Posts

Showing posts from 2021

Open Redirect in Oracle BlueKai

Image
Phishing threat actors are continuously seeking new methods to increase the chances of success in their campaigns. Phishing is still one of the main initial access vectors into target networks. One technique that makes phishing emails particularly difficult to block is the use of open redirect vulnerabilities to distribute malicious links.  Although often underestimated and left unaddressed for months or years, open redirect vulnerabilities can present a considerable risk to your users. Open redirect bugs often occur in the form of a parameter inside a query which contains a URL to redirect a user to.  In late 2020, a client of mine was targeted in a spear-phishing campaign that leveraged a universal open redirect vulnerability in the Oracle BlueKai Data Management Platform. The vulnerability was responsibly disclosed to Oracle Security in December 2020. At the time of writing, the vulnerability remains unpatched and has not been assigned a CVE number (despite multiple other open redir

CTI Project: Threats Leveraging Legitimate Services

Image
  Legitimate third-party Platform-as-a-Service (PaaS) providers are becoming increasingly leveraged by threat actors for phishing and malware deployment. PaaS providers such as cloud instances, marketing platforms, content delivery networks (CDN), and dynamic DNS servers have been weaponised for a range of malicious activities. One of the key benefits is that they can be used to  evade detection systems. This is due to the decreased likelihood of these being pre-emptively blocked because of established levels of trust and legitimate usage.  Many of these types of malware and phishing campaigns also combine the use of multiple platforms simultaneously, making these particularly difficult for human analysts and automated systems to identify and malicious activity. The research in this blog details how cybercriminals l everage these systems as credential harvesting pages, payload hosting sites, redirector links, C&C servers, "dead drop resolvers", and for data exfiltration. 

Analysis of the latest PayPal phishing attacks

Image
As far as brands that get impersonated a lot, PayPal has got to be in the Top 5 or Top 3 globally. Between August and October, I personally received 19 PayPal credential phishing page links and my crud email provider (not Gmail or Outlook) didn't block them, so they've been landing in my inbox. So I took a look at them, natch.  I examined various phishing attempts that appear to be sent in a similar manner to my personal email, which has only appeared in one small breach in 2017, according to Have I Been Pwned for the record. One phishing kit stood out and forced my hand into blogging about it. It consisted of 11 parts, including the phishing email itself and the initial landing page; followed by several pages to harvest credit card and billing information, bank account details, and finally the bit that I'd not personally seen before (but I doubt is that new) was that it asked me to "Upload your identity".   The amount of personal data this phishing kit is harvest

Ransomware Decryption Intelligence

Image
Ransomware continues to be the most profitable method of monetising unauthorised access to compromised networks. It is the biggest threat to private and public sector organisations, large and small. In the last three years, we have seen hundreds of hospitals hit by ransomware, as well as other critical infrastructure sector organisations, such as the Colonial Pipeline or JBS foods. Slowing the ransomware epidemic requires a multi-pronged approach. While this includes arrests, action against illicit cryptocurrency transactions, sanctions, or - the topic of this blog - decryption. By reverse engineering the encryption implementation utilised by a ransomware variant, researchers can exploit a cryptographic flaw to decrypt ransomware. This does make it possible to recover files without paying a ransom for the decryption keys. When the ransomware group eventually realises, or learns via public reports, that their ransomware is fundamentally flawed, they often either abandon it, fix the flaw

OSINT blog: Reunion in Scotland

Image
  The Beer Farmers recently issued a geo-location OSINT challenge with a mystery prize for the first person to find them.  Under time pressure, I put my OSINT skills to the test to see how difficult it would be to find them.  Some Saturday fun. Where are @SeanWrightSec and @AppSecBloke in this photo? First to get it right wins something. @netsecfocus knows what it's like to win a prize from us. #HereForYou pic.twitter.com/L5HiKGAF8X — The Beer Farmers (@TheBeerFarmers) September 11, 2021 I examined the image closely, looking for any clues. The first thing I think everyone would have immediately noticed was the large greek-style columns behind Mike and Sean. These would come in handy later when roaming the streets on Google Maps.  The second thing I noticed was a backwards JD Sports logo (a highstreet clothing brand in the UK). Therefore, I realised the image was flipped horizontally, so I flipped it back: The task was then to locate which JD Sports this was going to be. Judgin

How Do You Run A Cybercrime Gang?

Image
Cybercrime has many forms, the most common of which is theft and fraud. Aspiring cybercriminals may begin with off-the-shelf malware or phishing kits and run amateur, but profitable, campaigns. Banking Trojans were the next step up, which intercept and manipulate connections during online banking procedures for exploitation and wire fraud. Several infamous groups that graduated from these campaigns went on to form organised crime syndicates and launch 'big game hunting' ransomware campaigns. Ransomware in particular, has caused mass disruption on a national level and huge financial losses. This blog will explore three top-tier cybercrime syndicates which are tracked by the private cybersecurity industry as EvilCorp, WizardSpider, and FIN7. These threat actors are financially motivated cybercriminals whose campaigns have become a scourge to organisations and society at large. So much so, that they are closely tracked by intelligence agencies and international law enforcement. Fi