Wednesday, 17 April 2019

The Power of Social Engineering, Part One: Know Your Enemy

Written by Stuart Peck

On 9th April 2019 in London, ZeroDayLab hosted our Social Engineering Masterclass, where I presented (together with a line-up of other ZeroDayLab speakers) the tactics, techniques and procedures attackers use to deploy social engineering to great effect.

This trilogy of articles looks to build upon that message in greater detail. In part one, we will detail the tactics used by attackers, with an explanation of each of the 6 core principles of social engineering and influence. In the second article we will delve into attacks in operation, looking at case studies where social engineering is most effective, and discuss target profiling and pretexting. The final article will discuss active social engineering defence, designed for both individuals and organisational strategies that can be deployed to reduce the risk of a successful attack.

What is Social Engineering?

“Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information… a type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional ‘con’ in that it is often one of many steps in a more complex fraud scheme.”

It has also been defined as “any act that influences a person to take an action that may or may not be in their best interests.” (Wikipedia)

In the context of this article we are going to focus on the techniques and tactics of modern social engineering, with examples of phishing, vishing, smishing, and how this supports other attacks such as hacking and physical entry.

Robert Cialdini is famous for identifying and cataloguing the 6 principles of persuasion, the foundations on which most modern-day social engineering is built. These are:

  • Reciprocity: people tend to return a favour if they see value in what has been offered. This is used a lot by intelligence agents and police to coerce their target into cooperation.
  • Commitment: if people commit, orally or in writing, to an idea or goal, they are more likely to honour that commitment because they have stated that the idea or goal fits their self-image.
  • Social Proof: people will do things that they see other people doing. Studies have successfully convinced people in a group that a red object is blue, for example.
  • Authority: people tend to obey authority figures, even when asked to perform objectionable acts. In the workplace this is also driven by the company culture.
  • Likeability: people are easily persuaded by other people whom they like. Combine this with trust and the effect is compounded. Always be wary of the attacker who comes at you with a smile.
  • Scarcity/Urgency: people are influenced by fear of loss, or by the negative consequences of missing deadlines. This creates urgency, the state in which human error is most likely to be exploited, e.g. by ransomware.

With these principles in mind, you can see how unsuspecting users can be coerced or influenced into making decisions that are not in their, or their respective employer’s, interest.

For example, one of the biggest threats (and tools for attackers) in recent history is social media, which has desensitised many to the dangers of oversharing and has led to people sharing:
  • Images of their credit cards
  • Images of boarding passes, whose barcodes, when scanned, contain personal information including passport details
  • Information that can be used to work out passwords
  • Information about their employer, including images of their badge and perhaps business cards
  • Selfies and videos that contain personal information which, again, can be used to build a profile.

Combine this with the wealth of information that can be gathered relatively easily on a company and its employees using open source intelligence (OSINT), and the attacker has a dossier from which to build a solid pretext, or in some cases to directly access mailboxes where employees have re-used weak passwords or credentials found in publicly available breaches.

The pretext, or the scenario presented to the target, is built upon 4 conditions that establish trust. For example, through OSINT the attacker will have gathered some critical information about the target and the organisation: the names of direct management, colleagues in another location, project code names, information about systems, or enough to directly impersonate a trusted third party.

This information builds some form of credibility, which the attacker can pivot to establish some of the following:

Figure 1: Principles of Trust

The reality is that most phishing emails rely on credibility and some form of authority, because it is very difficult to build likeability without the proper tone over email, whereas other attacks such as vishing or in-person social engineering leverage a combination of Likeability, Authority and/or Empathy to great effect. And without the proper training, tools and ongoing awareness of the threats, social engineering is going to remain part of the attacker’s toolkit.

Who Uses Social Engineering, and Why?

Social engineering is used as part of, or as the main, attack vector by a range of threat actors. These include:
  • Hackers: social engineering is a valuable part of the toolset for black-hat hackers, who usually deploy a range of techniques to gain a foothold on a target’s network.
  • Scammers: highly effective but simple attacks deployed by telephone scammers are costing the global economy billions. Vishing is still a very viable attack vector.
  • Identity Thieves: using stolen information obtained through hacking or purchased on the Dark Web, these social engineers assume the identity of their target to obtain new credit or control of existing accounts, for huge financial gain.
  • Cyber Criminals: these attackers use the full suite of social engineering techniques, but phishing is the weapon of choice, either to deliver malware that gains a foothold on the network or to harvest Personally Identifiable Information (PII).
  • Governments: state-sponsored attackers use social engineering for a range of objectives, from IP theft and influencing elections (in other countries) to targeted espionage.
  • Insiders: according to the 2018 Insider report, 90% of organisations feel vulnerable to insider threats. Insiders know your systems and data, and can cause maximum damage.

The main reason social engineering is the most widely used tool in the attacker’s toolkit is that it needs very little infrastructure and costs almost nothing to run, yet it yields among the highest returns for the attacker.

To fully understand the effectiveness of social engineering, we have to dive into case studies, the tactics and why they work, and what companies and individuals can do to detect and protect themselves; these will be covered in parts 2 and 3.

Monday, 4 March 2019

Supply and Demand, Risk and Severity – Defining the Damage


Written by Will Lambert

Suppliers: we all have them, we all need them. Some are essential to our day-to-day business activities, whether they provide website hosting, supply power, provide heating or air conditioning systems and maintenance, payroll software, CCTV, education services, physical or information security; the list goes on. With this almost never-ending list of suppliers, each poses an individual risk to our organisations. You should already have a good understanding of how suppliers interact with your workplace, how important they are, and which ones are most important. This can be described as a rank of criticality. If a supplier is high on this rank of criticality, we also need to understand what risks they present to our organisation.

Let’s revisit defining risk. A risk is defined by ascertaining a threat (anything that can harm an asset) multiplied by vulnerability (a lack of safeguard). The initial identification of risk is no easy task but what is usually misunderstood is assigning a severity to a risk. So, for example, if we have a supplier who handles all our customer data (asset), the risk is that they become breached (through lack of safeguard), so what is the severity of the risk being realised upon our business?

Severity can be defined by using a quantitative guide called a likelihood / impact matrix; for this blog, this is what we will be using. For each organisation, impact and likelihood metrics will be different but let’s use the following as a brief example.

Likelihood can be defined using the following matrix:

The following can be used to help define impact for an organisation.

Using the above matrices, each individual asset that a supplier provides must be assessed to gauge the severity of the risk each supplier presents. Likelihood values can be ascertained by a qualitative assessment, which is a subjective or personal view of how likely a supplier is to fall victim to a cyber-attack; essentially, it’s a gut feeling. However, we can also use Supplier Evaluation Risk Management (SERM), which provides a much more accurate picture of how resilient your supplier is to a cyber-attack and of any incident response preparation they may have undertaken in order to return to a business-as-usual (BAU) state.

Before we look at likelihood, let’s have a quick review of impact. Impact is a bit trickier; it’s all about considering the effect a realised risk would have on your organisation. Impact would include consideration of any regulatory fines imposed by governing bodies, such as the ICO (EU GDPR and DPA18), PCI DSS and, if you are an Operator of Essential Services (OES), whichever Competent Authority (CA) applies to you. Impact would also consider items like reputational damage and remediation activities, such as the credit monitoring Equifax provided for all of its customers after their 2018 breach.

Asset Value (AV), Single Loss Expectancy (SLE) and Annual Loss Expectancy (ALE) metrics can (and in the case of mature organisations should) be used to help guide the assessment of impact but this process can be a convoluted one, especially when you consider the fines and remediation activities, and is therefore a different blog post entirely!

Circling back to identifying likelihood values: essentially, we are asking ourselves how likely it is that this supplier will become compromised. The SERM approach allows us to ask how seriously our suppliers take information security and to gauge their responses. This is more than a simple gut feeling: it draws on industry best practice, applicable standards and almost anything else you feel is relevant to your business, incorporated into a questionnaire and sent to your suppliers.

Depending on the rank of criticality we described earlier, matched with your organisation’s statement of information risk appetite, and even consideration of possible impact levels, suppliers can be sent a really in-depth Supplier Validation Questionnaire (SVQ). Supplier responses are reviewed by your information security team on return, then followed up with requests for evidence of policies and processes or even (where required) a visit to the supplier’s premises to ratify the responses. As you move down the rank of criticality, a lighter-touch questionnaire should be used. For instance, you wouldn’t want a stationery supplier being sent a 200-question SVQ unless you had a sufficient business requirement to do so.

As an example, Stan’s Stationery supplies your business with pens, paper, etc. Let’s give this particular supplier an impact rating of 1. As this supplier can inflict only a small amount of damage, we send Stan’s Stationery a light SVQ. The response states that they have no information security measures in place: no policies, no protection measures, not even the slightest interest in information security. Therefore the likelihood of their being breached is almost certain, a 5. We feed the impact and likelihood into the risk matrix and get an overall risk rating of 5. See the Risk Matrix below.

This is a low impact, high probability of breach, but because we have validated the supplier, we know this for sure.

It is important to realise that other business processes may need to be incorporated; a Data Protection Impact Assessment (DPIA) springs to mind. Suppose the SVQ response from Stan’s Stationery showed that they provide a lot more for your organisation than you first realised: in fact they host your website, or process payments, as brief examples. In that case they process a high volume of personal data, so if they were breached you might face the ICO and subsequently receive fines, dependent on the contracts you have in place and the circumstances of the breach. You will need to carry out a DPIA on this supplier if one has not already been done. As a result of this new information, the impact level in this example has also changed from 1 to 4 (depending on your organisation’s information risk appetite), giving a risk score of 20 (see Fig 4, Updated Risk Matrix), a big jump from the original score of 5. A greater understanding of their information security practices will be required, and a deeper SVQ will need to be sent and validated.

Of course, Stan’s Stationery can be replaced by any supplier; this is a high-level overview of how SERM can be used. Depending on how many suppliers you have, this process may need to be automated, or at least handed to a managed service that manages your supply chain risk. Following a supplier’s response, your organisation will need to decide what action to take: either help them improve their information security practices and defences, or simply cease the relationship. This is a cost / benefit analysis and a business decision, and SERM will help you understand the real cost behind each supplier.
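The scoring described above, carried through the two Stan’s Stationery assessments, as an added Python example that is not part of the original post. The 1 to 5 scales, the product formula and the DPIA trigger follow the post; the severity bands and the mapping from impact to SVQ depth are assumed for illustration.

```python
"""Likelihood x impact supplier risk scoring (added example, not the post's
own material).  Scales and formula follow the post; bands and SVQ depth
thresholds are assumptions."""

# Both likelihood and impact are rated 1 (lowest) to 5 (highest).
SCALE = range(1, 6)

# Assumed severity bands for the 1..25 product; each organisation sets its own.
BANDS = ((1, 4, "low"), (5, 9, "medium"), (10, 15, "high"), (16, 25, "critical"))


def risk_score(likelihood, impact):
    """Severity = likelihood x impact, both on the 1..5 scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def severity_band(score):
    """Name of the assumed band that a product score falls into."""
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside the 1..25 matrix")


def risk_matrix():
    """The 5x5 matrix: rows are likelihood 5 down to 1, columns impact 1 to 5."""
    return [[risk_score(like, imp) for imp in SCALE] for like in reversed(SCALE)]


def svq_depth(impact):
    """Assumed mapping from potential impact to questionnaire depth."""
    if impact >= 4:
        return "in-depth"
    if impact == 3:
        return "standard"
    return "light"


def assess_supplier(name, likelihood, impact, processes_personal_data=False):
    """One supplier's entry: score, band, SVQ depth and whether a DPIA is due."""
    score = risk_score(likelihood, impact)
    return {
        "supplier": name,
        "likelihood": likelihood,
        "impact": impact,
        "score": score,
        "band": severity_band(score),
        "svq": svq_depth(impact),
        # The post's trigger: high volumes of personal data mean a DPIA.
        "dpia_required": processes_personal_data,
    }


def reassess(entry, **changes):
    """Re-score a supplier once the SVQ response reveals new facts."""
    return assess_supplier(
        entry["supplier"],
        changes.get("likelihood", entry["likelihood"]),
        changes.get("impact", entry["impact"]),
        changes.get("processes_personal_data", entry["dpia_required"]),
    )


if __name__ == "__main__":
    # Light SVQ: no controls at all, so likelihood 5; pens and paper, impact 1.
    stan = assess_supplier("Stan's Stationery", likelihood=5, impact=1)
    # The response shows they also host the website and process payments.
    stan_v2 = reassess(stan, impact=4, processes_personal_data=True)
    for row in risk_matrix():
        print(" ".join(f"{value:3d}" for value in row))
    print(stan["score"], stan["band"], "->", stan_v2["score"], stan_v2["band"])
```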

For further information regarding supplier risk management, more blog posts can be found here:

  1. The Domino Effect
  2. Automating SERM

Wednesday, 19 December 2018

Top-5 Predictions for 2019: Cyber Threats and How to Protect

Written by: Stuart Peck, Director of Cyber Security Strategy, ZeroDayLab 

2018 has been an eventful year, especially with the introduction of GDPR and the California Consumer Privacy Act, a never-ending barrage of high-profile breaches, sophisticated malware and cryptojacking campaigns, and a ramp-up in criminal and fraudulent activity. Reviewing the events of the last 12 months, it’s clear that although there has been a significant increase in attacks, the attack vectors remain largely the same as they have always been: human error, configuration issues, weaknesses in the supply chain and, unsurprisingly, patching problems!

So, without dampening the Christmas spirit (too much), what does 2019 potentially have in store for us? What can organisations do pre-emptively to reduce the likelihood and impact of a cyber-attack? Here are my top 5 predictions for 2019:

1. More Third-Party Applications / Code Libraries will be targeted.

Organisations focus on protecting their own critical assets with significant investment in resources and technology, but then give access (or share critical data) to third parties who are not as mature. In 2018 we saw several examples of open-source or third-party integrations being abused by attackers, Magecart’s JavaScript injection being the primary one. With API abuse to steal authentication tokens also on the rise, the impact of this kind of attack can be significant, exposing not only client / customer data but potentially the entire supply chain, as in the recent Facebook breach. In 2019, I predict that this will be the vector of choice for a few reasons:

1) Many organisations don't conduct regular security reviews on their supply chain, let alone review the impact of using third-party code libraries and integrations.
2) These attacks are easy to scale and are therefore cost effective for attackers.
3) The yields and likelihood of selling off or sharing the techniques to other groups is also very high, again making this a profitable exercise.

2. Business Email Compromise attacks will evolve.

In 2018, ZeroDayLab saw a significant increase not only in the intensity of business email compromise campaigns but in the sophistication of the attackers. In the last quarter of 2018, attackers were using more advanced techniques to compromise supply chain mailboxes and harvest invoices and other information, usually to craft highly convincing phishing emails that either deliver malware or aim to defraud the target of funds. These attacks, although not new, have adapted as awareness of Whaling (CEO scamming) has matured, and the techniques witnessed in Q4 2018 will proliferate in 2019 and catch unsuspecting organisations off guard.

3. Crime-as-a-service will be a driving factor behind many attacks.

After high-profile global ransomware attacks such as NotPetya and WannaCry, ransomware attacks seem to have dropped off the face of the earth in 2018, mainly due to awareness, volatility in cryptocurrencies and increased attention from law enforcement. Bucking the downward trend, however, are ransomware-as-a-service offerings such as “GandCrab”, which have seen both an upturn in infections and a maturing of the offering to their criminal customers, with reported ill-gotten gains in the millions.

Crime-as-a-service has all but removed the barrier to entry to cyber-crime, with hacking-as-a-service, malware / ransomware-as-a-service and now phishing-as-a-service featuring highly on the Dark Web and Telegram; these platforms provide even the most novice of criminals the ability to target relatively mature organisations with some level of success. This trend is only going to rise in 2019.

4. Lack of visibility will be punished.

The recent Marriott breach has taught us a few things: blind spots can be punishing, and attackers are constantly looking for ways to compromise assets that organisations have no visibility of or, worse, that are not in an asset register at all, so nobody knows they exist. The rise of Shadow IT, where solutions and technology are purchased without the knowledge of IT / Information Security, gives attackers a target which in most cases has no protection against, or monitoring of, unauthorised access. This lets the attacker pivot onto a more critical system or, in the worst case, gain direct access to personal information.

In both cases these present an easy attack surface that is easily overlooked. Attackers constantly use tools like Shodan and Censys to discover public-facing assets with default / weak passwords, weak encryption, or any of the critical risks listed in the OWASP Top Ten; these are quick wins for attackers, deal a devastating blow to organisations with a huge impact on reputation, and usually catch the information security team off guard.

5. Cloud Security Misconfiguration.

Although great strides have been made to improve the security of critical assets in the cloud, organisations still haven’t fully embraced the protection available or, worse, have misconfigured environments that allow attackers to capitalise on them. Many incidents in 2018 highlighted this: open S3 buckets with vast amounts of unencrypted customer data available to anyone, weak admin credentials with no MFA, private keys posted in GitHub repositories; the list goes on. Human error is a factor that the cloud sadly won’t fix, only accelerate, with significant consequences for organisations that don’t embrace the Sec in ‘DevSecOps’! With increased governance around the privacy and security of PII (Personally Identifiable Information), those fully adopting the benefits of the cloud also need to fully enforce the security controls.

There is some good news, however; there are many things organisations can do to reduce the impact of the security risks above:

  1. Ensure asset registers are fully up to date and include any cloud-based applications and systems. In addition, ensure assets are patched to the latest version, or record the risk for those that cannot be, with the relevant justification and mitigation. This seems simple, but the number of organisations that don’t have a fully up-to-date and relevant register is significant.
  2. Conduct regular Ethical Hacking Assessments on your risky assets, especially those that are public-facing. Check cloud and internal networks for misconfiguration, the quickest win in preventing abuse by attackers. Also test those integrations; understand how and where you are exposed.
  3. Train developers and operational teams (DevOps) on secure coding and deployment principles. Ensure these are documented in a defined set of procedures and policies. Also ensure developers are using secure coding frameworks and are not using risky third-party libraries or untested open-source components.
  4. Conduct regular BIAs (Business Impact Assessments) to help define critical assets, and ensure they have the relevant controls in place; essentially, find your blind spots and fix them!
  5. Conduct Supplier Evaluation Risk Assessments regularly, understand the security maturity of your critical suppliers, and act to address those that expose you to unnecessary risk.

By conducting the above activities in 2019, you’ll not only reduce the risk to your critical assets, but also have the appropriate intelligence to develop a strategy moving forward.

Monday, 17 September 2018

ZeroDayLab Discovers EE Local Privilege Escalation Vulnerability CVE-2018-14327

EE forms part of BT Group, the largest digital communications company in the UK, and boasts more than 31 million connections across its mobile, fixed and wholesale networks. But it was a flaw in EE’s 4G Mini WiFi modem that caught the eye of ZeroDayLab’s security consultants: once installed, it weakened the customer’s defences. As a result of the vulnerability, cyber criminals who had already gained access to an EE customer’s laptop or PC would be able to bypass access permissions and gain full administrative/system rights by escalating privileges. This means the cyber criminal could perform any number of malicious actions, such as planting malware or rootkits, logging keystrokes, or stealing personal information.

In this article we take you through the vulnerability found by ZeroDayLab and the action EE customers need to take to apply the patch to fix this vulnerability.

EE customers have been going about their business up and down the country, connecting to the web while on the move oblivious to the potential danger that their latest gadget has been exposing them to. ZeroDayLab’s Chief Technical Officer Paul Brereton said “by installing the EE modem, users have been unwittingly significantly weakening the security of their operating environment (Windows), allowing a local attacker, malicious application or targeted malware to gain full unrestricted administrative access to the operating environment and bypassing the protections in place.”

The vulnerability discovered by ZeroDayLab is exploitable with relatively little effort from a potential cyber criminal – the level of sophistication and effort required to execute this attack is minimal, making this a significant vulnerability.

ZeroDayLab took the decision not to disclose this vulnerability without first working with EE to find a suitable patch. The vulnerability was discovered by one of ZeroDayLab’s Security Consultants, Osanda Malith Jayathissa (@OsandaMalith). Below, Osanda talks you through the details of the vulnerability and the resulting patch from EE.

The Vulnerability
The EE 4G WiFi Modem installs a service called Alcatel OSPREY3_MINI Modem Device Helper (the modem is manufactured by Alcatel). It’s here that we found the unquoted service path vulnerability.

C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Alcatel OSPREY3_MINI Modem Device Helper
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

You can’t directly write files because of folder permissions, which at first sight would suggest this issue isn’t worth reporting. If, however, you look at the permissions of the “EE40” folder, lo and behold, they had been set to “Everyone:(OI)(CI)(F)”. The result is that any user can read, write, execute, create, delete or perform any number of malicious actions inside that folder and its subfolders. The ACL entries carried OI (Object Inherit) and CI (Container Inherit), which means every file in this folder and its subfolders inherits full permissions.

C:\Program Files (x86)\Web Connecton>icacls EE40
EE40 Everyone:(OI)(CI)(F)
     NT SERVICE\TrustedInstaller:(I)(F)
     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService
EE40\BackgroundService Everyone:(OI)(CI)(F)
                       NT SERVICE\TrustedInstaller:(I)(F)
                       NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                       NT AUTHORITY\SYSTEM:(I)(F)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

Since “ServiceManager.exe” is the executable of a Windows service, planting a malicious program with the same name “ServiceManager.exe” results in that binary being executed as “NT AUTHORITY\SYSTEM”, the highest privilege level in a Windows operating system. This vulnerability can therefore be used to escalate privileges locally. For example, an attacker can plant a reverse shell from a low-privileged user account and, after a restart of the computer, the malicious service is started as “NT AUTHORITY\SYSTEM”, giving the attacker full system access to the remote PC.
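The same two defects can be checked for mechanically. The Python below is an added example, not ZeroDayLab’s or Osanda’s tooling: it parses captured `sc qc` and `icacls` output (the embedded samples are constructed from the output quoted above) and flags a LocalSystem service whose binary path is unquoted and whose folder grants a broad principal a write-capable, inherited right. The sets of broad principals and write-capable rights are assumptions chosen for this check.

```python
"""Detect the two defects behind CVE-2018-14327 in captured `sc qc` and
`icacls` output (added example, not ZeroDayLab's own code)."""
import re

# Constructed sample: the `sc qc` output quoted in the article.
SC_QC_OUTPUT = r"""
SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Alcatel OSPREY3_MINI Modem Device Helper
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Constructed sample: the `icacls EE40` output quoted in the article.
ICACLS_OUTPUT = r"""EE40 Everyone:(OI)(CI)(F)
     NT SERVICE\TrustedInstaller:(I)(F)
     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Assumption: principals every local user belongs to, so a write right granted
# to them is a write right for an unprivileged account.
BROAD_PRINCIPALS = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}
# Assumption: icacls rights that allow creating or replacing files
# (Full, Modify, Write, write-data, append-data, delete-child).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC"}


def parse_sc_qc(text):
    """Return the KEY : value pairs of `sc qc` output as a dict."""
    config = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and re.fullmatch(r"[A-Z_]+", key.strip()):
            config[key.strip()] = value.strip()
    return config


def is_unquoted_path(binary_path):
    """True when the executable part of the path is unquoted and has a space."""
    path = binary_path.strip()
    if path.startswith('"'):
        return False
    exe = re.match(r"(.*?\.exe)", path, re.IGNORECASE)
    exe_part = exe.group(1) if exe else path.split(" ")[0]
    return " " in exe_part


def parse_icacls(text, queried_path):
    """Return [(principal, [flags...]), ...] from `icacls <queried_path>` output."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(queried_path + " "):  # first line carries the path
            line = line[len(queried_path) + 1:]
        m = re.fullmatch(r"(.+?):((?:\([^)]*\))+)", line)
        if m:
            aces.append((m.group(1), re.findall(r"\(([^)]*)\)", m.group(2))))
    return aces


def weak_aces(aces):
    """ACEs that give a broad principal a write-capable right."""
    weak = []
    for principal, flags in aces:
        rights = {r for f in flags for r in f.split(",")}
        if principal in BROAD_PRINCIPALS and rights & WRITE_RIGHTS:
            weak.append((principal, flags))
    return weak


def audit(sc_text, icacls_text, queried_path):
    """Combine both checks into one finding for the service."""
    cfg = parse_sc_qc(sc_text)
    weak = weak_aces(parse_icacls(icacls_text, queried_path))
    # (OI)(CI) on a weak ACE means files and subfolders inherit it, which is
    # what let the service binary itself be replaced in the article.
    inherited = any({"OI", "CI"} <= set(flags) for _, flags in weak)
    return {
        "service": cfg.get("SERVICE_NAME"),
        "runs_as_system": cfg.get("SERVICE_START_NAME") == "LocalSystem",
        "unquoted_path": is_unquoted_path(cfg.get("BINARY_PATH_NAME", "")),
        "writable_by_broad_principal": bool(weak),
        "write_right_inherited": inherited,
    }


if __name__ == "__main__":
    print(audit(SC_QC_OUTPUT, ICACLS_OUTPUT, "EE40"))
```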

And now for the fix.

Updating to the Patched Version

The vulnerable software version is “EE40_00_02.00_44”

After the vulnerability was reported to EE, they released a patch to update the modem. Follow these steps to update your modem to the latest patch.

1. Go to your router’s default gateway:
2. Click on the “Check for Update” text to update your firmware.

After updating, the patched software version is “EE40_00_02.00_45”; then remove the previously installed software from your computer.

Disclosure Timeline

05-07-2018: The ZeroDayLab Consultant (Osanda Malith Jayathissa) reported the issue to EE via Twitter.
05-07-2018: Reported to Alcatel via email.
12-07-2018: Osanda Malith Jayathissa contacted MITRE.
16-07-2018: CVE assigned CVE-2018-14327.
25-07-2018: EE contacted Osanda Malith Jayathissa via email for more technical details.
26-07-2018: Phone call between Osanda Malith Jayathissa and EE to discuss the vulnerability further.
26-07-2018: EE confirms that patch will go live within one week.
03-08-2018: Osanda Malith Jayathissa contacted EE for an update on the patch and EE stated that they will respond with more information by Friday 10th of August.
10-08-2018: EE said that patch had been delayed and will notify Osanda Malith Jayathissa with an update.
23-08-2018: EE replies with a patch update for Osanda Malith Jayathissa to verify. The ZeroDayLab Consultant confirmed the patch was working successfully.
03-09-2018: EE notified Osanda Malith Jayathissa saying the patch was released.

About ZeroDayLab

ZeroDayLab is a CREST accredited IT Security consultancy whose sole purpose is to help reduce the risk of cyber-attack and data breaches in your business. In doing so, we help to protect your business from loss of revenue, reputational damage, regulatory fines and disruption to operations.

Our success has meant we now work with some of the biggest and most influential global organisations, across almost every industry, including Financial Services, E-business, Retail, Telco, Travel & Leisure, Pharmaceuticals, Defense and Transport.

Many of our clients say that they choose us because of our unique approach to Total Security Management, which enables us to cater for all your Ethical Hacking, Governance, Risk and Compliance, Education & Training, and Managed Service needs. We do this in a way that is appropriate, proportionate and right for the level of risk in your business. On time, every time, and always in budget.

We deliver these services together with a dedicated team, made up of the very best industry talent, who consistently deliver the highest level of service to our clients. Our approach will provide you with detailed reporting and the actionable insights you need to prioritise and reduce risk at the fastest possible rate.