Security

Phishing Attacks using Office 365 and SharePoint

The bad guys have a new way of stealing your login credentials. They target you by sending you an invite via email to open a SharePoint document. The link takes you to an actual SharePoint page where you will see a OneDrive prompt. The prompt will have an “Access Document” link in it – don’t click this link!

This link is malicious and will take you to a fake Office 365 login screen. Any credentials you enter here will be sent to the bad guys. Don’t be tricked.

Whenever you’re submitting login credentials to any site, make sure to check the URL of the page for accuracy. Also, remember to always hover over links to see where they are taking you.
Remember, Think Before You Click.

Here’s how the Phish / Scam attack works

  • You the Friendly Office 365 user receives the malicious email –Often the use of URGENT or ACTION REQUIRED to instill a sense of immediacy to respond. The email contains a link to a SharePoint Online-based document.
  • The link directs to SharePoint – Attackers are using true-to-form SharePoint Online-based URLs, which adds credibility and legitimacy to the email and link since the user is being directed to a known-good hosting site.
  • You are then shown a OneDrive prompt – The SharePoint file impersonates a request to access a OneDrive file (again, a known cloud entity), with an “Access Document” hyperlink that is actually a malicious URL, as shown below.
  • You are then presented with an Office 365 login screen – Here is where the scam takes place. Using a very authentic-looking login page where the cybercriminals harvest the user’s credentials.

Here are is an example of a phishing email:

Just some advice – Jermal

 

How to search for Open Amazon S3 Buckets and their contents

How to search for Open Amazon s3 Buckets and their contents — https://buckets.grayhatwarfare.com

GrayHatWarfare created https://buckets.grayhatwarfare.com/ a free tool that lists open s3 buckets and helps you search for interesting files.

For an intro on what Amazon open buckets are, please read the following: https://blog.rapid7.com/2013/03/27/open-s3-buckets/

In essence, many files are publicly accessible, some by design. These files sometimes include very sensitive data. https://github.com/nagwww/s3-leaks has a list of the biggest leaks recorded.

Another reason why application owners who provide backups solutions and cloud storage should be encrypting their data before placing it on S3.  Anything less is negligence on their part.

Since this was exposed, many projects have been created that can enumerate s3 buckets:

All these tools/projects have some common problems:

  • The real problem is where to find the list to brute-force for buckets,  and not actually doing the brute-force.
  • All tools/projects only scan the first page for results.
  • thebuckhacker.com includes uninteresting files and useful results tend to be lost in the noise. Also, the first 1000 results of each bucket are fairly limited.
  • The process is slow and not productive. It’s not very useful for pen-testers to run a tool to run for days, save the exports somewhere and then grep them whenever they want to search for something. What is better is a useful tool in front of a large database.

 

Now there is  http://buckets.grayhatwarfare.com/.  Which took the ideas of the many projects and tools previously mentioned above.

The project’s features are:

  • It is a searchable database of open buckets.
  • Includes millions of results within buckets (In the future might be more).
  • Cleaned up and removed uninteresting files like images. Most images names are auto-generated.
  • Currently has ~180.000.000 files. Included are all images that number would go up to a few billion, which is a completely different system.
  • As of today, 70 000 and growing buckets are listed (not all of them have “interesting” files)
  • Full-text search with binary logic (can search for keywords and also stopwords)
  • List of the buckets.
  • The user can browse the contents of the bucket.
  • Excluded a lot of other things that are not interesting like cloud-watch logs.
  • Found a solution to the problem on how to generate possible names for buckets. The process reviles some hundreds of new buckets per day.
  • Automated the process.

The project is currently free and running on servers paid by me. There are some limitations in place to protect resources, but otherwise pentesters can use this on their daily tasks.

Whats to come in grayhatwarfare.com

Lots of cool things:

  • Subdomains pointing to expired buckets which can lead to something like this: https://www.reddit.com/r/netsec/comments/8t0pb2/how_i_hacked_applecom/
  • Huge lists of exposed version control (.git) which can expose the website’s repository (Source, password files, log files etc).
  • Exposed cameras/IOT devices.
  • Huge resources like extremely large (actual) cracked password lists.

 

Ref Source

Privacy & Google Search Alternatives

When it comes to privacy, using Google search is not the best of ideas. When you use their search engine, Google is recording your IP address, search terms, user agent, and often a unique identifier, which is stored in cookies.

Here are a few Google search alternatives

 

DuckDuckGo is a US-based search engine that was started by Gabriel Weinberg in 2008. It generates search results from over 400 sources including Wikipedia, Bing, Yandex, and Yahoo. DuckDuckGo has a close partnership with Yahoo, which helps it to better filter search results. This is a great privacy-friendly Google alternative that doesn’t utilize tracking or targeted ads.

Searx is a very privacy-friendly and versatile open source metasearch engine that gathers results from other search engines while also respecting user privacy. One unique aspect with Searx is that you can run your own instance

Qwant – is a private search engine that is based in France and was started in 2013. Being based in Europe, the data privacy protections are much stricter, as compared to the United States.

Metager – is a private search engine based in Germany, implementation of free access to knowledge and digital democracy. Ref: https://metager.de/en/about

StartPage – StartPage gives you Google search results, but without the tracking.
Ref: https://classic.startpage.com/eng/protect-privacy.html#hmb

 

Set up the Default Domain for vCenter Single Sign-On | Tech-Short

vCenter Single Sign by default requires the user to specify the domain during authentication with vCenter.
Example: JERMSMIT\admin or admin@JERMSMIT.LAB.

You can eliminate the need to insert the domain in the username by following the following steps.

 

  1. Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges.

  2. Browse to Administration > Single Sign-On > Configuration.
  3. Under the Administration, configuration locate the Identity Sources tab
  4. On the Identity Sources tab, select an identity source and click the Set as Default Domain icon.
  5. In the domain display, the default domain shows (default) in the Domain column. Set the domain of choice as your new default.

The next time when you attempt to login into vCenter, you can omit the DOMAIN from your username.

Full ref located here
Full Link: https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.psc.doc/GUID-11E651EF-4503-43BC-91F1-15502D586DE2.html

 

CVE-2018-0886 – CredSSP Remote Code Execution Vulnerability

Description

A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker could exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process.

The vulnerability impacts Windows 7, Windows 8.1, and Windows 10 systems, as well as Windows Server 2008, Windows Server 2012, and Windows Server 2016.

Download patches here

To address the issue, Microsoft released an update to correct the manner in which CredSSP validates requests during the authentication process. The update patches the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.

“Mitigation consists of installing the update on all client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible,” Microsoft says.

I have noticed that this patch has been disruptive to system owners who use remote desktop to access and manage servers.  Installing the patch on a client host w/o having it installed on the remote endpoint will end in an error preventing you from accessing them.

 

Its best to upgrade endpoints (servers) before client systems

Ref: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886