Category: cybersecurity

  • Phishing Email Example | How To Report Phishing Attempts in Gmail

I received this email this morning and thought it would be a great example for pointing out the issues that flag it as a phishing email.

Alright, here we have Jr. emailing us regarding an invoice. Two things off the bat: I’m not expecting anything from someone named Jr., and I have no idea what invoice I should be expecting. The last name Hade is not familiar to me. Next, this attacker used “Hello” and “Dear” right after each other, which nobody does. Then, instead of addressing me as Jason, he uses my email address. Next, look at the file name of the attached PDF (which you should never open or download): it is just gibberish. The attacker didn’t even bother to name it “invoice” or anything that would make more sense. If we keep looking, we see that the sender’s address is gibberish too, and it comes from a gmail.com domain. The odds that a legitimate business would do business from a Gmail address rather than a real domain like bestbuy.com are slim.

Okay, so I know this is a phishing attempt, but what do I do with it? I could just delete it, but that doesn’t flag it as something Gmail can investigate and use to prevent other users from receiving the same message. I could report it as spam, but it’s worse than an unsolicited marketing email. This thing is malicious, so let’s see what Gmail suggests.

Okay, so I click the three dots near Reply, and there I can report the message as phishing.

After clicking Report phishing, we get a pop-up that says…

And the email is removed from my inbox. We’re done. Great job, and stay vigilant. Always be suspicious!
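The red flags above can be turned into checks that run over a raw message, which is how a mail gateway or a triage script would score the same email. This is an added example and not code from the original post; the two sample messages are constructed here (made-up names, mailboxes and attachment name modelled on the description above), and the thresholds in the gibberish heuristic are assumptions chosen for illustration. Standard-library only, so it runs offline.

```python
import os
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message described above; the names,
# addresses and attachment name are made up, not copied from the real email.
PHISH_EML = """\
From: Jr. Hade <qzpxv83kd@gmail.com>
To: jason@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello Dear jason@example.com,

Please find the attached invoice.
--b1
Content-Type: application/pdf; name="xk29qpz7vtr.pdf"
Content-Disposition: attachment; filename="xk29qpz7vtr.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

# Constructed control message with none of the red flags.
CLEAN_EML = """\
From: Accounts Payable <billing@bestbuy.com>
To: jason@example.com
Subject: Your order has shipped
Content-Type: text/plain

Hi Jason,

Your order has shipped and will arrive Tuesday.
"""

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
RISKY_ATTACHMENT_EXTS = {".pdf", ".zip", ".iso", ".html", ".htm", ".docm", ".xlsm", ".js", ".lnk"}
STACKED_GREETING = re.compile(r"\b(hello|hi|hey)\s+dear\b", re.IGNORECASE)


def looks_generated(token: str) -> bool:
    """Heuristic for 'gibberish': six or more letters with under 20% vowels
    (e.g. 'qzpxv83kd'), which real names and words almost never have.
    The 6 / 0.2 cut-offs are assumptions picked for this example."""
    letters = re.sub(r"[^a-z]", "", token.lower())
    if len(letters) < 6:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def phishing_indicators(raw_message: str) -> list:
    """Return the red flags found in one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    local_part, _, sender_domain = sender.rpartition("@")
    _, recipient = parseaddr(msg.get("To", ""))

    if sender_domain.lower() in FREEMAIL_DOMAINS:
        findings.append(f"business mail sent from free-mail domain {sender_domain}")
    if looks_generated(local_part):
        findings.append(f"sender mailbox name looks generated: {local_part}")

    body = ""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            stem, ext = os.path.splitext(name)
            if ext.lower() in RISKY_ATTACHMENT_EXTS:
                findings.append(f"unsolicited attachment: {name}")
            if looks_generated(stem):
                findings.append(f"attachment name looks generated: {name}")
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            body += part.get_payload(decode=True).decode(charset, "replace")

    if STACKED_GREETING.search(body):
        findings.append("stacked greeting such as 'Hello Dear'")
    if recipient and recipient.lower() in body.lower():
        findings.append("recipient addressed by email address instead of name")
    return findings


if __name__ == "__main__":
    for label, sample in (("suspected phish", PHISH_EML), ("control", CLEAN_EML)):
        print(label, phishing_indicators(sample))
```

None of these checks is conclusive on its own (plenty of small businesses do mail from Gmail), which is why the function returns the whole list rather than a verdict: six independent flags on one message is the signal, not any single one.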

  • TryHackMe Walkthrough – Phishing Emails in Action

    Task 1: Introduction

    Question 1: No answer needed

    Task 2: Cancel your PayPal order

    Question 1: What phrase does the gibberish sender email start with?

    This answer is in the reading. Look at the email address highlighted with a red circle 2.

    Answer: noreply

    (more…)
  • TryHackMe Walkthrough – Phishing Analysis Fundamentals

    Task 1: Introduction

    Question 1: No answer needed.

    Task 2: The Email Address

    Question 1: Email dates back to what time frame?

The answer is in the reading, second paragraph.

    Answer: 1970s

    (more…)
  • Weekly Cybersecurity Wrap-up 11/13/23

    Learn Cybersecurity with me. I’m posting my journey here.

    Webinars/Videos

    Articles

    Podcasts

    • Cyberwire – Ep 1949 | 11.16.23 – Shopping during wartime? Focus, people.

    Projects

    LinkedIn Learning – CompTIA Security+ Module 8: Network Security Design and Implementation | Complete!

TryHackMe – SOC Level 1 (92% Complete): Intro to Malware Analysis

    UDemy – Python for Cybersecurity – Gitlab

  • TryHackMe – Intro to Malware Analysis Walkthrough

    In this walkthrough we will go step by step to answer the questions.

    Task 1: Introduction

    No questions here, so let’s keep moving.

    Task 2: Malware Analysis

    Question: Which team uses malware analysis to look for IOCs and hunt for malware in a network?

    The answer can be found in the reading in “The purpose behind Malware Analysis” section. Specifically, the Threat Hunt bullet.

    Threat Hunt teams analyze malware to identify IOCs, which they use to hunt for malware in a network.

    Answer: threat hunt teams

    (more…)
  • Weekly Cybersecurity Wrap-up 11/06/23

    Webinars

Some good YouTube videos this week…

    Great for me as I finished up Snowden’s autobiography this week as well.

    Articles

    Projects

    LinkedIn Learning – CompTIA Security+ Module 8: Network Security Design and Implementation | This is a long one, I’m still working on it.

TryHackMe – SOC Level 1 (91% Complete): TheHive – Complete

    UDemy – Python for Cybersecurity – Gitlab

  • Smishing Example

    What is Smishing?

    Smishing, a portmanteau of “phishing” and “SMS,” the latter being the protocol used by most phone text messaging services, is a cyberattack that uses misleading text messages to deceive victims. The goal is to trick you into believing that a message has arrived from a trusted person or organization, and then convincing you to take action that gives the attacker exploitable information (like bank account login credentials, for example) or access to your mobile device.

    I received this lately and I wanted to share it so you see a real-life example. I’ve blocked out the link for safety.

I did not go to this website, but you can bet they copied the look of USPS’s website along with a login page. That login page will not actually log you in, because it is a fake site. What it will do is capture your email and password.

    So what, right? No harm done. Well here is another term to learn. Credential stuffing.

    What is Credential Stuffing?

Credential stuffing is the automated injection of stolen username and password pairs (“credentials”) into website login forms in order to fraudulently gain access to user accounts.

    Since many users will re-use the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example) submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too.

    Credential Stuffing is a subset of the brute force attack category. Brute forcing will attempt to try multiple passwords against one or multiple accounts; guessing a password, in other words. Credential Stuffing typically refers to specifically using known (breached) username / password pairs against other websites.

    https://owasp.org/www-community/attacks/Credential_stuffing

This is exactly what these bad guys will do. They might also sell the list of captured credentials to other criminals, who will in turn try the same thing. So use a password manager and don’t use the same password on more than one site. Don’t click on anything you aren’t expecting. If you’re unsure, contact the source directly. In this case, I am not expecting anything from USPS, and I see so many red flags on this that I know it is smishing.

    Those red flags are:

    • I’m not expecting it.
    • The sender’s address – It is not usps.gov, which is what I would expect; instead it is ups.gidaew24lw@usps.tw. What the heck is that?!
    • The URL didn’t make sense either. I would expect usps.gov, but it is a .com, and it wasn’t usps.com either. So strange, right?
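Credential stuffing has a recognizable shape in authentication logs, and that shape is what a SOC looks for: one source trying many different accounts roughly once each with a high failure rate, as opposed to classic brute force (one account, many guesses) or a real user who mistypes once. The detector below is an added example, not code from the original post or from OWASP; the log format, the three sources and the thresholds are all constructed for illustration (a real pipeline would also bucket by time window and by ASN, since stuffing is usually spread across a proxy pool).

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format: "<timestamp> ip=<src> user=<account> result=OK|FAIL"
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Tunables (assumptions for this example).
MIN_ATTEMPTS = 5          # ignore sources below this volume
MIN_FAIL_RATIO = 0.7      # mostly failures = automated guessing of some kind
MIN_DISTINCT_USERS = 5    # stuffing spreads across many accounts ...
MAX_TRIES_PER_USER = 2    # ... with only one or two tries each (a breached pair)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # accounts the source got into


def constructed_log() -> list:
    """Constructed auth log (not real data) with three kinds of source."""
    lines = []
    # 203.0.113.7 tries twelve different breached username/password pairs once each; one works.
    for i in range(12):
        lines.append(f"2023-11-10T10:00:{i:02d}Z ip=203.0.113.7 user=user{i}@example.com "
                     f"result={'OK' if i == 5 else 'FAIL'}")
    # 198.51.100.9 hammers a single account with many password guesses.
    for i in range(8):
        lines.append(f"2023-11-10T10:01:{i:02d}Z ip=198.51.100.9 user=bob@example.com result=FAIL")
    # 192.0.2.10 is a real user who mistypes once and then logs in.
    lines.append("2023-11-10T10:02:00Z ip=192.0.2.10 user=alice@example.com result=FAIL")
    lines.append("2023-11-10T10:02:05Z ip=192.0.2.10 user=alice@example.com result=OK")
    return lines


def aggregate(lines) -> dict:
    """Roll the log up per source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparsable lines rather than crash the pipeline
        s = stats[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(m["user"])
    return stats


def classify(s: SourceStats) -> str:
    if s.attempts < MIN_ATTEMPTS or s.failures / s.attempts < MIN_FAIL_RATIO:
        return "benign"
    spread = (len(s.users) >= MIN_DISTINCT_USERS
              and s.attempts / len(s.users) <= MAX_TRIES_PER_USER)
    return "credential_stuffing" if spread else "brute_force"


def classify_sources(lines) -> dict:
    return {ip: classify(s) for ip, s in aggregate(lines).items()}


def compromised_accounts(lines) -> set:
    """Accounts a stuffing source logged into: their reused password is burned,
    so they need a forced reset and a session revoke, not just a blocked IP."""
    return {user for s in aggregate(lines).values()
            if classify(s) == "credential_stuffing" for user in s.successes}


if __name__ == "__main__":
    log = constructed_log()
    print(classify_sources(log))
    print("force reset:", compromised_accounts(log))
```

The point of `compromised_accounts` is the response half of the problem: blocking the source IP stops nothing, because the attacker already knows which pair worked and the next attempt comes from a different address. The account whose reused password succeeded is the thing to act on, which is exactly why the advice above is one unique password per site.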
  • TryHackMe – TheHive Project Walkthrough

    Task 1 & 2 are easy “I read this” ones, so let’s skip to…

    Task 3

    Question 1: Which open-source platform supports the analysis of observables within TheHive?

    In the reading under “Observable Enrichment with Cortex” bullet it explains that

    One of the main feature integrations TheHive supports is Cortex

    Answer: Cortex

    (more…)
  • Weekly Cybersecurity Wrap-up 10/30/23

Happy Halloween! It’s already the end of the year! Time flies when you are learning cybersecurity!

    Videos

What Hiring Managers Really Think
    Insider Threat

    Articles

    Podcasts

    Cyberwire Daily – Ep 1940 | 11.2.23 – The beginning of an international consensus on AI governance may be emerging from Bletchley Park.

    Projects

    LinkedIn Learning – CompTIA Security+ Module 8: Network Security Design and Implementation | This is a long one, I’m still working on it.

TryHackMe – SOC Level 1 (90% Complete): Velociraptor – Complete

    UDemy – Python for Cybersecurity – Gitlab

  • TryHackMe Velociraptor Walk-Through

    First task that has any questions is…

    Task 2

    Question 1: Using the documentation, how would you launch an Instant Velociraptor on Windows?

    It’s in the documentation. Scroll to “Instant Velociraptor” and you will find…

    Answer: Velociraptor.exe gui

    Task 3

    Question 1: What is the hostname for the client?

    Open the Ubuntu terminal and run:

    ./velociraptor-v0.5.8-linux-amd64 --config velociraptor.config.yaml frontend -v

    Let that run for a while….

Then launch Chrome and click the shortcut under the search bar called Velociraptor.

If you get the warning that your connection is not private, click the Advanced button, then proceed to 127.0.0.1.

    Enter the sign-in information given in task 3 instructions.

    Once it comes up click on the magnifying glass next to the search bar:

    Then this loads…

    Boom! Hostname.

    Answer:

    thm-velociraptor.eu-west-1.compute.internal

    Question 2: What is listed as the agent version?

    From our last step go ahead and click on that Client ID link. It opens up a page with Agent Version on it.

    Answer:

    2021-04-11T22:11:10Z

    Question 3: In the Collected tab, what was the VQL command to query the client user accounts?

Click the Collected button at the top of the page, then the Requests tab in the bottom frame. The VQL statement we are looking for is the fourth one down:

    Answer:

    LET Generic_Client_Info_Users_0_0=SELECT Name, Description, Mtime AS LastLogin FROM Artifact.Windows.Sys.Users()

    Question 4: In the Collected tab, check the results for the PowerShell whoami command you executed previously. What is the column header that shows the output of the command?

If you didn’t run the whoami command while going through the instructions, do that now: click the magnifying glass, then the Client ID, and in the upper right of the screen click the “>_ Shell” button and run whoami. You will then see this in the Results tab:

    In the screenshot above you can see the column header name is Stdout.

    Answer: Stdout

    Question 5: In the Shell, run the following PowerShell command Get-Date. What was the PowerShell command executed with VQL to retrieve the result?

This is not the same as pulling the VQL from the previous answer. For this one we have to go to the Log tab after running the command. There, on the second line, we find the VQL command that was run. Copy it out starting at the [powershell…

    Answer:

    [powershell -ExecutionPolicy Unrestricted -encodedCommand RwBlAHQALQBEAGEAdABlAA==]

    Task 4

    Question 1: Earlier you created a new artifact collection for Windows.KapeFiles.Targets. You configured the parameters to include Ubuntu artifacts. Review the parameter description for this setting. What is this parameter specifically looking for?

    The answer for this is in the screenshots for the instructions:

    Answer: Ubuntu on Windows Subsystem for Linux

    Question 2: Review the output. How many files were uploaded?

I hope you did the exercise; otherwise you won’t find the answer. Take the time to go back and do it, then you can find the answer after the process completes:

I’m pretty sure I didn’t do anything wrong here. I see 19 files uploaded, and other walk-throughs got the same answer, but the answer TryHackMe wants is 20.

    Answer: 20

    Task 5

    Question 1: Which accessor can access hidden NTFS files and Alternate Data Streams? (format: xyz accessor)

    The answer to this is in the documentation. Read the paragraph under VFS accessors.

    Answer: ntfs accessor

    Question 2: Which accessor provides file-like access to the registry? (format: xyz accessor)

    This answer is also in the documentation same section.

    Answer: registry accessor

    Question 3: What is the name of the file in $Recycle.Bin?

Ok, time to get real. Dive back into Velociraptor and click the little file folder in the left navigation; it’s called Virtual File System in the nav. Click File > C: > $Recycle.Bin > S-1….. (the SID folder under the recycle bin). There is your file.

    Answer: desktop.ini

    Question 4: There is hidden text in a file located in the Admin’s Documents folder. What is the flag?

Alright, click C: again, followed by Users > Administrator > Documents.

The file we want is called flag.txt, and we will need to collect it from the host in order for the Textview tab to become clickable.

    Answer: THM{VkVMT0NJUkFQVE9S}

    Task 6

    Question 1: What is followed after the SELECT keyword in a standard VQL query?

    The answer to this question is found in the documentation. Read the Whitespace section.

    Answer: Column Selectors

    Question 2: What goes after the FROM keyword?

Keep reading the same sentence to get the next answer.

    Answer: VQL Plugin

    Question 3: What is followed by the WHERE keyword?

Just keep reading… the next sentence has the next answer.

    Answer: filter expression

The next question’s answer is the “?” character. This is also in the documentation, but you will need to navigate to Notebooks. Look in step 5 for…

After clicking the Edit Cell button, you can type VQL directly into the cell. As you type, the GUI offers context-sensitive suggestions about what possible completions can appear at the cursor. Typing “?” will show all possible suggestions.

    Answer: ?

    Question: What plugin would you use to run PowerShell code from Velociraptor?

    Back to the documentation. Read the section about “Extending Artifacts – PowerShell” to find…

    Answer: execve()

    Task 7

    Question 1: What are the arguments for parse_mft()?

It’s in the documentation. Look under Time Analysis for…

Answer: parse_mft(filename="C:/$MFT", accessor="ntfs")

    Question 2: What filter expression will ensure that no directories are returned in the results?

Once again the answer is in the documentation: the Filesystem doc, under Glob Results.

    Answer: IsDir

    Task 8

    Start the new machine.

    Question 1: What is the name in the Artifact Exchange to detect Printnightmare?

Start up Velociraptor by opening a Command Prompt and typing…

    cd desktop
    Velociraptor.exe gui

Let’s check the documentation. Using its search, I found https://docs.velociraptor.app/exchange/artifacts/pages/printnightmare/

The answer is in the documentation! Again!

    Answer: Windows.Detection.PrintNightmare

    Question 2: Per the above instructions, what is your Select clause? (no spaces after commas)

    Replace the **** per the instructions.

    Answer:

SELECT "C:/" + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file="C:/" + FullPath) AS PE

Question 3: What is the name of the DLL that was placed by the attacker?

We have to create a notebook and plug in some VQL that we build using the previous answer as a template. The SELECT clause is the one from Question 2, the FROM is the parse_mft() call from Task 7, and the WHERE drops directories, limits the search to the print spooler driver directory and keeps only rows that parsed as a PE file:

    SELECT "C:/" + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file="C:/" + FullPath) AS PE
    FROM parse_mft(filename="C:/$MFT", accessor="ntfs")
    WHERE NOT IsDir AND FullPath =~ "Windows/System32/spool/drivers" AND PE

29 rows later, we see an oddly named DLL as the last row…

    Answer: nightmare.dll

    Question 4: What is the PDB entry?

    Once you have the above, just look at the PDB line.

    Answer: C:\Users\caleb\source\repos\nightmare\x64\Release\nightmare.pdb