Friday, May 22, 2020

'CyberWar' in regard to the tension in Nepal, as portrayed by the media, and my take on it.

From my understanding, the recent shifts in political tension between the two neighboring sides have been gaining heaps of local and international attention these days. The public is always curious, and always will be, to better understand the next move from each of the neighboring counterparts. When it comes down to the 'cyber side' of the tension, I always find it fascinating to explore what lies beneath the "talk of the town".

So, a couple of web page defacements have been happening in the background while this political tension is still playing out.

If you have been active in the infosec domain in these regions, then web pages getting defaced is not really a new topic; it has been more of a routine, I would say. Every other day there are hundreds of websites and servers getting hacked and defaced (which can be seen on various public mirrors such as Zone-H and archive records).

Now, coming back to the view. From what I see, a couple of web pages getting defaced by the southern side and the retaliation by some self-proclaimed cyber wizards (aka the script kiddies) is just another lockdown effect on their tedious, cunning cyber minds. "Cyber War" is a cheap phrase to use right now. I would rather argue against, and disregard, a couple of IT media houses along with some self-proclaimed pro bono cyber journalists who do very little research of their own. To speak frankly, some of them just want a few spicy toppings on their daily news to generate more views and revenue through their AdSense accounts and the like, and nothing so far has been captivating.

The curiosity now boils down to the question, "Are we ready?". A simple answer is, No.

Let me get this from the top of my head.

Did we ever try to take security seriously and invest in it? Probably, but 'seriously' is doubtful. Did we ever try to invest in security in the CD pipeline or in the SecDev lifecycle, and keep doing so? Pretty rarely. Did we ever make a nationwide investment in offensive and defensive capabilities? Maybe. Maybe not! Or maybe we will do it tomorrow. Alas, that "tomorrow" never came.

An older article published by a Nepalese print outlet in 2017, "Cyberwarfare: How prepared is Nepal?", can be found here (https://thehimalayantimes.com/opinion/cyber-warfare-how-prepared-is-nepal/) and is still relevant. There may have been some minor changes, and people may be more aware now, but personally I still do not see any major change.

The recent attacks on some high-profile Internet Service Providers (ISPs), attacks on some well-known startup-ish organizations, attacks on an endpoint of a high-profile class-A commercial bank, citizens' data being found and made publicly available, and then the constant data leaks affecting thousands of users! It could well have been an over-excited skiddo running automated tools who brought these down and publicly made their laughable statements, yet the cyber branch never opened up about its forensic investigations. You see what I see, right?

That's pretty much the answer!

Nepal's VNY2020 Campaign - The Cyber Metaphor.

Nepal is expecting at least "500,000 Chinese tourists", "at least 150,000 British visitors", a "target of 2 million tourists" and much more. In Nepal, the year 2020 is marked by the 'Visit Nepal Year (VNY) 2020' campaign, organized to promote tourism in the country. The quoted numbers above are just examples; visitors are expected from all over the globe. Let's not forget the patterns, facts and trends of "Hacker Tourism" that have been rising remarkably in previous years.

Let's take the hypothetical assumption that there will be cyber guys willing to slip across the border in disguise, bypass the border forces, get inside the country and potentially wreck the cyber economy. The assumption could theoretically be proved wrong, but it can't be disregarded either. In fact, there could already be a handful of APT groups planning to proxy their route via Nepal, roll their hax and skedaddle through the foobar into thin air! There are threats, and the threats to the cyber side of VNY2020 are for 'real'.

Let us all keep an eye out for the would-be cyber warriors unloading their skill set onto the VNY2020 campaign. Let's not give ourselves a reason to read "Mega Breach" headlines popping up all over the pages and the internet this year. Let's not become cyber victims, and let's watch out for potential moves in a measured way.

Sources for the quoted figures:

1. https://www.nepalitimes.com/banner/chinese-tourist-influx-to-nepal-in-2020/

2. https://www.nepal24hours.com/visit-nepal-2020-campaign-kicks-off-in-uk/

3. https://www.nepalitimes.com/business/turkish-and-visit-nepal-2020-sign-mou/

(Originally, this article was published on January 6, 2020.)

Saturday, October 5, 2019

The weakest link in the infosec chain - Humans?

Vendor Email Compromise (VEC), Business Email Compromise (BEC), phishing attacks, whaling attacks: you name it. Everything eventually points back to humans, and we are all targeted in one way or another. It is a well-known adage in the information security domain that 'humans are the weakest link'. Our thoughts, emotions and innocence can easily be manipulated by an external party the way they want, although how far depends on many factors and on the situation at hand. Nonetheless, this does not mean we can do nothing about the human side and should instead invest in fancy gadgets: firewalls, heavy-duty appliances, spam protection and filters, endpoint protection, HIDS/HIPS, and so on. Defense in depth is a good strategy; however, applying it does not mean you are 'free from risk', it simply means you are 'shifting the risk'. At some point, the remaining risk is still likely to be exploited.

Say, for instance, you implemented all the fancy, heavy-duty devices and endpoint protection mechanisms, everything in place to prevent and combat such attacks, and then think you are now protected, everything is in place, everything is sorted, right? I would strongly argue that you are still not mature enough to combat other evolving threats. The threats from Bring Your Own Device (BYOD), Bring Your Own Phone (BYOP) and Bring Your Own PC (BYOPC) still exist and are, in fact, growing rapidly. Making sure that people understand the technology they are working with, and that they follow the defined procedures, is the least any organization can do.

The attack vectors might differ: a phishing link in an email, an attachment with an embedded backdoor, a malicious mobile app, a QR code that leads to a malicious link or attachment, drive-by downloads, vishing, smishing; the list goes on. An attacker with malicious intent will always find a cunning way to make you perform an act that is not in your best interest. Therefore, being aware of the evolving threats, training people on the different attack vectors and, most importantly, understanding the security culture and practice is definitely a good start.

Humanity still exists. People still care about others, they care about things, they care about their priorities, they care about what matters most to them, and eventually they are kind enough to fall for a baited trap they may not be aware of. Let us take it this way: at some point, you might fall for it; you might become the weakest link. What actually matters is that we all stop saying "There is no cure for human stupidity". Let us focus on the fact that "stupidity" only exists because of "ignorance", or "illiteracy on the subject matter". Therefore, do not train your employees not to click on the link. Train them on how to spot such links, how to spot the difference, and how malicious people operate and try to manipulate their thinking, so that they develop the awareness needed to spot the difference with maturity in any given situation.

Attackers do not operate on a 9-to-5 office schedule, working five days and then taking days off. If you are training your employees just not to click on the link and you want to protect your business, let me remind you that you are probably playing it wrong. Do not train your employees to keep your business safe; train them to act safely and spot the differences, and they will eventually keep your business safer, even outside business hours.

PS: Thanks for taking the time to go through this post. Any thoughts, suggestions, criticisms or appreciation are highly appreciated.

Sunday, December 2, 2018

How vulnerable could the internet be - From BGP perspective

The internet as we know it is an interconnection of networks. These networks are managed by organizations, large corporations, internet service providers (ISPs), network service providers (NSPs), cross-border internet exchange points (IXPs) and the various Regional Internet Registries (RIRs). The traffic that flows between those organizations, providers and exchange points is delivered and received according to a protocol, a set of rules known to the world as the Border Gateway Protocol (BGP). If someone with malicious intent manages to break or manipulate this one protocol, that attacker can potentially manipulate the flow of traffic on the internet as a whole.

BGP is the standardized exterior gateway routing protocol used to interconnect networks, exchange routes and share reachability information. Each entity is uniquely identified by its Autonomous System (AS) number. Technically, a router first prefers the most specific (longest) matching prefix and then runs BGP's best-path selection algorithm, which weighs criteria such as weight, local preference, neighbor count and so on. For example, let's say Google uses 172.168.0.0/20 to announce to the world that it is their network, and on the other hand Someone uses 172.168.0.0/24 to announce that it is theirs. Traffic destined for 172.16.15.14 would then go to Someone instead of Google, if the information sent by Someone is accepted by the neighboring network and further propagated across the internet. When the communication between different ASes is misconfigured, or in some cases deliberately hijacked, this chaotic scenario is known to the world as prefix hijacking, or BGP hijacking. The above example is not just a hypothetical scenario; these threats exist on the internet: the AS 7007 incident in 1997, Pakistan hijacking the entire YouTube network in 2008, a Chinese ISP hijacking the entire internet in 2010, a Canadian ISP being hijacked to steal Bitcoin and other cryptocurrency in 2014, Russian telecommunication companies hijacking the networks of US tech giants multiple times, including the MasterCard and Visa networks, in 2017, and lately Google Cloud's traffic being routed to Russia by a Nigerian ISP. A simple misconfiguration or a malicious act in just a single protocol can create chaos on the internet. According to some sources, various state-sponsored hackers, government agencies and private organizations have been found doing exactly this (traffic hijacking) to perform large-scale man-in-the-middle attacks, traffic monitoring and/or censorship.

Some security experts argue that BGP can never be made secure and that a new protocol should be introduced instead. Nevertheless, there are techniques such as RPKI (Resource Public Key Infrastructure), which ties AS numbers and address resources to cryptographic signatures, and Route Origin Authorizations (ROAs), which associate an address prefix with the AS number authorized to originate it, among others. As long as these technologies are not used and tuned properly, putting fancy technology in place without making use of it will never guarantee security, and the Confidentiality, Integrity and Availability of the system, and the Authenticity of traffic across the network as a whole, will keep being broken.
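As an added example (not part of the original post), the following Python models the hijack described above: a longest-prefix match picks a more-specific announcement from a different AS, and Route Origin Validation (RFC 6811) against a ROA rejects it. The prefixes, AS numbers and the ROA are constructed values in documentation address space, not the 172.168.0.0 example from the text.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str      # prefix as announced, e.g. "203.0.113.0/24"
    origin_as: int   # AS number that claims to originate it


@dataclass(frozen=True)
class Roa:
    prefix: str      # address block covered by the ROA
    max_length: int  # longest prefix length the origin AS may announce from it
    origin_as: int   # the only AS authorised to originate that space


def rov_state(route: Announcement, roas) -> str:
    """Route Origin Validation (RFC 6811): 'valid', 'invalid' or 'not_found'."""
    net = ipaddress.ip_network(route.prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not_found"   # no ROA says anything about this space (accepted by default)
    for roa in covering:
        if roa.origin_as == route.origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"         # covered by a ROA, but wrong origin AS or too specific


def select_route(dest: str, rib, roas=(), drop_invalid=False):
    """Longest-prefix match over the RIB; optionally discard ROV-invalid routes."""
    addr = ipaddress.ip_address(dest)
    best = None
    for ann in rib:
        net = ipaddress.ip_network(ann.prefix)
        if addr not in net:
            continue
        if drop_invalid and rov_state(ann, roas) == "invalid":
            continue
        if best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen:
            best = ann   # the more specific announcement wins, whoever sent it
    return best


# Constructed scenario (TEST-NET-3 space, not a real incident):
LEGIT = Announcement("203.0.113.0/24", 64500)     # rightful origin
HIJACK = Announcement("203.0.113.128/25", 64666)  # more-specific from another AS
RIB = [LEGIT, HIJACK]
ROAS = [Roa("203.0.113.0/24", 24, 64500)]         # only AS64500 may originate, up to /24

if __name__ == "__main__":
    for ann in RIB:
        print(f"{ann.prefix} from AS{ann.origin_as}: {rov_state(ann, ROAS)}")
    print("no ROV  :", select_route("203.0.113.200", RIB))
    print("with ROV:", select_route("203.0.113.200", RIB, ROAS, drop_invalid=True))
```

Note the maxLength caveat the ROA introduces: with max_length 24, even the rightful AS64500 announcing 203.0.113.128/25 would be judged invalid, which is why ROAs have to be tuned to what the holder actually announces.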

Sunday, November 18, 2018

A lazy night CTF party - Vulnhub - (box Matrix: 1)

Okay, so I had downloaded this (Matrix 1) box a week or so back, but due to some random busyness I just could not give it a shot. Also, I usually don't engage much in CTFs, but when I feel extremely bored, like super bored, I give myself a chance to engage in something interesting and learn new techniques. Anyway, let the story begin.

It all started with booting up the recently downloaded virtual machine's OVA file.

As described in the release information for this box, "Matrix is a medium level boot2root challenge." Furthermore, "Difficulty: Intermediate" and "Your Goal is to get root and read /root/flag.txt". Intermediate level sounds good to me; let's continue.

A quick SYN scan of my network with 'nmap -Pn -sS 192.168.1.0/24 -v' showed a host with ports 22, 80 and 31337 open. Looking further at those ports with the '-sV' option gave more detailed information on the services running on them: it seemed that OpenSSH and Python's SimpleHTTPServer were running.

I opened the browser on the host's IP (HTTP, port 80), which showed a simple-looking web page with not much information, but with a fancy-looking Matrix message that said "Follow the White Rabbit" and "Welcome to the real world, Neo. I'm glad you're here." I thought for a while: okay, so where's my White Rabbit? A quick CTRL + U and I got to see something like '<div class="service"><img src="assets/img/p0rt_31337.png"/ width="15">'. This seemed interesting! I already knew that port eleet was open, so this should be related. For a couple of minutes I thought that this PNG could hold some hidden information (maybe something to do with steganography?), but no, my hunch was wrong.

I followed the White Rabbit and jumped to port 31337 in my browser. Now I saw a new page with another fancy-looking message. Just from the heading 'Cypher' I had in mind that this could have something to do with deciphering a message. I then did a quick CTRL + U, and there it was: '<!--p class="service__text">ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=</p-->'. My instincts were right! "A long fancy-looking text ending in an equals (=) sign could be base64 encoded," I said to myself. It indeed was base64. The message was: echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix

This made me think, "something is echoed into Cypher.matrix", so I sent a GET request to /Cypher.matrix and yes, something was there. I was indeed following the rabbit down the hole.


Inside Cypher.matrix was complete chaos, a disaster: operators, operands, brackets and signs were floating around in front of my eyes. A quick search on the use of the characters "+, -, <, >, [, ], (, )" led me to Brainfuck. Sorry, did I say something inappropriate? No, let's continue.

So, it was basically an esoteric programming language. With that insight, I decoded the message, which said: "You can enter into matrix as guest, with password k1ll0rXXNote: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password." Okay, so it seems we are now getting deeper into the rabbit hole! But we still don't have the full password to the system.

So, I used the command "cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 2 > char-file", which generates random two-character alphanumeric strings and writes the list to char-file. From that file I created a dictionary for my brute force, since we already knew the SSH port was open.

"awk '{print "k1ll0r"$0}' char-file > password-list" then creates the password list for the brute force.

I knew Metasploit would be helpful here, so I fired up a shell, ran msfconsole and used the 'auxiliary/scanner/ssh/ssh_login' module. Username guest, my dictionary file, a wait of a couple of minutes and bang! We now have a matching password and a session opened for us. I interacted with the session we had just established with 'sessions -i 1', spawned a proper shell with Python, and we're in! We now have a working shell on the box!


I then listed the present working directory from the shell and saw one unusual directory, prog. 'Prog is short for programs; it probably holds an executable program and maybe I can reverse it and spawn root. Or maybe the executable has misconfigured permissions or something like that,' is what I thought at the moment after noticing the prog directory.


Excuse me, did I just see a vi? 'vi is a text editor; it has always helped people get to a root shell. Am I getting luckier, or is the White Rabbit calling me?' is what I thought next. I then opened the vi editor, typed ":!/bin/bash -i" and bam! I got a full-fledged guest shell on the box from my Python-spawned shell.


Our goal is to root the box, collect the flag and move on. Checking the allowed sudo commands with 'sudo -l' showed something like "(ALL) ALL". How cool is that? "sudo /bin/bash", enter the guest password we found earlier, and bingo! We're now root and have officially pwned the box.


Cat the flag and we've got it!


Anyway, Matrix 1 was interesting. I hope to follow the White Rabbit deeper down the path in the coming days. Thanks, unknowndevice64, for building the Matrix!


'I know what you're thinking, 'cause right now I'm thinking the same thing. Actually, I've been thinking it ever since I got here: Why oh why didn't I take the BLUE pill?' or 'Perhaps we are asking the wrong questions.'

Thursday, June 28, 2018

Our information in this era is in a perilous state! - (PageUp Security Breach)

We have heard a lot of gossip about the latest security breaches suffered by companies like PageUp and Flightradar24 last month. The cyber havoc suffered by the human resource management company, or rather the 'cloud-based Software-as-a-Service' provider PageUp, is now in the limelight.

As stated on PageUp's official page, "PageUp delivers HR software that helps your employees reach their full potential, anywhere in the world." Organizations from various sectors, including corporations, financial institutions, universities and healthcare groups, among them the Reserve Bank of Australia, Commonwealth Bank, National Australia Bank (NAB), Australia Post, the Australian Broadcasting Corporation (ABC), Medibank, Australian Red Cross, Bupa, the University of New South Wales (UNSW), the Australian National University (ANU), Macquarie University, Charles Sturt University (CSU), Lindt, Australian Gas Light (AGL), Tatts Group, Aldi, and Wesfarmers Group's businesses including Coles, Kmart, Target and Officeworks, depended on the HR management service provided by PageUp and were affected by the security incident that occurred in May.

The immense use of online, internet-based systems has made our work easier and saved time in most cases. These systems have given us many opportunities and made our work efficient; however, they have always lacked something or other, and in this case it was 'Security'. The 'Trust' that users place in these online systems is tremendously high. People feel safe sharing their private information with a third party, thinking their information is in the right hands and that these companies will safeguard it. Nevertheless, this has not been the case. Private and crucial information including email IDs, passwords, dates of birth, phone numbers, home addresses, nationality, passport numbers, driving licence numbers, card details, bank details, tax file numbers, superannuation details, past and present employment history and other such information could have been exposed to cyber criminals in the recent breach.

Any information that we hold and share about ourselves is critical, whether it is our date of birth, home address, phone number or email ID, or personally identifiable information (PII) such as citizenship ID number, passport number, licence number, tax file number or bank account details; all of it could be used against us to cause harm, either physically or virtually.

So, what would cyber criminals do with my personal information?
This could be the curious question that most of us have in mind. Well, cyber crooks are sure to generate huge sums of money from such compromised personal information. Phishing, vishing or smishing scammers are most likely keen to get such information for various fraudulent activities. Advertising companies might want it to target their advertisements at a specific group of people living in a certain locality or the like. Criminals might use the financial information to extract money online or physically. Cyber crooks might sell such data to criminal gangs, commit identity theft and cause severe catastrophe in an individual's life. If such evil were to happen, the sky's the limit for those crooks.

Technically speaking, such critical personal information about an individual is worth no more than five dollars on the dark web, and yes, there are people interested in buying it.

People may be able to change their usernames, passwords and email IDs, and they may change their bank card details, but information like date of birth, mother's maiden name and working history (résumé information) is like biometrics, like fingerprints: nothing can be done and nothing can be changed; once it is gone, it is gone forever. Until and unless we create cyber-aware netizens and make proper use of proper technologies, these sorts of incidents will never stop happening.

In conclusion, PageUp was just another example. There could be thousands of similar organizations that provide such services and hold critical personal information on millions of people, and hundreds of them could still be vulnerable to a similar hack. Let's not forget that Ashley Madison, Equifax, Cambridge Analytica and other such breaches are now history. If, even after all these years of lessons learned, we cannot safeguard the information of individuals who completely trust and provide their details to such companies, and in the end their trust gets exploited out of the blue, then all of our presence in this virtual world of computer networks could be doomed.

Are other such companies, private and government organizations, working hard to protect their netizens' private data?

Finally, the question is that “Is our information in this era, in a perilous state?”

Monday, April 30, 2018

Cyber kill chain - Oh what a fancy thing it is!

Let's say I manage a network. My system was publicly accessible and someone has managed to exploit a vulnerability in it using the MS17-010 (EternalBlue) exploit. As the network manager, I can see some egress traffic on my SMB port and have now found that my system is communicating with an external IP address (possibly someone's Command and Control server).

The question is, what do I do now?
Should I call the incident response team that does not even exist? Should I shut down the whole network? Should I start reading my organizational policy to figure out what I am supposed to do, or should I start to cry, since the attacker could be planning to inject WannaCry or the like into the network?

That's exactly when you need a Cyber Kill Chain.

So, what exactly is it?

The Cyber Kill Chain is a framework that is part of the intelligence-driven defense model for identifying and preventing cyber intrusion activity. It is also commonly referred to as the cyber attack lifecycle. The model, the Cyber Kill Chain framework, was developed by Lockheed Martin and is commonly used for the identification and prevention of cyber intrusions.

Should I even care about the Cyber Kill Chain?
If you are an organization or individual that maintains and manages the flow of data in and out... In short, ya; sorta!

Let's get back to the thrill, the insight of an attack:

Usually, every attack starts with passive recon, then active recon, and then the real attack happens; the attacker then expands the attack surface, exploits, begins the post-exploitation phase, creates a backdoor, exfiltrates the data and clears their tracks. Lockheed Martin defines these phases as Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.

Source: Lockheed Martin

As said earlier, in the imaginary network that I manage, the attacker's next steps are to create a new backdoor and scan the internal network for lateral movement. The attacker gets access to my internal database server or the like, exfiltrates the data, tries to clean their traces and walks away with their needs fulfilled for now, since they already have a backdoor they can use at any time.

This is just a simple idea of what could happen here; there could be hundreds or thousands of possibilities for what the attacker might be doing or wanting to do, depending on what information the organization or individual holds and on the attacker's motive.

In some cases, such as sophisticated APT attacks, the attackers do not follow these steps; they sometimes skip steps or add their own, making the visible attack just a diversion, and finding the real attacker's information would be like finding a needle in a haystack. For example, a DDoS attack could be used as a diversionary manoeuvre to create an immense number of events in the logs, making the actual event harder to find.

The Cyber Kill Chain helps prevent attacks and suggests preventive measures at each of these stages. To break the chain: if there is an event, or anything that seems suspicious, start digging into it. If you feel it is a genuine attack in progress, triage the incident. Figure out how the attacker got inside the system, or how the attacker is trying to get in. To stop possible future damage, gather the forensic investigation and incident report and work out how to stop this type of attack in future. There are certain technologies that help kill the attack chain, such as anti-spam, web filtering, intrusion prevention and detection, antivirus, SIEM, DBAM, next-generation firewalls, data loss prevention and others.
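As an added example, not code from the original post, here is a small Python check that runs the scenario above over constructed flow records: inbound SMB from the internet, the SMB egress to an external IP, and the internal SMB scanning that follows, each tagged with the kill-chain phase it evidences. The 10.0.0.0/8 internal range, the three-peer scanning threshold and the flow records are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed address space of the managed network; anything else is "external".
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SMB = 445

# Constructed flow records (src, dst, dst_port); not taken from any real log.
FLOWS = [
    ("198.51.100.7", "10.0.0.5", SMB),   # internet host reaches SMB on a public-facing server
    ("10.0.0.5", "198.51.100.7", SMB),   # that server now opens SMB outbound to the same host
    ("10.0.0.5", "10.0.0.11", SMB),      # ...and starts touching SMB on internal neighbours
    ("10.0.0.5", "10.0.0.12", SMB),
    ("10.0.0.5", "10.0.0.13", SMB),
    ("10.0.0.9", "10.0.0.20", 443),      # ordinary internal HTTPS, nothing to report
]


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def classify_flow(src: str, dst: str, port: int):
    """Map a single SMB flow to the kill-chain phase it evidences, or None."""
    if port != SMB:
        return None
    if not is_internal(src) and is_internal(dst):
        return "Exploitation"          # SMB exposed to the internet: the MS17-010 path in
    if is_internal(src) and not is_internal(dst):
        return "Command and Control"   # SMB egress to an external host (the post's scenario)
    return None                        # internal-to-internal is judged in aggregate below


def find_lateral_movement(flows, threshold: int = 3):
    """Internal hosts that opened SMB to at least `threshold` distinct internal peers."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        if port == SMB and is_internal(src) and is_internal(dst):
            peers[src].add(dst)
    return {host for host, seen in peers.items() if len(seen) >= threshold}


def kill_chain_report(flows):
    """Phase -> set of internal hosts implicated; one host may appear in several phases."""
    report = defaultdict(set)
    for src, dst, port in flows:
        phase = classify_flow(src, dst, port)
        if phase == "Exploitation":
            report[phase].add(dst)     # the internal box that was reached from outside
        elif phase == "Command and Control":
            report[phase].add(src)     # the internal box calling out
    for host in find_lateral_movement(flows):
        report["Actions on Objectives"].add(host)   # internal scanning / spread
    return dict(report)


if __name__ == "__main__":
    for phase, hosts in kill_chain_report(FLOWS).items():
        print(f"{phase:22s} {sorted(hosts)}")
```

Blocking TCP/445 egress at the perimeter would have stopped the second flow outright; the report is there to show where in the chain each host sits so that triage can start from the earliest phase rather than from the alert that happened to fire.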

Again, my question to you: should you care about the kill chain?
You may say: I do not own any information, I do not have any data as such, or I do not have anything at all. So, why should I care?

For example, in many cases the attackers might not be interested in large-scale data or high-profile servers at all. Small compromised resources can be used to commit advertisement fraud, spread misleading information or news, send out spam, extort the company for ransom, sell the data they have acquired on the black market, or even rent out the hijacked infrastructure to other criminals, as in selling these servers to provide ransomware-as-a-service, DDoS-as-a-service and the like.

The goal here is not just to know the 'Cyber Kill Chain'. You know it, great! What are you waiting for? Implement it; follow the kill chain model and gotta catch them all!

PS: To stop an attack, you need to think like an attacker.

A little bird once told, "Know the enemy and know yourself."