us today: https://raxis.com/contact

  • The Most Important Cybersecurity Lessons of 2020

    At the close of a year that turned our world upside down, it’s more than fair to wonder and worry about what 2021 might bring. Even as we pray for health, prosperity, and peace, cybersecurity professionals understand that these blessings will remain under constant attack by malicious actors for whom every upheaval in our lives is an opportunity to strike. 

    Despite the high-profile breach of SolarWinds and ongoing attacks from state-sponsored actors, I believe the COVID-19 pandemic best illustrates that point in a couple of different ways. Here’s why: In 2020, companies worldwide asked their teams to work remotely all or part of the time. But not all of them had appropriate security protocols in place beforehand, leaving their networks vulnerable to attackers as they made the transition. 

    I’m not suggesting that business owners (or even health professionals) should have predicted the arrival of the novel coronavirus, but there are any number of natural and manmade disasters that can force us out of our offices. We all need to have a continuity plan – and cybersecurity should certainly be one of its guiding principles. 

    For those who did have a plan, now is the time to ask if it was followed correctly and if it worked effectively. I strongly encourage CEOs and business owners to include your infosec teams in these discussions and perhaps have them take the lead. More importantly, listen and act on their recommendations because the new normal will come with new challenges for all of us. 

    Assuming that the US and other nations are able to contain the spread of COVID (as we hope and expect), some companies will ask their workers to return to an office environment, some will make the remote model a permanent feature, and still others will adopt a hybrid approach that features elements of both. Safety and productivity are the factors that will most likely (and appropriately) drive those decisions. But effective cybersecurity measures should be a non-negotiable feature regardless of the workplace model.

    Not to turn this post into a commercial, but Raxis (and some other pen-testing companies) can be of great help in this process. That’s because we understand where attackers are most likely to focus their efforts and thus where your company is most vulnerable. We speak the same language as your infosec team, so we can work with them to come up with a plan that gives you the most flexibility to meet your business needs, but still keeps you and your network safe from attackers.

    My hope is that an enduring lesson from the COVID-19 experience (and other events in 2020) is that more organizations need to take a proactive approach to cybersecurity. Though we can’t predict who will be breached and when, we know for certain that the attacks will continue indefinitely. And while we don’t know when a global or local disaster will disrupt our operations, we should be ready to respond swiftly and securely if it does.

    Here’s to a safe, secure, and prosperous new year for your business. At Raxis, our business is helping you stay that way.

  • SolarWinds Supply Chain Attack – Updated 12/18/2020

    On December 8, 2020, FireEye disclosed that it had been breached by a sophisticated threat actor that had accessed some of its internally developed red team tools. On December 12, FireEye disclosed that this access, and access to many other companies, was accomplished through a supply chain attack against SolarWinds, a monitoring product that is deployed across a myriad of other organizations in the public and private sectors.

    What we know: SolarWinds’ Orion Platform versions 2019.4 HF 5 through 2020.2.1, released between March and June 2020, were affected by the supply chain attack. At present, we believe other versions are not affected.

    Who was affected: In addition to FireEye, anyone running these SolarWinds versions should assume they have been compromised and should take immediate action to mitigate this exposure.

    What to do:
    • Power down any SolarWinds Orion products that are running or have run versions 2019.4 HF 5 through 2020.2.1.
    • Upgrade to the SolarWinds Orion Platform version 2020.2.1 HF 1 immediately.
    • On Tuesday December 15, 2020, upgrade to SolarWinds Orion Platform version 2020.2.1 HF 2. This is a critical release that addresses the exposure.
    • If your company has used the affected versions, assume that the network has been breached and implement applicable incident response processes.
    • This was a far-reaching attack perpetrated by highly skilled threat actors. Evidence of the attack may be hard to detect, and Indicators of Compromise (IOCs) may change over time as more information becomes available.

    How did this happen:

    SolarWinds was the victim of a sophisticated supply chain attack. Supply chain attacks target components that are trusted by their users in order to gain a foothold within an organization, product, or other target. This can happen to in-house software components, third-party libraries, or even in the manufacturing of devices. How the attack was deployed via the SolarWinds platform remains unclear, but multiple payloads were delivered via digitally signed updates from SolarWinds from March to May 2020 through the SolarWinds.Orion.Core.BusinessLayer.dll.

    Technical Details:
    • The trojan placed on the system lies dormant for up to two weeks before making a DNS request to avsvmcloud[.]com to get the details of a Command and Control (C2) server.
    • Further communications with the C2 server masquerade as SolarWinds API traffic.
    • The trojan downloads multiple types of payloads, including a memory-only dropper that FireEye has named “TEARDROP.” A Cobalt Strike Beacon payload has also been detected.
    • After gaining a foothold, the attacker used remote access and conducted lateral movement using legitimate account credentials to establish persistence and launch ongoing attacks.
    • The attack prioritizes stealth and persistence, only using hostnames enumerated within the target environment and restricting traffic to mostly IP addresses from the target’s country.
    • The attacker modifies files and scheduled tasks to drive remote execution and later reverts them back to their original contents in order to evade detection.

    FireEye has released countermeasures for these threats, including Snort and Yara rules. For more specific details on the delivered malware, how it avoided detection, and other threat signatures, see the FireEye blog post detailing the attack.
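    A defender's sweep of DNS query logs for the C2 lookup described in the technical details above. This is an added example, not code from the Raxis post or FireEye's published rules; the log format and the hostnames in it are constructed, and only the avsvmcloud[.]com domain comes from the post.

```shell
#!/bin/sh
# Added example, not from the Raxis post or FireEye's countermeasures: sweep a
# DNS query log for lookups of avsvmcloud[.]com, the domain the post names as the
# trojan's first C2 contact. Log format and hostnames below are constructed.

# Constructed sample log, one query per line: "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_DNS_LOG='2020-06-02T10:15:01Z 10.1.2.3 A wsus.corp.example
2020-06-02T10:15:07Z 10.1.2.3 A example-host.appsync-api.eu-west-1.avsvmcloud.com
2020-06-02T10:16:41Z 10.1.2.9 AAAA avsvmcloud.com.lookalike.example
2020-06-02T10:17:02Z 10.1.2.5 A update.solarwinds.example
2020-06-02T10:18:00Z 10.1.2.3 A notavsvmcloud.com
2020-06-02T10:19:30Z 10.1.2.7 A avsvmcloud.com.'

# Print "<client-ip> <qname>" for every query whose name is avsvmcloud.com or a
# subdomain of it. The match is anchored on a label boundary, so lookalikes such
# as notavsvmcloud.com or avsvmcloud.com.something.example are not flagged.
flag_sunburst_dns() {
  printf '%s\n' "$1" | awk '
    {
      name = tolower($4)
      sub(/\.$/, "", name)           # drop a trailing root dot
      if (name == "avsvmcloud.com" || name ~ /\.avsvmcloud\.com$/)
        print $2, name
    }'
}

# Number of distinct internal clients that made such a lookup; per the post,
# each of these hosts should be treated as compromised and handed to IR.
count_flagged_clients() {
  flag_sunburst_dns "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

flag_sunburst_dns "$SAMPLE_DNS_LOG"
echo "clients to investigate: $(count_flagged_clients "$SAMPLE_DNS_LOG")"
```

    Because the implant waits up to two weeks before its first lookup, the sweep needs to cover DNS logs going back to the installation date of the affected Orion build, not just recent history.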

    Updates

    December 18, 2020

    Who was affected:

    In addition to FireEye, Microsoft confirmed that its systems were affected by the SolarWinds breach and has helped identify an additional 40+ customers of its own that have been affected. [1]

    Additionally, RedDrip7 and Bambenek have put forth research into DNS records and other Indicators of Compromise to help people determine whether they have been compromised. [2]

    However, anyone running these SolarWinds versions should still assume they have been compromised and should take immediate action to mitigate this exposure.

    [1] https://www.bleepingcomputer.com/news/security/microsoft-identifies-40-plus-victims-of-solarwinds-hack-80-percent-from-us/

    [2] https://github.com/bambenek/research/tree/main/sunburst

  • So, I Hacked a Tesla . . .

    Tesla deserves great credit for bringing electric vehicles into the mainstream. Say what you will about Elon Musk, his vision is proving wildly successful in a space where many others have failed.

    Even so, if the two of us could have a conversation, I’d probably recommend that the company invest more time and resources in cybersecurity for its vehicles. 

    Here’s why:

    Recently I decided to see how easy it would be for my personal Tesla to be hacked — and stolen. As you will see in the video below, with some commonly used tactics, it was relatively quick and easy. 

    The attack demonstrated in the video relies on phishing to get the victim’s credentials. At that point, the hacker has complete control and can do pretty much whatever they wish — including unlocking the car and driving away. 

    The video demonstrates why, if you’re not careful, your Tesla could be compromised and stolen without a lot of effort from the attacker. 

    Until the company itself adds more protection, it’s up to you to take some basic precautions. By the way, it’s wise to follow these practices no matter if it’s your Tesla, your bank account, your Twitter feed, or any online account.

    • Stay vigilant and question any WiFi network that asks you to connect.
    • Never give account information, credentials, or access tokens to a third party unless it is absolutely necessary.
    • Every account you create should have a unique and strong password. Every. Single. Account.
    • If your account is compromised, immediately reset your password and let the company or companies know.

    Here at Raxis, we offer a broad range of services to help find security vulnerabilities within your organization. And though a typical penetration test would not uncover this type of vulnerability, a Raxis red team assessment could. 

    Our red team assessments test your organization’s security from top to bottom and end to end to uncover any way your network can be compromised by a skilled and determined attacker. If you are ready to take control of your company’s security, contact us and let us see how we can help.

  • Five Red Flags for Black Friday

    ‘Tis the shopping season! First up, Black Friday, followed by Shop Local Saturday, Cyber Monday, and all the shopping days that follow.

    Did you wake up early to stretch out your “add to cart” fingers so you can snag that hard-to-find, hot item of the season at a discounted price? Planning on heading out to that cute little boutique next to your office during lunch? 

    Before you do, there are a few things you need to remember. Most important is that cybergrinches are out there year-round, just waiting for the perfect opportunity to steal your holiday joy. The holiday season is big business for them, and they are waiting for you to drop your guard. (And, no, they don’t care if it lands them on the naughty list.)

    In the video above, I detail five red flags you should look out for on Black Friday — and all the other shopping days of the year. I’m hopeful these tips will help keep you and your company’s network secure this holiday season.

    Let’s review: if you are going to be holiday shopping in the coming weeks, it is imperative that you take the proper precautions to keep yourself and your company secure.

    • Don’t click on links within emails, and be very suspicious of any emails that discuss your credit cards or bank accounts.
    • Be wary of phone calls seeking donations to various charities. Be vigilant, and do your research on the charity. Even then, donate directly, not from the email.
    • If you are out shopping on your lunch break or after work, make sure your work badge is in a protective sleeve to help prevent cloning.
    • Strangers are still strangers in the holiday season. Make sure everyone in your building and anyone trying to get in has the proper credentials to be there – or that they have an escort.
    • Stay vigilant with your security practices, even when your office is short-staffed. When we get busy, it’s easy to skip locking computers and returning sensitive documents to a secure location. Take the extra few seconds to do cybersecurity right.

    Raxis is an elite team of professionals who are paid to attack and assess cybersecurity systems. We can help you pinpoint security threats and find ways to remediate them leaving your company far more secure and giving you additional peace of mind.  

    Ready to find out how secure your network really is? Reach out to us, and let’s discuss your needs and how we can help.

  • Why you should turn off Cisco Smart Install now

    In this video, I explain how Cisco Smart Install can leave you and your company vulnerable if it is left on. (Helpful hint: Cisco Smart Install is often on by default, so watch this and then go check your network).

    Network admins are surely familiar with Cisco Smart Install – the handy plug-and-play configuration and management feature that offers zero-touch deployments. 

    And though Cisco is known for security, and the Smart Install feature has some great benefits – such as allowing you to easily deploy network switches in a Cisco environment with no assistance from a network admin – it also can be a security risk if you leave it turned on. Whether by design or default, I find a lot of cases where it’s left on, but none where it’s actually in use at that time. For a penetration tester, that’s a key finding.

    Have you checked your network to see if Cisco Smart Install is on? It was, wasn’t it? And, you did turn it off, right?

    If so, you closed off a simple but often effective door for hackers. 

    Raxis is an elite team of professionals who are paid to attack and assess cybersecurity systems. We can help you pinpoint security threats and find ways to remediate them leaving your company more secure than we found it.  

    Ready to find out how secure your network really is? Reach out to us and let’s discuss your needs and how we can help.

  • A Herring Haunting at Curriculaville Next Wednesday

    To me, the scariest movies are ones where the ghost/monster/alien turns out to be someone we’ve come to know and trust. The same thing is often true with cyberthreats – the people who can do the most damage to your organization, whether intentionally or not, are your own employees. During Raxis red team engagements, company employees are one of the most reliable ways we have to gain access to the corporate network.

    Believe me, after thousands of penetration tests over the years, Raxis has lots of stories – and I intend to tell some.

    Next Wednesday, our friends at Curricula, an Atlanta-based cybersecurity training company, will launch their first annual “Curriculaville” remote cybersecurity summit. The free, one-day event starts at 11 AM and will feature a number of experts from the information security space. I’m proud to represent the Raxis team as part of a panel discussion entitled “Scary Security Stories” that will begin at 1 PM.

    This is the time of year for tales that send chills up your spine and raise goosebumps on your skin. If you haven’t trained your employees properly and put effective cyber defenses in place, well . . . let’s just say you might be in for quite a fright.

    The good news is that Raxis stories usually have happy endings. We might steal some passwords and take over your domain, but 99% of the time, we leave your soul intact. And, we’ll show you how to avoid the real bad guys who will take that and more if they can.

    Please check out the link and sign up for this informative, educational event at Curriculaville. After all, hearing our scary stories might just keep you from living one of your own.

  • Why Network Segmentation is a Best Security Practice

    Let’s talk network segmentation. In this brief video, I’ll explain network segmentation from a hacker’s point of view and show you more ways it can protect your company. The bottom line is that separating your cattle, horses, and pigs makes it much easier to keep the wolves away.

    At a very basic level, network segmentation is like keeping your cattle in the pasture, your horses in the stable, and your pigs in the pen. In this case, the various animals might represent different business groups, geographic areas, and/or device types. 

    The idea is that you’re slicing your network into smaller, more manageable groups of users and/or devices. And there are lots of good reasons why you should: Network segmentation can be used to optimize network traffic or improve network performance. Properly implemented, it also can facilitate effective monitoring, inform compliance requirements, and better contain network issues when they arise.

    But one of the most important reasons, in my view, is that a segmented network can be far more secure.

    As an example, IP telephony systems often use standard network protocols. Comparatively speaking, it’s easier to gain access to a phone than it is a network jack. If the phone network isn’t properly segmented from the production network, a hacker might use it as a bridgehead to access more sensitive network resources. Security concerns aside, IP telephony is also sensitive to latency. Having it segmented from high-traffic systems minimizes congestion and increases its reliability. 

    Improper or non-existent network segmentation is one of the most common vulnerabilities our team has seen regularly over the course of thousands of penetration tests. For some other frequent missteps we find, check out these videos and subscribe to our channel.

    Ready to find out how secure your network really is? Reach out to us and let’s discuss your needs and how we can help.

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.

    Want to learn more? Take a look at the next part of our Common Vulnerabilities discussion.

  • AttackTek: How to Launch a Broadcast Resolution Poisoning and SMB Relay Attack

    Welcome to our first AttackTek installment, where we’ll go deeper into the tech side of our penetration testing. We’re going to start with a couple of the easiest and most consistent ways we’ve found to get inside corporate networks and gain domain admin rights – sometimes before we finish our coffee on Day 1.

    The first is broadcast name resolution poisoning, known more simply as the broadcast poisoning attack. The second, which we often use in tandem, is the SMB relay attack. 

    For those unfamiliar with these attacks, a broadcast poisoning attack targets users’ credentials as a means to further access corporate networks and data. An SMB relay attack is basically a man-in-the-middle attack in which the malicious actor tries to make the target machine believe that it is the authenticating server.

    These two attack methods work really well together and can be put into motion in a matter of minutes. 

    In this video, I will walk you through an entire attack chain and break down both of these attacks as I’m conducting them.

    Just a friendly heads-up: A lot of the ‘action’ in this video is code on a screen. If you’re a pen tester or a defender, you’ll probably find it very interesting. But if you’re a non-techie and you clicked here after watching your favorite surf video, well . . . enjoy!

    At Raxis, we offer a variety of penetration tests to help you and your company identify vulnerabilities and close the gaps before a cybercriminal finds them. During these tests, our team of experienced, professional hackers uses every trick in the book – plus some they make up on the fly – to get past your security.

    If you are ready to explore more penetration testing and assessment options with Raxis, be sure to visit our contact page.