Indictment of Chinese Hackers Underscores Need for Stronger Cybersecurity

According to a newly unsealed indictment, two Chinese nationals working with the Chinese ministry of state security have been charged with hacking a number of U.S. government agencies and corporations. The court filing indicates that Zhu Hua and Zhang Jianguo, members of Advanced Persistent Threat 10 (APT10), used phishing techniques in order to steal intellectual property, confidential business data, and technological information between 2006 and 2018.  

Flaws and Vulnerabilities and Exploits – Oh My!

With the slew of terms that exist in the world of application security, it can be difficult to keep them all straight. “Flaws,” “vulnerabilities,” and “exploits” are just a few that are likely on your radar, but what do they mean? If you’ve used these words interchangeably in the past, you’re not alone. They’re easy to confuse with one another, likely because there’s a relationship between all of these terms, however, their distinction is real.

Cybersecurity and human rights

More posts by this contributor

A cyberattack has the power to paralyze cellular communications; alter or erase information in computerized systems; prevent access to computer servers; and directly harm a country’s economy and security by attacking its electricity networks or banking system.

Feds Charge Three in Mass Seizure of Attack-for-hire Services

Authorities in the United States this week brought criminal hacking charges against three men as part of an unprecedented, international takedown targeting 15 different “booter” or “stresser” sites — attack-for-hire services that helped paying customers launch tens of thousands of digital sieges capable of knocking Web sites and entire network providers offline.

“Hunting with OSSEC” at BruCON Spring Training

My training submission has been accepted at the BruCON Spring Training session in April 2019. This training is intended for Blue Team members and system/security engineers who would like to take advantage of the OSSEC integration capabilities with other tools and increase the visibility of their infrastructure behaviour.

The challenges of adopting a consistent cybersecurity framework in the insurance industry

As hacking events have increased in number and severity, we in the cybersecurity community have united around common strategies that all organizations can implement to reduce their risk. Universal best practices provide organizations with many useful tools to protect their businesses. But what often gets overlooked in these discussions are the unique security challenges that each industry faces, and the tailored solutions required to address those issues. This is an area of interest to me, and lately I’ve been fascinated by the path that the insurance industry is carving out when it comes to cybersecurity. Today, I’ll discuss recent activity by the U.S. insurance industry and the ramifications and impact of these initiatives. In future weeks, I’ll offer my insights into how other industries are confronting rising security and compliance risks.

Windows Defender ATP has protections for USB and removable devices

Meet Jimmy. Jimmy is an employee in your company. He Does Things With Computers (official title).

Last Wednesday, as Jimmy got out of his car after parking in the company-owned parking lot, he saw something on the ground.

That “something” is a 512GB USB flash drive!

Jimmy picks up the drive, whistling along to himself as he enters the office and settles down in his cubicle. At which point he plugs in his new, free USB flash drive. Without knowing it, Jimmy has just allowed a targeted malware into your company’s network.

Next up, we have Zee, who has been working on an important new account. She has a presentation coming up after the holidays and wants to make a final few tweaks while she’s away from the office on vacation. On the Friday before she leaves, she plugs in her corporate-approved USB flash drive and copies over the presentation files, including the client’s information about their yet-to-be-registered patent ideas.

On Saturday at the airport, as she’s digging around in her bag for her plane tickets, she accidentally drops the USB drive with the Peterson account’s files. She doesn’t tell you – she doesn’t even realize she’s lost the drive.

A less-than-honest person swoops by and picks up the drive.

On Tuesday, you hear from the Peterson account – they’ve decided to go with another company that hasn’t had their files stolen and sold across the dark web.

These are pretty scary scenarios – but they are possible. So, how do you protect against these and similar attacks?

Windows Defender ATP to the rescue

Knowing that removable device usage is a concern for enterprise customers in both of these types of scenarios we’ve worked on how removable devices can be protected with Windows Defender Advanced Threat Protection (Windows Defender ATP):

We recommend a layered approach for device control security, which incorporates multiple avenues of protection, including each of the above. In future blogs we’ll also talk about recent malware infections that use USB drives to spread, and dive deeper into how data loss prevention should be a part of your device control strategy.

Prevent users from using removable devices (partially/fully)

We know, unfortunately, that people will plug in devices with unknown history (and that there are also attackers out there who directly attempt to control devices without relying on social engineering). These devices could be the source of malware infections that use USB and other removable devices to get initial access to a system or network.

This vector of attack falls under social engineering – in this case, appealing to our weakness for “shiny things”: when we see a “free” item we’re inclined to take it, even if we don’t need it – it becomes shiny and exciting and precioussssess and we wantssesss it.

To help protect against these attacks, you can prevent any removable device from being seen and interacted with by blocking users from using any removable device on the machine.

To help refine how you can use this feature, with Windows Defender ATP you can block only certain, defined external devices from being used on certain machines or by certain users.

You can use device hardware IDs to lock out (or enable) specific device types and device manufacturers. You’ll need to do some manual configuration with a DeviceInstallation policy that uses the IDs you specify, which you can read about at our documentation site. This way you can be more targeted, without blocking employees that need to use USB drives.

