FBI: Ransomware gangs hack casinos via 3rd party gaming vendors – The Federal Bureau of Investigation is warning that ransomware threat actors are targeting casino servers and using legitimate system management tools to escalate their permissions on the network.
Two Russian Nationals Charged For Conspiring To Hack The Taxi Dispatch System At JFK Airport – “…these four defendants conspired to hack into the taxi dispatch system at JFK airport. Cyber hacking can pose grave threats to infrastructure systems that we rely on every day, and our Office is dedicated to pursuing criminal hackers, whether they be in Russia or here in New York.”
Tri-City Medical Center in Oceanside hit by cybersecurity attack – Tri-City Medical Center is diverting ambulance traffic to other hospitals Thursday as it copes with a cybersecurity attack that has forced it to declare “an internal disaster” as workers scramble to contain the damage and protect patient records.
Smishing, a portmanteau of “phishing” and “SMS,” the latter being the protocol used by most phone text messaging services, is a cyberattack that uses misleading text messages to deceive victims. The goal is to trick you into believing that a message has arrived from a trusted person or organization, and then convincing you to take action that gives the attacker exploitable information (like bank account login credentials, for example) or access to your mobile device.
I received this lately and I wanted to share it so you see a real-life example. I’ve blocked out the link for safety.
I did not go to this website, but you can bet they copied the look of USPS’s website along with a login page. This login page will not work for you to log in, because this is a fake site. What it will do is capture your password and email.
So what, right? No harm done. Well, here is another term to learn: credential stuffing.
What is Credential Stuffing?
Credential stuffing is the automated injection of stolen username and password pairs (“credentials”) into website login forms, in order to fraudulently gain access to user accounts.
Since many users will re-use the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example) submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too.
Credential stuffing is a subset of the brute force attack category. Brute forcing attempts multiple passwords against one or more accounts; guessing a password, in other words. Credential stuffing specifically refers to using known (breached) username/password pairs against other websites.
This is exactly what these bad guys, or hackers, will do. They might also sell the list they get to other hackers, who will in turn try the same thing. So use a password manager and don’t use the same password on more than one site. Don’t click on anything you are not expecting. If you’re unsure, contact the source directly. In this case, I am not expecting anything from USPS, and I see so many red flags on this that I know it is smishing.
Those red flags are:
I’m not expecting it.
The sender’s address – It is not usps.gov, which is what I would expect; instead it is ups.gidaew24lw@usps.tw. What the heck is that?!
The URL didn’t make sense either. I would expect usps.gov, but it is a .com and it wasn’t usps.com either. So strange, right?
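To make the credential-stuffing definition above concrete, here is an added example of how a defender tells a stuffing run apart from plain brute force in a login log. It is my own illustration, not code from the original post or from OWASP. The log format (one JSON object per line with src_ip, user and result) and the thresholds are assumptions chosen for the demonstration, and the log lines themselves are constructed.

```python
"""Tell credential stuffing from plain brute force in login logs.

Added example; it is not from the original post or from OWASP. The log
format (one JSON object per line with src_ip, user, result) and the
thresholds are assumptions chosen for illustration.
"""
import json
from collections import defaultdict

# Constructed sample log. 203.0.113.5 replays a breached username/password
# list (one try per account, one hit); 198.51.100.7 hammers one account
# with many guesses; 192.0.2.10 is a real user who mistyped once.
SAMPLE_LOG = "\n".join(
    [json.dumps({"src_ip": "203.0.113.5", "user": f"user{i}@example.com",
                 "result": "fail"}) for i in range(12)]
    + [json.dumps({"src_ip": "203.0.113.5", "user": "user12@example.com",
                   "result": "success"})]
    + [json.dumps({"src_ip": "198.51.100.7", "user": "admin@example.com",
                   "result": "fail"}) for _ in range(15)]
    + [json.dumps({"src_ip": "192.0.2.10", "user": "bob@example.com",
                   "result": r}) for r in ("fail", "success")]
)


def summarize(log_text):
    """Per-source counters: attempts, failures, distinct accounts, successes."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                  "users": set(), "hits": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = per_ip[ev["src_ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "success":
            s["hits"].add(ev["user"])
        else:
            s["fails"] += 1
    return per_ip


def classify(log_text, min_attempts=10, max_tries_per_account=1.5):
    """Label each source IP: brute_force, credential_stuffing or normal.

    Brute force: many attempts concentrated on a single account.
    Credential stuffing: many attempts spread over many accounts, about
    one try each, because the attacker already holds a candidate password
    for every username. Anything else (few attempts, or a busy NAT with
    several tries per account) is left as normal for a human to review.
    """
    verdicts = {}
    for ip, s in summarize(log_text).items():
        if s["attempts"] < min_attempts:
            verdicts[ip] = "normal"
        elif len(s["users"]) == 1:
            verdicts[ip] = "brute_force"
        elif s["attempts"] / len(s["users"]) <= max_tries_per_account:
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "normal"
    return verdicts


def accounts_to_reset(log_text):
    """Accounts a credential-stuffing source logged into successfully.

    Their password is now confirmed known to the attacker and must be
    rotated (and the reused password retired everywhere else too).
    """
    verdicts = classify(log_text)
    stats = summarize(log_text)
    return sorted(u for ip, v in verdicts.items()
                  if v == "credential_stuffing" for u in stats[ip]["hits"])


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
    print("force reset:", accounts_to_reset(SAMPLE_LOG))
```

The key signal is the ratio of attempts to distinct accounts per source: a brute forcer produces many attempts against one account, while a stuffing run produces roughly one attempt per account across a long list, with a small but non-zero success rate. In production you would key on more than the source IP (attackers rotate through proxies), but the account-spread heuristic is the same.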
Happy Halloween! It’s already the end of the year! Time flies when you are learning cybersecurity!
Videos
What Hiring Managers Really Think
Insider Threat
Articles
British Library knocked offline by weekend cyberattack – The British Library has been hit by a major IT outage affecting its website and many of its services following a “cyber incident” that impacted its systems on Saturday, October 28.
Massive cybercrime URL shortening service uncovered via DNS data – An actor that security researchers call Prolific Puma has been providing link shortening services to cybercriminals for at least four years while keeping a sufficiently low profile to operate undetected.
Canada bans WeChat and Kaspersky products on govt devices – Canada has banned the use of Kaspersky security products and Tencent’s WeChat app on mobile devices used by government employees, citing network and national security concerns.
LastPass breach linked to theft of $4.4 million in crypto – Hackers have stolen $4.4 million in cryptocurrency on October 25th using private keys and passphrases stored in stolen LastPass databases, according to research by crypto fraud researchers who have been researching similar incidents.
Hackers Accessed 632,000 Email Addresses at US Justice, Defense Departments – A Russian-speaking hacking group obtained access to the email addresses of about 632,000 US federal employees at the departments of Defense and Justice as part of the sprawling MOVEit hack last summer, according to a report on the wide-ranging attack obtained through a Freedom of Information Act request.
Then launch Chrome and click on the shortcut under the search bar called Velociraptor.
If you get the warning about your connection not being private, click the advanced button, then proceed to 127.0.0.1
Enter the sign-in information given in task 3 instructions.
Once it comes up click on the magnifying glass next to the search bar:
Then this loads…
Boom! Hostname.
Answer:
thm-velociraptor.eu-west-1.compute.internal
Question 2: What is listed as the agent version?
From our last step go ahead and click on that Client ID link. It opens up a page with Agent Version on it.
Answer:
2021-04-11T22:11:10Z
Question 3: In the Collected tab, what was the VQL command to query the client user accounts?
Click the collected button at the top of the page. Then click on the requests tab in the bottom frame. The VQL statement we are looking for is the fourth one down:
Answer:
LET Generic_Client_Info_Users_0_0=SELECT Name, Description, Mtime AS LastLogin FROM Artifact.Windows.Sys.Users()
Question 4: In the Collected tab, check the results for the PowerShell whoami command you executed previously. What is the column header that shows the output of the command?
If you didn’t run the whoami command while working through the instructions, do that now. Click on the magnifying glass, then the Client ID, and in the upper right of the screen you will see the “>_ Shell” button. Click that and run whoami. You will then see this in the Results tab:
In the screenshot above you can see the column header name is Stdout.
Answer: Stdout
Question 5: In the Shell, run the following PowerShell command Get-Date. What was the PowerShell command executed with VQL to retrieve the result?
This is not the same as pulling the VQL from the previous answer. For this one we have to go to the Log tab after we run the command. There we find the VQL command that was run in the second line. Copy that out starting at the [powershell…
Question 1: Earlier you created a new artifact collection for Windows.KapeFiles.Targets. You configured the parameters to include Ubuntu artifacts. Review the parameter description for this setting. What is this parameter specifically looking for?
The answer for this is in the screenshots for the instructions:
Answer: Ubuntu on Windows Subsystem for Linux
Question 2: Review the output. How many files were uploaded?
I hope you did the exercise; otherwise you won’t find the answer. Take the time to go back and do the exercise, then you can find the answer after the process completes:
I’m pretty sure I didn’t do anything wrong here. I see 19 files uploaded and saw other walk-throughs getting the same answer. But the answer TryHackMe wants is 20.
Answer: 20
Task 5
Question 1: Which accessor can access hidden NTFS files and Alternate Data Streams? (format: xyz accessor)
The answer to this is in the documentation. Read the paragraph under VFS accessors.
Answer: ntfs accessor
Question 2: Which accessor provides file-like access to the registry? (format: xyz accessor)
This answer is also in the documentation same section.
Answer: registry accessor
Question 3: What is the name of the file in $Recycle.Bin?
Ok, time to get real. Dive back into Velociraptor and click the little file folder icon on the left navigation; it’s called Virtual File System in the nav. Click File > C: > $Recycle.Bin > the S-1….. folder under $Recycle.Bin. There is your file.
Answer: desktop.ini
Question 4: There is hidden text in a file located in the Admin’s Documents folder. What is the flag?
Alright, Click C: again followed by Users > Administrator > Documents.
The file we want is called flag.txt and we will need to collect it from the host, in order to get the Textview tab to be clickable.
Answer: THM{VkVMT0NJUkFQVE9S}
Task 6
Question 1: What is followed after the SELECT keyword in a standard VQL query?
The answer to this question is found in the documentation. Read the Whitespace section.
Answer: Column Selectors
Question 2: What goes after the FROM keyword?
Keep reading the same sentence to get the next answer.
Answer: VQL Plugin
Question 3: What is followed by the WHERE keyword?
Just keep reading… the next sentence has the next answer.
Answer: filter expression
Question marked by a “?”. This is also in the documentation, but you will need to navigate to notebooks. Look in number 5 for…
After clicking the Edit Cell button, you can type VQL directly into the cell. As you type, the GUI offers context-sensitive suggestions about what possible completions can appear at the cursor. Typing “?” will show all possible suggestions.
Answer: ?
Question: What plugin would you use to run PowerShell code from Velociraptor?
Back to the documentation. Read the section about “Extending Artifacts – PowerShell” to find…
Answer: execve()
Task 7
Question 1: What are the arguments for parse_mft()?
It’s in the documentation. Look under time analysis for…
Question 2: Per the above instructions, what is your Select clause? (no spaces after commas)
Replace the **** per the instructions.
Answer:
SELECT "C:/" + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file="C:/" + FullPath) AS PE
Question 3: What is the name of the DLL that was placed by the attacker?
We have to create a notebook and plug in some VQL that we build using the previous answer as a template:
SELECT "C:/" + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file="C:/" + FullPath) AS PE
FROM parse_mft(filename="C:/$MFT", accessor="ntfs")
WHERE NOT IsDir AND FullPath =~ "Windows/System32/spool/drivers" AND PE
29 rows later, we see an oddly named DLL as the last row…
Answer: nightmare.dll
Question 4: What is the PDB entry?
Once you have the above, just look at the PDB line.
D.C. Board of Elections: Hackers may have breached entire voter roll – The District of Columbia Board of Elections (DCBOE) says that a threat actor who breached a web server operated by the DataNet Systems hosting provider in early October may have obtained access to the personal information of all registered voters.
City of Philadelphia discloses data breach after five months – The City of Philadelphia is investigating a data breach after attackers “may have gained access” to City email accounts containing personal and protected health information five months ago, in May.
Microsoft announces Security Copilot early access program – Security Copilot, Redmond’s AI-driven security analysis tool, makes it faster for security teams to counter threats using Microsoft’s global threat intelligence expertise and the latest large language models.
Microsoft Warns as Scattered Spider Expands from SIM Swaps to Ransomware – The prolific threat actor known as Scattered Spider has been observed impersonating newly hired employees in targeted firms as a ploy to blend into normal on-hire processes and takeover accounts and breach organizations across the world.
Jessica Barker is the co-CEO of Cygenta and a leader in cybersecurity awareness who is very active on social media.
The book acts as a primer for those interested in cyber security but don’t have a foundation in it.
I think the sub-title is misleading as the book spends 95% of its content teaching the basics of cyber security, which isn’t bad in itself, but it doesn’t go deep on ‘how to get started in cyber security and futureproof your career’.
Impressions
As I said in point 3 above, the book spent all its content educating on the basics of cyber and did not dive deep into getting into the field or futureproofing your career in cyber. This is all contained in one chapter, second to last in the book. This is not a bad book, but it doesn’t accomplish the goal on the cover. I was looking for something deeper about securing a future in a cyber career.
Who Should Read It?
Anyone interested in cybersecurity that does not already have a foundation in it. Those with a basic understanding will find, like me, 90% of the book covers the basics they already know.
How the Book Changed Me
I wouldn’t say this book had a huge impact on me. I got a couple of book and website recommendations and further solidified my cyber security understanding. Other than that, I learned maybe to abandon a book a little earlier in the future.
Question 11: What is the parent process of PID 740 in Case 002?
See screenshot above with PIDs listed. You can see that the executable before PID 740 is…
Answer: tasksche.exe
Question 12: What is the suspicious parent process PID connected to the decryptor in Case 002?
This is in the same screenshot. Basically this is asking what the PID for tasksche.exe is…
Answer: 1940
Question 13: From our current information, what malware is present on the system in Case 002?
This is kinda self-explanatory, so let’s take a wild guess…
Answer: WannaCry
Question 14: What DLL is loaded by the decryptor used for socket creation in Case 002?
PID 740 has a lot of DLLs listed. We could try each one in the answer box, but the question did say socket. The WS in WS2_32.dll stands for Winsock (Windows Sockets); it is the DLL a process loads to create sockets.
Answer: WS2_32.dll
Question 15: What mutex can be found that is a known indicator of the malware in question in Case 002?
We are going to use the handles plugin on this one and filter on PID 1940.
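The last few questions all come down to reading relationships out of Volatility tables: which PPID a process points at, which DLLs a PID loaded, which mutant handles a PID holds. Here is an added example (my own code, not from the walkthrough and not part of Volatility) that does those lookups programmatically over constructed pslist, dlllist and handles excerpts. It reuses the PIDs the post discusses (tasksche.exe is 1940 and the decryptor is 740), but the child’s image name “decryptor.exe” and the mutex name “SampleMutexName” are placeholders, since the post does not give either.

```python
"""Walk process ancestry and handle tables from Volatility-style output.

Added example, not part of the original walkthrough or of Volatility.
The tables below are constructed; they borrow the PIDs the post discusses
(tasksche.exe = 1940, decryptor = 740) and use the placeholder names
decryptor.exe and SampleMutexName, which the post never states.
"""

# Constructed pslist excerpt, trimmed to the columns the parser relies on
# (PID, PPID, ImageFileName); real output has more columns after these.
SAMPLE_PSLIST = """\
PID PPID ImageFileName
4 0 System
376 4 smss.exe
480 376 csrss.exe
540 480 winlogon.exe
620 540 explorer.exe
1940 620 tasksche.exe
740 1940 decryptor.exe
"""

# Constructed dlllist excerpt for PID 740.
SAMPLE_DLLLIST = """\
PID Process Base Name
740 decryptor.exe 0x400000 decryptor.exe
740 decryptor.exe 0x77dc0000 ntdll.dll
740 decryptor.exe 0x75e00000 kernel32.dll
740 decryptor.exe 0x76f00000 WS2_32.dll
740 decryptor.exe 0x74a20000 user32.dll
"""

# Constructed handles excerpt; the mutex name is a placeholder.
SAMPLE_HANDLES = """\
PID Process Offset HandleValue Type Name
1940 tasksche.exe 0x8a1c0000 0x4 Key MACHINE\\SOFTWARE
1940 tasksche.exe 0x8a1c0100 0x8 File \\Device\\HarddiskVolume1\\Windows
1940 tasksche.exe 0x8a1c0200 0xc Mutant SampleMutexName
740 decryptor.exe 0x8a1d0000 0x4 Mutant ShimCacheMutex
"""


def parse_pslist(text):
    """Return {pid: (ppid, image_name)} from a whitespace-separated table."""
    procs = {}
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 3:
            procs[int(cols[0])] = (int(cols[1]), cols[2])
    return procs


def parent_of(procs, pid):
    """(ppid, parent image name); name is None if the parent is not listed."""
    ppid = procs[pid][0]
    return ppid, (procs[ppid][1] if ppid in procs else None)


def ancestry(procs, pid):
    """Follow PPID links upward until the root or an unknown parent.

    The seen-set guards against PID reuse producing a cycle in old data.
    """
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append((pid, procs[pid][1]))
        pid = procs[pid][0]
    return chain


SOCKET_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll"}


def network_dlls(dlllist_text, pid):
    """Network-capable DLLs loaded by pid, from a dlllist table."""
    found = []
    for line in dlllist_text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 4 and int(cols[0]) == pid and cols[3].lower() in SOCKET_DLLS:
            found.append(cols[3])
    return found


def mutants(handles_text, pid):
    """Names of Mutant (mutex) handles held by pid, from a handles table."""
    names = []
    for line in handles_text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 6 and int(cols[0]) == pid and cols[4] == "Mutant":
            names.append(cols[5])
    return names


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("parent of 740:", parent_of(procs, 740))
    print("ancestry of 740:", ancestry(procs, 740))
    print("socket DLLs in 740:", network_dlls(SAMPLE_DLLLIST, 740))
    print("mutexes held by 1940:", mutants(SAMPLE_HANDLES, 1940))
```

Walking the full ancestry chain, rather than just one PPID hop, is what lets you spot the odd link (a dropper spawning a decryptor under explorer.exe, say) when the tree is hundreds of processes deep; filtering handles by the Mutant type is the same step you perform in the GUI or with the plugin’s PID filter.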
Russia and China-backed hackers are exploiting WinRAR zero-day bug – Google security researchers say they have found evidence that government-backed hackers linked to Russia and China are exploiting a since-patched vulnerability in WinRAR, the popular shareware archiving tool for Windows.
Fake Corsair job offers on LinkedIn push DarkGate malware – A threat actor is using fake LinkedIn posts and direct messages about a Facebook Ads specialist position at hardware maker Corsair to lure people into downloading info-stealing malware like DarkGate and RedLine.
D-Link confirms data breach after employee phishing attack – Taiwanese networking equipment manufacturer D-Link confirmed a data breach linked to information stolen from its network and put up for sale on BreachForums earlier this month.
23AndMe Hacker Leaks New Tranche of Stolen Data – Two weeks after the first data leak from the DNA ancestry service, the threat actor produces an additional 4 million user records they purportedly stole.
Cybersecurity Talent in America: Bridging the Gap – It’s past time to reimagine how to best nurture talent and expand recruiting and training to alleviate the shortage of trained cybersecurity staff. We need a diverse talent pool trained for tomorrow’s challenges.
NSA and CISA reveal top 10 cybersecurity misconfigurations – The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) revealed today the top ten most common cybersecurity misconfigurations discovered by their red and blue teams in the networks of large organizations.
Cyberwire – Ep 1925 | 10.12.23 – Hacktivism, auxiliaries, and the cyber phases of two hybrid wars. Challenges of content moderation. Cyberespionage in the supply chain. Don’t buy all the hype, but do fix your Linux libraries.