Ghosts in the Bank
October 27, 2016, John Skipper, Associate Security Consultant, Coalfire Labs
It was a dark night. A car pulled up in the parking space next to me and quickly extinguished his lights. I looked out the my window and saw the driver. He gave me a quick nod and we exited our cars. Opening the trunk I pulled out my tools for the night. A backpack full of trash bags, a flash light, gloves, a tarp and oily rags taken from the garage. We walked in the warm summer air up a hill and to the street corner where the target was finally in view. There was the bank. Tonight was just recon, getting a lay of the land and some dumpster diving. We approached the bank and made a quick walk around the block identifying windows, entries and exits and connecting the dots of what I found on Google Maps. By the cover of trees we started down an embankment towards the dumpster, but we spotted a police car. Trying not to cause any suspicion, we quickly made our way back to the sidewalk and walked away from the bank. My heart was racing. I didn't want to fail even before we started.
To [Hell] Shell and Back
October 27, 2016, Justin Berry, Security Consultant, Coalfire Labs
My initial thought was it has to be the firewall keeping my reverse shell from getting out of their environment. So, leveraging the command execution vulnerability, I started testing outbound internet access from the vulnerable server to my server on the internet, only to find that the port I had been using all along in the initial Metasploit attempt was allowed out. This left me with a sense of disappointed optimism because the firewall isn’t blocking it, but for some reason it isn’t working. “Maybe it’s getting caught by Anti-Virus”, I thought. I used the command execution to generate and execute an FTP script that would download a payload from my server. The logs on my server showed an active download from the target companies network. “.. Excellent..”, I mischievously muttered to myself in my best Mr. Burns impression.
How Twitter, Amazon, and others were impacted by last Friday's DDOS attack - and what you might want to do about it.
October 25, 2016, Kennet Westby, President and COO
Our partner, Chertoff Group issued the following advisory. Client Advisory: October 21 distributed denial of service (DDoS) attack. A major distributed denial of service (DDoS) attack recently (10/21/16) disrupted Internet communications throughout parts of the United States in several waves, and there is growing concern over a number of increasingly disruptive DDoS events that have occurred over the past several months. While facts are still unfolding, the Chertoff Group offers the following situational awareness on recent events and selected mitigation measures to consider.
What does the FBI have to say about ransomware
October 03, 2016, Tom Glaser, Healthcare Solutions Architect, Coalfire
The FBI provided guidance on ransomware at a recent FBI/US Secret Service/ISAC event. They defined ransomware as a type of malware that is commonly transmitted through malicious email, which is disguised to look normal. Once the email link has been clicked on, or an email attachment has been opened, the malware installs on the computer. After installation is completed, files on the computer become locked using encryption and cannot be opened without the key. A ransom message is then displayed with information on how to pay the ransom.