If allowing removable devices in your organization, it is recommended that you whitelist known good devices. For example if your company buys only from a handful of device manufactures, you can whitelist or allow only these device manufactures.

Protect against malware infections that use USB devices to spread

After reducing which removable devices can be used in your company, you can also make sure that allowable removable storage drives that are connected are protected by Windows Defender Antivirus.

First, ensure that real-time scanning for USB devices is enabled, and then make sure to enable the exploit guard attack surface reduction rule that can block untrusted and unsigned files on the removable device as soon as it’s connected.

If the device has direct memory access (DMA) capability (typically Thunderbolt devices) it can potentially be allowed to bypass the login and lockscreen.

You can prevent this situation by blocking devices from having DMA until a user logs on.

This can be done in Intune by creating a Device Restrictions policy and setting the Direct Memory Access toggle to Block under the General settings category (as in the following screenshot), or with the DmaGuard MDM CSP policy.

View the device control support documentation for other Windows Defender scanning option (including scheduled scans and starting scans after a removable device is mounted) as well as other DMA protections.

Control how users can use removable devices (DLP)

Another angle that can be used within this range of defenses is data loss prevention (DLP). DLP seeks to prevent unintentional (and intentional) loss or theft of sensitive, company information. A DLP solution should include a holistic approach across multiple vectors or places where information can be improperly shared. Some of the DLP solutions we offer are:The two parts of DLP that are most relevant to removable devices is the use of BitLocker (in particular, BitLocker to-go) and Windows Information Protection.

We’ll be publishing a blog in the new year that talks more about DLP solutions, but in this blog we’re going to focus on BitLocker and WIP as potential protections against the scenarios we started with.

You can require that files written to removable media is Bitlocker protected through Intune configuration settings.

When you attempt to plug in a device that has been encrypted with BitLocker, any files added to the device are automatically encrypted. If someone then tries to access those files on that removable drive by plugging it into another, untrusted computer, they will be prompted to decrypt the removable drive. They won’t be able to do this without a recovery key, password, or smart card, which only company employees have.

With Windows Information Protection, users are prevented from copying sensitive information, and from running files that belong to unknown or untrusted apps. This means users that try to copy sensitive or confidential-marked materials will be prevented from doing so, and will be notified depending on the level of enforcement.

Use advanced hunting queries to view and identify suspicious removable device activity

On the flipside, however, it can be hard to know which actual devices you should block, and when and what users to prevent using removable devices, so you can deploy the protections above in specific Active Directory or Intune groups to restrict the controls to certain groups.

For example, you may have employees that should never need to use removable devices because their work is sensitive and shouldn’t be shared. However, you don’t want to prevent your creative, sales, and marketing teams from being able to easily share content briefs with external groups.

Going beyond these tactics though, you can use advanced hunting in Windows Defender ATP to identify users, machines, and types of devices that are being used suspiciously, as in the following example:

MiscEvents | where ActionType == "PnpDeviceConnected" | extend ParsedFields=parse_json(AdditionalFields) | project ClassName=tostring(ParsedFields.ClassName), DeviceDescription=tostring(ParsedFields.DeviceDescription), DeviceId=tostring(ParsedFields.DeviceId), VendorIds=tostring(ParsedFields.VendorIds), MachineId, ComputerName, EventTime | where ClassName contains "drive" or ClassName contains "usb"

Internet Explorer Zero Day Exploited in Attacks

556k

Subscribers

341

Online

A subreddit dedicated to hacking and hackers. What we are about: constructive collaboration and learning about exploits, industry standards, grey and white hat hacking, new hardware and software hacking technology, sharing ideas and suggestions for small business and personal security.

Webinar Series: Fundamentals of Post-Exploitation with Carlos Perez

Join us for this webinar series starting on Wednesday January 16th at 1:00 EST

Learn the basics of post-exploitation from advanced infosec professionals

Join Carlos Perez (@darkoperator) as he shares some of the post-exploitation methodology used by TrustedSec security consultants performed during actual attack simulations. Each of the four individual webinars will focus on specific aspects that will build upon each other to give a complete picture of the post-exploitation process. New tools will also be released during each individual webinar.

3 Reasons Osquery Should Be On Every Incident Responders Christmas List

2018 marks the first full year in which Uptycs, the company created to bring Facebook’s open source osquery agent to widespread commercial adoption, has had its turnkey security analytics platform in the market. As can be expected of any startup that launches a new ground-breaking product, it has been an exciting year, full of anticipation, unprecedented interest, and challenging work as we tweaked and tuned the product to optimize it for what our customers needed it to do.

Most People Will Quit Facebook for $1,000

Nothing in life is truly free. If you’re not paying to use a social platform in dollars, then you’re almost definitely paying for it with your personal data—a truism that’s never been more clear than this year, as damning reports around Facebook’s data sharing practices revealed how the platform abused its privacy privileges.