
Intro to Windows (Win32) API

Since I talked about how to enumerate Windows-based systems (a step you will go through during any engagement), it is only natural to expand on the topic (Windows, not enumeration, at least for now).

You might have successfully enumerated, exploited, established persistence, and maybe even exfiltrated data… but there’s much more to it, and a lot of stuff comes into play. In the upcoming articles, I will cherry-pick the stuff that is most interesting to me, but I will also try to provide you with a general overview so that you can more easily structure and map out the stuff I’ve been talking about.

This one is geared more towards red team activity, as knowledge of the Windows API can be leveraged when you care about evasion, e.g., as a red teamer (of course, it’s not only about evasion…); evasion is something a pentester usually doesn’t have to worry about. Just keep that distinction in the back of your mind.

However, in the case of red team engagements, since the emulation of an adversary is essential, you will see things that usually don’t get included in pentests or vulnerability assessments. Phishing is permitted (it is out of scope in most pentests) and is usually something red teams will opt for (gotta keep that stuff realistic, right?); evasion is also vital, since an adversary will try to stay on your corporate network for as long as possible. It’s also kinda in the name: you are in the role of the red team, and evasion pertains to throwing the blue team off your tracks. This is quite different and very interesting for us here, as it opens up a plethora of new options you will think about and probably use during the engagement.

Terms like living off the land, phishing, bypassing UAC, bypassing AVs, C2, etc. all come into play! And more. Much more. This is terrifyingly fun, and even though the Windows API might not be the most attractive topic of the bunch, it’s important to have a firm grasp on what you’re abusing, so I wanted to give you a brief overview of how one would abuse Windows API calls for their nefarious purposes.

Red teams will regularly abuse the Windows API to hide from and evade the blue team, in the same way they’ll use shellcode to evade AVs, use the LOL (living off the land) methodology, and much more (evade runtime detection, logging and monitoring, generally employing a tool-agnostic approach in this endeavor).

Okay! So that’s a bit more of an intro, but I wanted to level with you here and set some expectations while also (hopefully) making the upcoming articles (as well as this one and the previous one) more sensible in the grand scheme of things.

The Windows (Win32) API

The first distinction to be aware of here is that Windows code runs in one of two modes: kernel mode and user mode. User-mode applications never touch hardware or kernel memory directly; they go through the Win32 API, the documented interface (exposed through a set of DLLs) that sits between user applications and the kernel.

A Win32 call lands in a user-mode DLL such as KERNEL32.DLL, which in turn calls the Nt*/Zw* stubs in NTDLL.DLL; those stubs execute the system-call instruction that transitions into kernel mode, where the request is actually processed. These two modes matter because they determine how much access a driver or an application gets: kernel memory, hardware, and so on. Also note that with some languages (e.g., C# or Python) the call goes through the language runtime first (P/Invoke, ctypes) before it reaches the Win32 DLLs.

The Win32 API breakdown can be briefly described as follows:

  • In/out parameters – the values passed into and returned from a call; their types and direction ([in]/[out]) are fixed by the function’s prototype

  • API calls – the exported functions themselves (e.g., VirtualProtect); at runtime each one is reached through a pointer to its address inside the loaded DLL

  • Call structures – the prototype (return type, parameter list, calling convention) that defines an API call and its parameters

  • DLLs – the libraries that export the Win32 API: the core ones are KERNEL32, USER32 and ADVAPI32, and other DLLs such as NTDLL, the COM libraries (OLE32), NETAPI32, etc. are part of it as well

  • Headers – header files (windows.h and what it pulls in) declare the prototypes at compile time; the DLLs themselves are loaded at runtime, and function addresses are resolved either by the loader through the PE import table or manually with GetProcAddress

Since every Win32 function lives somewhere in a process’s address space and is reached through a pointer to its address, and since Address Space Layout Randomization (ASLR) changes where each DLL lands, code can’t hardcode those addresses; they have to be resolved at load time (import table) or at runtime (GetProcAddress). This is for security reasons, as you guessed: an exploit that needs, say, the address of VirtualProtect can’t simply assume it.

There is a Windows-specific caveat, though. Mandiant’s blog post on ASLR puts it like this: “If an attacker can discover where a DLL is loaded in any process, the attacker knows where it is loaded in all processes.” That is because on Windows, system DLLs get a randomized base once per boot and then share that base across every process. From the same blog post: “A low-privileged account can be used to overcome ASLR as the first step of a privilege escalation exploit.”

None of this is what windows.h is for. The header file is simply how a C/C++ program gets the declarations it needs; the compiler, the linker and the loader take care of the actual addresses.

From Wikipedia:

windows.h is a Windows-specific header file for the C and C++ programming languages which contains declarations for all of the functions in the Windows API, all the common macros used by Windows programmers, and all the data types used by the various functions and subsystems. It defines a very large number of Windows specific functions that can be used in C.

Basically, any Win32 function can be called once you’ve included windows.h (and linked against the matching import library that the Windows SDK ships, e.g., kernel32.lib for KERNEL32.DLL).

Another important implementation is the P/Invoke, which allows you to access structs, callbacks, and functions in unmanaged libraries from your managed code. Most of the P/Invoke API is contained in two namespaces: System and System.Runtime.InteropServices. Using these two namespaces gives you the tools to describe how you want to communicate with the native component.

What P/Invoke gives you is the complete mechanism for calling the Win32 API from managed code: you declare the native function with a [DllImport] attribute, and the runtime loads the DLL, resolves the export and marshals the parameters for you. You can then invoke the function as a managed method you declared, even though you’re calling an unmanaged function.

The structure of the API calls is well documented by Microsoft, but you can also check out pinvoke.net (the interop wiki) for ready-made P/Invoke signatures.

Every API call has a pre-defined structure for its input/output parameters. For example, the VirtualProtect function (declared in memoryapi.h, exported by KERNEL32.DLL) looks like this:

BOOL VirtualProtect(
  [in]  LPVOID lpAddress,
  [in]  SIZE_T dwSize,
  [in]  DWORD  flNewProtect,
  [out] PDWORD lpflOldProtect
);

For each parameter’s direction (in/out) and accepted values, Microsoft has the explanation within the docs: lpAddress and dwSize describe the region, flNewProtect is one of the PAGE_* constants (e.g., PAGE_EXECUTE_READ), and lpflOldProtect receives the previous protection so that you can restore it afterwards.
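As an added example (my own code, not from the original post or from Microsoft’s docs), here is the P/Invoke pattern in PowerShell: Add-Type compiles a small C# class with [DllImport] declarations for GetModuleHandle, GetProcAddress, VirtualAlloc, VirtualProtect and VirtualFree from KERNEL32, the script resolves the address of VirtualProtect at runtime (the GetProcAddress path discussed above), and then flips a freshly allocated page from PAGE_READWRITE to PAGE_EXECUTE_READ. The constants are the SDK values from winnt.h/memoryapi.h; the 4 KiB scratch buffer is an assumption made for the demonstration.

```powershell
# Added example: calling Win32 functions from PowerShell through P/Invoke (not code from the original post).
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public static class Win32 {
    // Each [DllImport] is a P/Invoke declaration: the CLR loads the DLL and resolves the export.
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr GetModuleHandle(string lpModuleName);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);

    // Same prototype as the memoryapi.h signature above: BOOL VirtualProtect(LPVOID, SIZE_T, DWORD, PDWORD)
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool VirtualFree(IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);
}
"@
Add-Type -TypeDefinition $Win32

# SDK constants (winnt.h / memoryapi.h)
$MEM_COMMIT = 0x1000; $MEM_RESERVE = 0x2000; $MEM_RELEASE = 0x8000
$PAGE_READWRITE = 0x04; $PAGE_EXECUTE_READ = 0x20

# 1) Resolve an export at runtime. This is what the loader does for every import,
#    and what shellcode/loaders do by hand because ASLR moves kernel32 around.
$hKernel32       = [Win32]::GetModuleHandle("kernel32.dll")
$pVirtualProtect = [Win32]::GetProcAddress($hKernel32, "VirtualProtect")
if ($pVirtualProtect -eq [IntPtr]::Zero) {
    throw "GetProcAddress failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
"kernel32 base          : 0x{0:X}" -f $hKernel32.ToInt64()
"kernel32!VirtualProtect: 0x{0:X}" -f $pVirtualProtect.ToInt64()

# 2) Allocate a RW page and change it to RX: the write-then-execute pattern that
#    puts VirtualProtect on every 'suspicious API' list.
$size = [UIntPtr][uint64]4096   # assumption: one page of scratch memory is enough for the demo
$buf  = [Win32]::VirtualAlloc([IntPtr]::Zero, $size, ($MEM_COMMIT -bor $MEM_RESERVE), $PAGE_READWRITE)
if ($buf -eq [IntPtr]::Zero) {
    throw "VirtualAlloc failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

[uint32]$oldProtect = 0
$ok = [Win32]::VirtualProtect($buf, $size, $PAGE_EXECUTE_READ, [ref]$oldProtect)
if (-not $ok) {
    throw "VirtualProtect failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
"VirtualProtect succeeded; previous protection was 0x{0:X} (0x04 = PAGE_READWRITE)" -f $oldProtect

# Clean up. Real code would first restore the protection VirtualProtect handed back in $oldProtect.
[void][Win32]::VirtualFree($buf, [UIntPtr]::Zero, $MEM_RELEASE)
```

Run it in two separate PowerShell processes on the same boot and the kernel32 base is identical; reboot and it changes, which is the per-boot property the Mandiant quote is about. From the defender’s side, a private (non-image) page going RW to RX is exactly the transition that security products watch on VirtualProtect, which is why the function appears on the list further down.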

Lastly, I will list some API calls that are known for their possible malicious use. MalAPI.io tries to document these, so it might be worth checking out.

VirtualProtect – Changes the protection on a region of committed pages in the virtual address space of the calling process.

GetProcAddress – Retrieves the address of an exported function (also known as a procedure) or variable from the specified dynamic-link library (DLL).

GetComputerNameA – Retrieves the NetBIOS name of the local computer. This name is established at system startup, when the system reads it from the registry.

GetModuleFileNameA – Retrieves the fully qualified path for the file that contains the specified module. The module must have been loaded by the current process.

GetAdaptersInfo – The GetAdaptersInfo function retrieves adapter information for the local computer.

RegisterHotKey – Defines a system-wide hot key. Also, MalAPI says: “RegisterHotKey is used to create a system-wide hotkey. This function is commonly used by spyware or keyloggers to receive a notification when a certain combination of keys is pressed.”
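To make that list actionable, here is an added example (my own code, not from the original post or from MalAPI.io): a small PowerShell walker for a PE file’s import table that reports which functions from a watchlist a given executable imports by name. It handles PE32 and PE32+, skips imports by ordinal, and takes the watchlist as a parameter, defaulting to the six functions above. The path to notepad.exe is just a convenient sample target; any Windows binary works.

```powershell
# Added example: walk a PE file's import table and flag imports from a watchlist (not code from the original post).
function Get-WatchedImports {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Watchlist = @('VirtualProtect', 'GetProcAddress', 'GetComputerNameA',
                                 'GetModuleFileNameA', 'GetAdaptersInfo', 'RegisterHotKey')
    )
    $b   = [IO.File]::ReadAllBytes($Path)
    $u16 = { param([int]$o) [BitConverter]::ToUInt16($b, $o) }
    $u32 = { param([int]$o) [BitConverter]::ToUInt32($b, $o) }

    if ((& $u16 0) -ne 0x5A4D) { throw "$Path has no MZ header" }
    $pe = & $u32 0x3C                                   # e_lfanew -> IMAGE_NT_HEADERS
    if ((& $u32 $pe) -ne 0x00004550) { throw "$Path has no PE signature" }
    $nSections = & $u16 ($pe + 6)
    $optSize   = & $u16 ($pe + 20)
    $opt       = $pe + 24                               # IMAGE_OPTIONAL_HEADER
    $is64      = (& $u16 $opt) -eq 0x20B                # PE32+ magic
    $ddOffset  = if ($is64) { 112 } else { 96 }         # DataDirectory[] start inside the optional header
    $importRva = & $u32 ($opt + $ddOffset + 8)          # DataDirectory[1] = IMAGE_DIRECTORY_ENTRY_IMPORT
    if ($importRva -eq 0) { return @() }

    # Section table: needed to translate RVAs (virtual) into file offsets (raw).
    $sections = for ($i = 0; $i -lt $nSections; $i++) {
        $s = $opt + $optSize + 40 * $i
        [pscustomobject]@{ VA = & $u32 ($s + 12); VSize = & $u32 ($s + 8); Raw = & $u32 ($s + 20); RawSize = & $u32 ($s + 16) }
    }
    function RvaToOff([uint32]$rva) {
        foreach ($s in $sections) {
            $span = [Math]::Max($s.VSize, $s.RawSize)
            if ($rva -ge $s.VA -and $rva -lt ($s.VA + $span)) { return [int]($s.Raw + ($rva - $s.VA)) }
        }
        throw ("RVA 0x{0:X} is outside every section" -f $rva)
    }
    function CStr([int]$off) {
        $e = $off; while ($b[$e] -ne 0) { $e++ }
        [Text.Encoding]::ASCII.GetString($b, $off, $e - $off)
    }

    $hits   = @()
    $step   = if ($is64) { 8 } else { 4 }               # thunk entry size
    $topBit = if ($is64) { 63 } else { 31 }             # IMAGE_ORDINAL_FLAG position
    $desc   = RvaToOff $importRva                       # IMAGE_IMPORT_DESCRIPTOR array, 20 bytes each
    while ((& $u32 ($desc + 12)) -ne 0) {               # Name RVA of 0 marks the terminating descriptor
        $dll   = CStr (RvaToOff (& $u32 ($desc + 12)))
        $thunk = & $u32 $desc                           # OriginalFirstThunk (import name table) ...
        if ($thunk -eq 0) { $thunk = & $u32 ($desc + 16) }   # ... or FirstThunk if the INT was stripped
        $t = RvaToOff $thunk
        while ($true) {
            $entry = if ($is64) { [BitConverter]::ToUInt64($b, $t) } else { [uint64](& $u32 $t) }
            if ($entry -eq 0) { break }
            $byOrdinal = (($entry -shr $topBit) -band 1) -eq 1
            if (-not $byOrdinal) {
                $nameOff = (RvaToOff ([uint32]$entry)) + 2   # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                $name    = CStr $nameOff
                if ($Watchlist -contains $name) { $hits += [pscustomobject]@{ Dll = $dll; Function = $name } }
            }
            $t += $step
        }
        $desc += 20
    }
    $hits
}

Get-WatchedImports -Path "$env:SystemRoot\System32\notepad.exe" | Format-Table -AutoSize
```

Most legitimate binaries import GetProcAddress, notepad.exe included, so a hit here is context, not a verdict; what matters is the combination (VirtualAlloc plus VirtualProtect plus a thread-creation API in a small unsigned binary, for instance) and whether the names show up at all, since a loader that resolves its APIs dynamically or by hash has an almost empty import table, which is itself a tell.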

Conclusion (for now)

I’ve just given a very brief overview here since the whole of the Win32 API is much larger. But for our purpose here, it should suffice. The main point I wanted to get across is for you to realize the potential options you might have with this and be aware of how some threat actors might leverage those system functions that are basically inseparable from the system itself.

A fun practice might be to check out what MITRE ATT&CK has documented under Native API (T1106) and look at the Windows API calls known to be used for malicious purposes.

Cover image by Clint Adair

#win32 #API #windows

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

State of the Union’s Infrastructure Security According to CISA

On the heels of a few high-profile cybersecurity breaches in the civilian sector comes a poignant operational technology/industrial control systems advisory published jointly by CISA and the NSA. Contrasting with the bland title of “Control System Defense: Know the Opponent,” you get the sense that CISA has gotten tired of ringing the control system cybersecurity bell since at least 2009. Though, according to Tom Temin of the Federal News Network, protecting the software we rely upon has been on politicians’ minds since the 90’s.

OT/ICS assets that control critical infrastructure from nuclear power plants to the water processing to the air conditioning in government facilities have always been targets. With the merging of IT and OT/ICS over at least the past decade and a half, the attack surfaces of these critical systems have increased exponentially.

It’s also critical that these systems keep running “despite the fact that many systems are decades old and use insecure protocols and architectures”, which requires nonstandard interface and protocol support, while the vendors that made the equipment may no longer exist.

It isn’t any secret that much of the United States’ critical-for-society-to-function infrastructure is out of date. Nor is it a secret that well-funded malicious actors are more than capable when it comes to disrupting critical sectors. We’ve seen the Russian attack on Ukraine’s electric grid and the 2017 NotPetya attack on Maersk that resulted in Los Angeles’ busiest port shutting down for two weeks.

Furthermore, design and device information is publicly available or easily obtained through job listings and interviews that specify certifications and equipment knowledge. Open-source intelligence (OSINT) also makes it simple to track down emails, names, software in use, or remote access points. Shodan is a fun tool.

Thankfully, CISA’s advisory doesn’t just point at the problem and say “hey, doesn’t that look terrible?” It also lays out the tactics, techniques, and procedures that many cyber actors use, along with mitigations. If anyone remembers David Bianco’s Pyramid of Pain, he explains that one of the most effective ways to thwart attackers is to disrupt their game plan: make their tools and information useless so they’re back to square one.

But what’s the use of an advisory, if the recommended strategies therein aren’t enforced? Well, according to a Federal News Network article, Eric Goldstein, the Executive Assistant Director for Cybersecurity for CISA, stated that CISA has plans to “release performance goals starting in October that will address individual risks of the various sectors.” It seems that there might be some muscle to back up the advisory.

#CISA #ICS


CISAnalysis – September 23, 2022

And that’s a wrap for another week in cybersec! Phew! How did we make it through this one….first the Uber hack, then the Rockstar Games hack and now two vulns added to the ‘log amidst all the Mudge/Musk drama at Twitter! Another popcorn here! 🍿

Zoho RCE

First up is a remote code execution vulnerability in ManageEngine PAM360, Password Manager Pro, and Access Manager Plus. An attacker can obtain system-level privileges with a successful exploit. You know what that means? Dun, dun, dunnnnnn 💀

As we know from last week’s additions, this vulnerability poses a significant amount of risk, given the nature of the resources available to system users. The vulnerability is currently being exploited in the wild and a PoC is publicly available. Zoho is one of the largest technology companies in the world with over 80 million users, so security engineers should not throw caution to the wind if they have products with the affected versions. The fix was released back in June, so it’s likely this has already been exploited. As is typical, the recommended action forward is to upgrade the instances of Password Manager Pro, PAM360 and Access Manager Plus stat.

Sophos code injection

The other vuln is a code injection vulnerability in the User Portal and Webadmin of Sophos Firewall. Although this is basic perimeter defense, the fact that remote code execution is possible means you can Frankenstein the situation from afar. Who wouldn’t want to execute random scripts from the comfort of their basement? Hotfixes have been published for version v19.0 MR1 and older. If you’re not rocking those, make sure you are not exposed to the WAN and get that VPN up and running before sunset.

#cisa #cisanalysis #zoho #sophos #rce #vulnerabilities


Unearthing Meta’s Quarterly Adversarial Threat Report (Q2 2022)

Summary 

  • The report offers a comprehensive view of Meta’s risks across multiple policy violations like Coordinated Inauthentic Behavior (CIB), inauthentic behavior, cyber espionage, and other emerging threats, like mass reporting.

  • The report discusses various actions Meta’s security team took against two ongoing cyber espionage operations in South Asia.

  • As part of its campaign against new and emerging threats, the report discusses how Meta removed a mass reporting network in Indonesia, a brigading network in India, and coordinated violating networks (CVNs) in Greece, India, and South Africa.

  • Under its Inauthentic Behavior policy targeting artificially inflating distribution, the report says Meta took down numerous accounts, Pages, and Groups worldwide.

  • The report also discusses how Meta removed three networks engaged in CIB operations in Israel, Malaysia, and Russia.

Introduction

All of us are active Social Media users, which is exerting a greater influence on our lives in today’s technological age. But as the number of active users increases, so does the sophistication of threat actors, who continue to devise newer ways to compromise accounts, steal credentials, dictate their agenda, etc. For example, there are groups of people trying to flood comment streams and attack the post owner and other users to push forward their agenda and intimidate users with dissenting views. The evolving threat landscape compels social media giants like Meta to define robust security policies and take proactive steps to protect their communities. The Quarterly Adversarial Threat Report Q2 dives deeper into Meta’s actions against malicious activities.

Cyber Espionage Networks

Cyber espionage actors target internet users to collect intelligence, manipulate them into revealing sensitive information, and compromise their accounts and devices. Some of them deploy advanced malware that incorporates exploits, while others use basic low-cost tools that require less technical expertise to deploy. Thus Meta believes, as per the report, that this democratizes access to surveillance and hacking capabilities, since the barrier to entry for threat actors becomes lower. Furthermore, it allows threat groups to gain plausible deniability and hide in the “noise” when security researchers scrutinize them.

Steps Meta Took:

Meta took down accounts, notified users targeted by malicious groups, and blocked the groups’ domain infrastructure from getting shared on Meta’s services. Furthermore, they shared findings with security researchers and industry peers to help them stay vigilant about the activity. 

Bitter APT (Advanced Persistent Threat) Group

Meta took action against a hacker group called Bitter APT, which operated from South Asia and targeted users in New Zealand, the United Kingdom, India, and Pakistan. While the group’s activity was low in operational security and sophistication, it was well-resourced and persistent. Bitter used various malicious tactics to target users with social engineering and infect their devices with malware. They used a mix of malicious domains, link-shortening services, third-party hosting providers, and compromised websites to distribute their malware. Security researchers at Meta discovered that their platform was used as one element of a wider cross-platform cyber espionage campaign. They found the following noteworthy TTPs (tactics, techniques, and procedures) used by the threat actors:

  1. Social engineering: Bitter threat actors created fictitious personas and posed as young women, activists, or journalists across the internet. They tried to build trust with users to trick them into visiting malicious links or downloading malware.

  2. iOS application: Meta’s recent investigation discovered Bitter deploying an iOS chat application that targets could install through Apple’s TestFlight service, the beta-testing distribution channel intended for developers.

  3. Android malware: The researchers discovered Bitter using a custom Android malware family they named Dracarys. It abused Android accessibility services, an operating system feature intended to assist users with disabilities, to click through prompts automatically and grant the application the permissions it wanted.

  4. Adversarial adaptation: The Bitter group aggressively responded to Meta’s detection and blocking of its domain infrastructure and activity.

APT36

Meta discovered another threat group whose activity was low in sophistication but which persistently targeted many services over the internet, from social media and email providers to file-hosting services. APT36 deployed various malicious tactics to target users with social engineering and infect their devices with malware. They used malicious and camouflaged links and fake Android and Windows apps to distribute their malware. Meta’s security team took action against the APT36 threat actors active in Afghanistan, Pakistan, UAE, India, and Saudi Arabia. They targeted government officials, military personnel, students, and employees of non-profit and human rights organizations. Furthermore, the report suggests that Meta’s investigation linked the activity to state-linked actors in Pakistan. They discovered the following noteworthy TTPs used by the threat actors:

  1. Social engineering: APT36 threat actors created fictitious personas and posed as recruiters for fake and legitimate organizations, military personnel, or women looking for romantic connections. 

  2. Real and spoofed websites: The report suggests that the APT36 threat actors used various tactics, including using custom infrastructure to inject their malware. Some domains masqueraded as generic app stores or photo-sharing websites, while others were spoofed domains of applications like Microsoft’s OneDrive, Google Play Store, and Google Drive.

  3. Camouflaged links: The group utilized link-shortening services and disguised malicious URLs. Furthermore, they used preview sites and social cards (the online marketing tools to customize the displayed image when a particular URL gets shared on social media) to mask the ownership and redirection of domains APT36 controlled.

  4. Android malware: APT36 did not directly share malware on Meta platforms but used the above tactics to share links to spoofed websites.

The “Emerging Harms” Networks

The report states that Meta’s threat disruption began by tackling inauthentic operations where users hide who’s behind them and advanced to authentic actors engaging in harmful and adversarial behaviors on its platform. This section of Meta’s report discusses how it is taking proactive steps to stay ahead in this adversarial space. 

Steps Meta Took:

Meta deployed control levers to enforce against networks having broadly varying aims and behaviors like:

  1. Groups that coordinated women’s harassment

  2. Decentralized movements that coordinate calls for violence against government officials and medical professionals

  3. An anti-immigrant group inciting harassment and hate

  4. An activity cluster focused primarily on spreading misinformation

Mass Reporting

Under its Inauthentic Behavior policies, Meta removes activity when it finds adversarial networks coordinating an abuse against its reporting systems to get content or accounts incorrectly taken down from the platform. Threat actors do it intentionally to silence others. In Q2 of 2022, the report states that Meta removed a network of 2,800 accounts, Pages, and Groups in Indonesia. They coordinated to report users for violations like impersonation, terrorism, hate speech, and bullying to get them wrongfully removed from Facebook. Meta researchers found that the reports mainly focused on Indonesian users, particularly the Wahhabi Muslim community. Factors considered while investigating Mass Reporting:

  1. Coordination Signals

  2. High Report volume

  3. Misleading and abusive nature of reports.

Brigading

Under its Bullying and Harassment policies, Meta removes activity when it discovers adversarial networks engaging in repetitive behavior, for mass-commenting on their target’s posts or sending them direct messages. The report suggests that the behavior intends to harass, overwhelm or silence the target. 

In Q2 of 2022, Meta took down a brigading network of 300 Facebook and Instagram accounts in India that collaborated to mass-harass people, including actors, activists, comedians, and other influencers. The network actively posted across the internet, including Instagram, Facebook, Twitter, YouTube, and Telegram. Factors considered while investigating Brigading:

  1. Repetitive targeting to silence or harass people, with unsolicited comments or messages

  2. Coordination Signals

  3. A high volume of activity

  4. Efforts to evade enforcement

Coordinated Violating Networks

Meta’s Account Integrity policies remove coordinated violating networks (CVNs) when it finds people (with authentic or fake accounts) coordinating to violate or evade its Community Standards. Under these policies, Meta removed two clusters of Pages and accounts on Facebook and Instagram in Greece that collaborated to repeatedly violate its policies against hate speech, misinformation, and incitement to violently overthrow the government. Factors considered while investigating Coordinated Violating Networks:

  1. Coordination signals showed an organized group directly working under centralized directions.

  2. Systematic violation of Meta’s community standards.

  3. Efforts to evade enforcement

Inauthentic Behavior

Meta defines Inauthentic behavior (IB) in its Community Standards as something that misleads the platform and the users about the popularity of the content, the people’s identity behind it, or the purpose of a community (i.e., Events, Groups, Pages). The report suggests that the behavior is centered around increasing and amplifying content distribution and is mostly (not exclusively) financially motivated. IB operators mainly focus on the quantity and not the quality of engagement. For example, they use many low-sophistication fake accounts for mass-posting or liking their content — commercial, social or political. 

Steps Meta Took:

In focus: Philippines

  1. Manual investigations and disruptions:

Ahead of the Philippines election, Meta’s investigative teams took down over 10,000 accounts for violating its IB policy. The accounts used IB tactics to increase the distribution of content like election-related posts, including others using politics as a spam lure when people showed interest in following these topics. The report states that Meta used threat intelligence and continued working on identifying repetitive behavior patterns showing characteristics of IB clusters in the region.

  2. Automated detection at scale:

Working on the actionable insights, Meta automated the detection of IB patterns and complemented the manual investigations. Consequently, the security teams consulted experts to identify numerous IB clusters in the Philippines and enforced quick action against 15,000 accounts. Meta researchers concluded that most IB clusters were not more than six months old when they got disabled. 

  3. Automated enforcement:

Complementing automated detection and manual disruptions, Meta focused on automating enforcement against these IB patterns, relying on its rigorous election preparation in the Philippines. Hence, the security teams could tackle specific repetitive and high-confidence inauthentic behavior (IB) in the Philippines and worldwide.

Coordinated Inauthentic Behavior (CIB)

Meta views CIB as a coordinated effort to manipulate the public discourse for a strategic goal, having fake accounts at the center of the operation. The report says that in these cases, people coordinate and use fake accounts to mislead others about what they do and who they are. 

Steps Meta Took:

Meta’s security team investigated and removed the CIB operations by focusing on behavior rather than content. According to the report,  it did not matter who was behind them, what they posted, or whether they were foreign or domestic. 

Malaysia

Meta removed 596 Facebook accounts, 72 Instagram accounts, 180 Pages, and 11 Groups for violating their policy on coordinated inauthentic behavior. The network originated in Malaysia, targeting its domestic audiences.

Israel

Meta removed 259 Facebook accounts, 107 Instagram accounts, 42 Pages, and 9 Groups for violating its policy on coordinated inauthentic behavior. The network originated in Israel, targeting Nigeria, Angola, and the Gaza region in Palestine.

Russia

The report has a detailed sub-section on how the security researchers investigated the CIB in Russia. Meta took down an Instagram account network operated by a troll farm in Russia’s St. Petersburg that targeted global public discourse regarding the Ukraine war. The report underlines that the campaign was a poorly executed attempt and that threat actors publicly coordinated through a Telegram channel. They wanted to create a grassroots online support perception for Russia’s invasion and used fake accounts to upload pro-Russia comments on influencers and media content. The researchers linked the activity to a self-proclaimed entity, “Cyber Front Z,” and individuals associated with the Internet Research Agency (IRA). Meta has banned Cyber Front Z from its platforms. 

Conclusion

The Meta Quarterly Adversarial Threat Report Q2 offers insight into the risks Meta sees globally and across multiple policy violations. It covers Meta’s expanded threat reporting areas like cyber espionage, inauthentic amplification, mass reporting, brigading, and other malicious behaviors. Furthermore, it alerts people who Meta believes were targeted by these campaigns. Thus, it is a reliable guide for tech companies, governments, law enforcement, and security researchers in helping them understand the social media threat landscape and the preventive measures that can be taken to limit the damage caused by malicious actors.

Reference

Ben Nimmo, David Agranovich, Margarita Franklin, Mike Dvilyanski, Nathaniel Gleicher. (2022, September 8). Quarterly Adversarial Threat Report, Q2 2022. About.fb.com. Retrieved September 8, 2022, from https://about.fb.com/wp-content/uploads/2022/08/Quarterly-Adversarial-Threat-Report-Q2-2022.pdf

Photo by Dima Solomin on Unsplash

#meta #facebook #adversary #CIB #threats #security #espionage


Windows Enumeration

You have gotten a shell but you are not yet a privileged user, and now you want to enumerate the system to try and find a way to escalate those privileges so that you can become a system level user.

System Enumeration

With a quick findstring (findstr, the Windows counterpart of grep) and a couple of other commands, we can issue a command like this:

You can easily see which system and version you’re running, the architecture, etc. Remember! You want to find exploits that fit the system in question; you might run into an x86 architecture or a Windows Enterprise edition, so you don’t want to bombard it with random exploits. That’s why enumeration is key: it gets you information you can actually use. As we all know there are five stages to the process, but enumeration is usually the vital part! Enumerate, enumerate, enumerate!!

To check for patches and other stuff that’s installed on the target Windows computer, you might use a command like this:

wmic qfe

WMI is Windows Management Instrumentation (sysadmins, engineers and the support folks know what this is about), and WMIC is its command-line interface. Keep in mind that WMIC is deprecated in current Windows 10/11 builds and may be missing entirely; the PowerShell equivalent, Get-HotFix (which queries the same Win32_QuickFixEngineering class), returns the same information.

QFE stands for Quick Fix Engineering; wmic qfe lists the installed updates, which is very useful when trying to work out which exploits the computer might still be vulnerable to: anything fixed after the newest install date is a candidate. After running the command on my system, you can observe the following:

As you can see, you get the related KB (knowledge base) article, the type of update (security update, etc.), who installed it, the HotFixID, and the date it was installed. If you only want specific columns, say Caption, HotFixID and InstalledOn, you can run:

wmic qfe get Caption,HotFixID,InstalledOn
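Once you have that column output, the question is usually “how old is the newest patch?”, because that date bounds the set of public exploits worth trying. The following Python script is an added example, not code from the original article: it parses a constructed sample of wmic qfe get Caption,HotFixID,InstalledOn output (the KB numbers and dates are placeholders, not from a real host) and computes the patch gap. The accepted date formats are an assumption; wmic prints InstalledOn in the host’s locale format, so extend _DATE_FORMATS if yours differs.

```python
import re
from datetime import date, datetime

# Constructed sample of `wmic qfe get Caption,HotFixID,InstalledOn` output.
# The KB numbers and dates are placeholders made up for this example, not
# data from a real host. Real output is fixed-width like this.
SAMPLE_QFE = """Caption                                     HotFixID   InstalledOn
http://support.microsoft.com/?kbid=1000001  KB1000001  3/13/2019
http://support.microsoft.com/?kbid=1000002  KB1000002  8/15/2019
http://support.microsoft.com/?kbid=1000003  KB1000003  5/20/2019
"""

# InstalledOn formats seen in practice (assumption: US locale M/D/YYYY,
# ISO YYYY-MM-DD, compact YYYYMMDD). Anything else parses to None.
_DATE_FORMATS = ("%m/%d/%Y", "%Y-%m-%d", "%Y%m%d")


def parse_installed_on(raw):
    """Turn the InstalledOn column into a date, or None if unrecognised."""
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(raw.strip(), fmt).date()
        except ValueError:
            continue
    return None


def parse_qfe(text):
    """Parse wmic's fixed-width output into a list of dicts.

    Columns are separated by runs of two or more spaces and the header line
    names them, so this works for whatever column list you pass to `get`.
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = re.split(r"\s{2,}", lines[0].strip())
    records = []
    for line in lines[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(header):
            continue  # wrapped or truncated row: skip rather than misalign
        rec = dict(zip(header, fields))
        rec["date"] = parse_installed_on(rec.get("InstalledOn", ""))
        records.append(rec)
    return records


def latest_patch_date(records):
    """Most recent install date, or None when no date could be parsed."""
    dates = [r["date"] for r in records if r["date"] is not None]
    return max(dates) if dates else None


def patch_gap_days(records, today):
    """Days between the newest installed update and `today`.

    A large gap means every public exploit published after that date is a
    candidate; a small gap narrows the search to very recent bugs.
    """
    newest = latest_patch_date(records)
    return None if newest is None else (today - newest).days


if __name__ == "__main__":
    recs = parse_qfe(SAMPLE_QFE)
    for r in sorted(recs, key=lambda r: r["date"] or date.min):
        print(r["HotFixID"], r["date"])
    print("newest patch:", latest_patch_date(recs))
    print("gap (days):", patch_gap_days(recs, date(2019, 12, 1)))
```

Feed it the real output by redirecting wmic to a file and reading that file into parse_qfe; rows whose date fails to parse are kept (with date=None) so you still see the HotFixID list.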

To enumerate drives, you can issue a command like this:

wmic logicaldisk

This gives a messy output, though, so use the same approach as above and ask only for the Caption:

wmic logicaldisk get Caption

That lets you quickly check whether there are any drives other than C: on the computer. (In my case there aren’t, but if there are, this command will show them, and you will want to look around those drives for anything interesting…)

Of course, you can also use good ol’ hostname and whoami to check the name of the computer you’re currently on, and the domain\username you are running as, respectively.

Network Enumeration

I will only cover a few commands here, just so you get a basic idea of what you might end up doing after entering the system. You would probably start with ipconfig or ipconfig /all to see the default gateway, DNS servers, and so on. If the box is domain-joined, you will often see a domain controller listed as the DNS server, which already tells you where the DC is.

Another one is arp -a, which shows the ARP cache: the hosts on the local subnet your box has recently talked to. A quick look at the routing table with route print shows where your machine can reach, and it lists the interfaces (NICs), telling you whether you need to elevate or can simply pivot off that other NIC into another network.

A very important one here is netstat. Run netstat -ano to see which services are listening, on which addresses, and which PID owns each socket; something bound only to 127.0.0.1 is invisible to your external scan but reachable from the box. Together with the commands above, you can glean a bit about the architecture of the network and systems. Your mileage may vary: a seasoned pro would immediately understand what is going on from the same output, but it is a place to start no matter your experience.
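To make the netstat triage concrete, here is an added Python example (not code from the original article) that parses a constructed netstat -ano listing (addresses, ports and PIDs are made up) and separates what the outside world can see from what only this box can reach. The loopback-only set is the interesting one for pivoting: those services never showed up in your port scan.

```python
# Constructed sample of `netstat -ano` output; addresses, ports and PIDs are
# made up for this example and do not come from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4320
  TCP    192.168.56.20:49700    192.168.56.1:443       ESTABLISHED     5212
  TCP    [::]:3389              [::]:0                 LISTENING       1188
  UDP    0.0.0.0:5353           *:*                                    1400
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}


def split_addr(addr):
    """Split 'host:port', handling bracketed IPv6 such as '[::]:3389'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Parse netstat -ano rows into dicts. UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]
        host, port = split_addr(local)
        rows.append({"proto": proto, "host": host, "port": port,
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def is_listener(row):
    # UDP sockets carry no state; treat every bound UDP socket as a listener.
    return row["proto"] == "UDP" or row["state"] == "LISTENING"


def exposed_listeners(rows):
    """Listeners bound to all interfaces: what an external scan would show."""
    return sorted((r["proto"], r["port"], r["pid"]) for r in rows
                  if is_listener(r) and r["host"] in WILDCARD)


def loopback_only_listeners(rows):
    """Listeners bound to loopback only: invisible from the network but
    reachable from this box, so candidates for port-forwarding/pivoting."""
    return sorted((r["proto"], r["port"], r["pid"]) for r in rows
                  if is_listener(r) and r["host"] in LOOPBACK)


def established_peers(rows):
    """Remote endpoints this box is talking to: hints at other hosts."""
    return sorted(r["foreign"] for r in rows if r["state"] == "ESTABLISHED")


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("exposed:      ", exposed_listeners(rows))
    print("loopback only:", loopback_only_listeners(rows))
    print("talking to:   ", established_peers(rows))
```

Map the PIDs back to process names with tasklist (or Get-Process) to learn what is actually behind port 8080 before you set up a forward to it.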

User Enumeration

Here you can do something like:

whoami /priv

To check for the privileges you have.

whoami /groups

To see which groups you belong to.

Further, run net user to list the local accounts. Remember, if you just gained a foothold on a box you are not necessarily running as an interactive user; you may have landed as a service account. In that case, you will want to find other users to escalate to, or go straight for an administrator.

You can also run net user <username> or net user administrator to see an account’s details, including the local groups it belongs to. To list the members of the local Administrators group, run net localgroup administrators.

These are some basic quick-and-dirty commands to check on your users, groups, and their privileges.
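The whoami /priv output is where privilege escalation often starts, so as an added example (not from the original article) here is a Python snippet that parses a constructed whoami /priv listing and flags the privileges a practitioner would chase. The shortlist of interesting privileges and the one-line reasons are this example’s own, and the sample token is made up; a privilege shown as Disabled still counts, because a process can enable any privilege its token already holds.

```python
# Constructed sample of `whoami /priv` output. The set mirrors what a typical
# service account shows, but the listing is made up for this example.
SAMPLE_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges well known to open an escalation path when a token holds them.
# This shortlist is the example's own, not from the original article.
# "Disabled" only means not currently active: a process can enable any
# privilege its token already holds, so Disabled entries count too.
ESCALATION_PRIVS = {
    "SeImpersonatePrivilege": "impersonate client tokens, including SYSTEM",
    "SeAssignPrimaryTokenPrivilege": "start processes under another user's token",
    "SeDebugPrivilege": "open any process (inject into or dump LSASS)",
    "SeBackupPrivilege": "read any file regardless of ACLs (SAM/SYSTEM hives)",
    "SeRestorePrivilege": "write any file regardless of ACLs",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTcbPrivilege": "act as part of the operating system",
}


def parse_privileges(text):
    """Return {privilege name: state} from `whoami /priv` output.

    Each data row starts with a Se...Privilege token and ends with the State
    column, so the description in between may contain spaces safely.
    """
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].startswith("Se"):
            continue
        if not parts[0].endswith("Privilege"):
            continue
        privs[parts[0]] = parts[-1]  # "Enabled" or "Disabled"
    return privs


def escalation_candidates(privs):
    """Privileges from the shortlist that this token holds, with the reason."""
    return sorted(
        (name, state, ESCALATION_PRIVS[name])
        for name, state in privs.items()
        if name in ESCALATION_PRIVS
    )


if __name__ == "__main__":
    held = parse_privileges(SAMPLE_PRIV)
    for name, state, why in escalation_candidates(held):
        print(f"{name:32} {state:9} {why}")
```

Run it against a saved whoami /priv dump; on the sample token only SeImpersonatePrivilege is flagged, which is exactly the privilege service accounts commonly hold and the one you would investigate first.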

 

Remarks

All of the above can be done, and if you’re doing this professionally probably will be done, with tools that automate the process. But to understand what those tools are doing in the background, I wrote this short intro; ultimately they run some variation or a more complex version of the commands above, with more checks tacked on.

Lastly, those tools might not work, or might not be an option. Be aware of the caveats: WinPEAS, for example, is a very, very good tool, but the .exe build needs .NET Framework 4 or later, which is useless if the Windows box you got hold of doesn’t have it and you are a user who can’t install it, or you don’t want to set off alarms. (There is also a batch version with no .NET dependency, but it is less complete.)

The main idea here is to understand the context, which is also why all the pentesting tutorials and other resources almost exclusively emphasize the importance of having rock solid understanding of the basics.

Tooling

Some of the tools you might end up using:

You might want to try these in your lab environment first to familiarize yourself. There are probably many more tools out there, but these are some of the ‘main’ ones, tried and tested.

Conclusion

Before concluding, I’d just like to emphasize again how important it is to know the context you’re in. Also, sometimes less truly is more: even though the tooling can be a tremendous time-saver, you first need to understand its nuts and bolts, otherwise you’re basically doing what script kiddies do. Take your time, and it will pay off.

Finally, enumerate, enumerate, enumerate!

Stay tuned.

Cover image by Omar Flores

#windows #enumeration

OWASP Top 10 – Cryptographic failures

OWASP stands for Open Web Application Security Project. It is a non-profit organization whose mission is to improve software security. It is based on an “open community model,” thus, anyone can participate. 

The OWASP community is well-known; I also refer to them in some of the articles I wrote.

OWASP started publishing a top 10 list of web application risks back in 2003, and the list has been refreshed every few years since. The latest edition was published in 2021. At the end of this article, I will provide a list of important pages on OWASP’s site.

By OWASP definition: The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

And, of course, as you can guess, this list is created by the community of developers specializing in security risks.

OWASP Top 10 2021 categories:

  • A01 Broken Access Control
  • A02 Cryptographic Failures
  • A03 Injection
  • A04 Insecure Design
  • A05 Security Misconfiguration
  • A06 Vulnerable and Outdated Components
  • A07 Identification and Authentication Failures
  • A08 Software and Data Integrity Failures
  • A09 Security Logging and Monitoring Failures
  • A10 Server-Side Request Forgery (SSRF)

I will not focus on historical differences within the OWASP top 10. However, I wanted to mention that the difference between new versions of the list is mainly in categorization (often in adding new categories as new malicious attacks emerge), renaming, changing scopes, etc.

In my previous articles, I already covered some of the vulnerabilities from the OWASP list. In this article, I am going to focus more on Sensitive Data Exposure which is now known as Cryptographic failures. Now the focus of this category is cryptography failures that lead to sensitive data exposure.

Sensitive Data Exposure

When a web application exposes information that should not be public, that vulnerability is called “Sensitive Data Exposure.” By sensitive data I mean personal data in the GDPR sense (name, date of birth, and so on), but also credit card numbers and, of course, usernames and passwords. Sometimes, if the website’s security is poor, such data can simply be found on the web server. But often the attacker gets at it with a “man in the middle” (MITM) technique, hijacking the data as it travels between the user and the application.

In a MITM attack the attacker places themself between the user and the web application. That can be a fake site the user is redirected to while believing they reached the real one, or it can be interception of the traffic between user and server (trivial when the connection is plain HTTP), after which the attacker reads and alters requests and responses at will. Basically, they control the flow of the conversation.

Exposing flat-file database

The database is often used to store all kinds of data, including sensitive data.

For this example, we will consider a small web application whose database is saved as a single file on the disk of the server.

The most common database engine for this kind of database is SQLite.

In this case, the attacker needs to find the location of the database file and download it. From then on they have the data offline and can query it at leisure, and nothing on the server will log those queries. Encrypting the stored data makes this harder, but only if the key is not sitting next to the file; once the attacker has a local copy, the file itself no longer protects anything.

In one of my articles, I described one technique-Path Traversal, which attackers are using to navigate to a certain file. Check it out! I will not describe how to find the file and download it; if you read the mentioned article, you will have an idea about how it is done.

So, we are on the step when we download the database, and now, we want to check out the results in it.

As I mentioned, in this example SQLite queries are used. You can check out select and distinct syntax with SQLite here.

For example, if you are using Kali, sqlite3 is installed by default, so you can just refer to the man pages.

To access the database, you would issue a command like this:

sqlite3 targetDB

to see the list of tables:

.tables

To check out table info for the table:

PRAGMA table_info(users);

More info about pragma statements on this site.

Check out all user’s info:

SELECT * FROM users;

Then, if the passwords are stored in this database, they would probably be hashed, and the next step would be to use some tool to crack the hash, for example, John the Ripper, Hashcat, or some other password-cracking tool.

When the attacker gets to the password, it is the beginning of the game for them! And the end of the game for the user.
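To tie the offline steps above to the cryptographic failure behind them, and to the hashing advice in the prevention section below, here is an added Python example (not code from the original article) using the standard-library sqlite3 module. It builds a constructed in-memory stand-in for the downloaded flat-file database (accounts, passwords and the mini wordlist are all made up), runs the equivalents of .tables, PRAGMA table_info and SELECT, then shows why unsalted hashes are the attacker’s friend: identical digests reveal password reuse before any cracking, and one hash per wordlist entry covers every user at once. The salted PBKDF2 variant at the end is what the table should have held.

```python
import hashlib
import sqlite3

# Constructed stand-in for the downloaded flat-file database: a throwaway
# in-memory SQLite DB with made-up accounts. Point sqlite3.connect() at the
# real file path instead of ":memory:" when working on a downloaded copy.
SAMPLE_USERS = [("alice", "summer2022"), ("bob", "letmein"), ("carol", "summer2022")]

# Constructed mini wordlist standing in for rockyou.txt and friends.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2022"]


def build_sample_db():
    """Create the users table with unsalted SHA-256 hashes (the weak scheme)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password_hash TEXT)"
    )
    for uid, (user, pw) in enumerate(SAMPLE_USERS, start=1):
        digest = hashlib.sha256(pw.encode()).hexdigest()
        con.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                    (uid, user, f"{user}@example.com", digest))
    con.commit()
    return con


def list_tables(con):
    """Equivalent of `.tables` in the sqlite3 shell."""
    sql = "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    return [row[0] for row in con.execute(sql)]


def table_columns(con, table):
    """Equivalent of `PRAGMA table_info(<table>);` (column names only).
    PRAGMA cannot take bound parameters, so only pass names from list_tables()."""
    return [row[1] for row in con.execute(f"PRAGMA table_info({table})")]


def dump_users(con):
    """Equivalent of `SELECT * FROM users;`, trimmed to what a cracker needs."""
    return con.execute("SELECT username, password_hash FROM users").fetchall()


def shared_password_users(rows):
    """Unsalted hashes leak password reuse before any cracking happens."""
    by_hash = {}
    for user, digest in rows:
        by_hash.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def crack_unsalted(rows, wordlist):
    """Dictionary attack: one hash per candidate word covers every user."""
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[digest] for user, digest in rows if digest in lookup}


def salted_hash(password, salt, rounds=100_000):
    """What the table should have held: per-user salt plus a slow KDF, so
    identical passwords no longer share a digest and each guess costs work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


if __name__ == "__main__":
    con = build_sample_db()
    print("tables:", list_tables(con))
    print("users columns:", table_columns(con, "users"))
    rows = dump_users(con)
    print("password reuse:", shared_password_users(rows))
    print("cracked:", crack_unsalted(rows, WORDLIST))
    print("salted digests differ:",
          salted_hash("summer2022", b"salt-a") != salted_hash("summer2022", b"salt-b"))
```

Against a real dump you would hand the hashes to Hashcat or John instead of a Python loop, but the economics are the same: with no salt the cost of the attack is paid once for the whole table, and with a salted, slow hash it is paid per user per guess.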

Prevention steps Sensitive Data Exposure

When deciding on the storage type, it is very important to remember that you shouldn’t store sensitive data that is not required (store the least amount of data). If you need to store it, first figure out the safest location to store it and how to prevent the leakage of sensitive data.

When you store the data, protect it cryptographically, and use the right primitive for each field: passwords are never encrypted but hashed with a salted, slow password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2), so that a stolen table cannot simply be reversed; other sensitive fields are encrypted with keys kept outside the database and its backups. I found this site you can check out if you are working with ASP .NET CORE and want to see how to encrypt/decrypt data using the IDataProtector interface!

Before you store the data, it should be safe at all times, especially in transit! For safe transit, use TLS, which would enable secure communication. If you are using ASP .NET check out how to enable TLS on this blog.

As I mentioned before, attackers often use the “man in the middle” technique; because of that, you should also enable HSTS (HTTP Strict Transport Security), which tells browsers to refuse plain HTTP to your site after the first visit. HSTS is a response header sent by the server (or reverse proxy), not something a client-side framework can add, but if you use Angular there is a brief explanation of it on their official site.

Staying with ASP .NET and HSTS: in production you can modify the Startup class (or Program.cs in .NET 6) to call UseHttpsRedirection (the HTTPS Redirection Middleware) and also UseHsts (the HSTS Middleware). If you want to use that middleware, check out the official site! Note that the ASP .NET templates only call UseHsts outside the Development environment, since a cached HSTS policy on localhost is painful to undo.

Conclusion

I wanted to show you how many vulnerabilities from OWASP’s Top 10 list we covered through the previous articles and how many are left to be covered.

In the end, secure code is the cheapest code!

OWASP pages related to the topic:

Cover photo by Brett Jordan

#owasp #cryptographic-failures #top10

CISAnalysis – September 15, 2022

When I got the alert from CISA, I was a bit perplexed too. Why these vulnerabilities and why now? I mean we’re talking about bugs used back in 2015 to root Android devices and infect apps with the Zika malware…ergh, wait, no that’s not right… What was it? Zizi….no…ah! Tizi!

In the Binding Operational Directive (BOD 22-01), CISA makes it clear that vulnerabilities are added to the catalog only when there is clear evidence of active exploitation, regardless of their age. So the bug could have been exploited midway through Obama’s first term, as is the case for CVE-2010-2568, or just last week, as with attackers going after a vulnerability in Trend Micro’s Apex One.

The Windows Shell remote code execution vulnerability (CVE-2010-2568, the shortcut/LNK parsing bug) affects Windows XP, Server 2003, Vista, Server 2008, and Windows 7. I can’t say for certain how many federal agencies are still running these operating systems. But governments are typically burdened with red tape and don’t operate like private enterprises, so there could well be vulnerable systems out there that attackers can take advantage of.

So, at the end of the day, it doesn’t hurt to dig up these patches from the Stone Age and apply them. But I’m sure most threat actors are not paying any attention these days with so much $$$ in the crypto wallet hacks.

#cisa #cisanalysis #windows #Tizi #vulnerabilities #trendmicro

History in the Making: Uber CISO Goes on Trial

Cybersecurity history books will have at least one chapter covering the events of this week. If you’re a CISO, you’re probably well aware of what I’m talking about, but for everyone else, let me explain what’s going on.

In 2016, the ride-sharing company Uber fell victim to a data breach that exposed the personal information of roughly 57 million riders and drivers, including the driver’s license numbers of about 600,000 drivers. It was a big breach but otherwise unremarkable. The attackers did not deploy any particularly novel techniques or do much damage with the stolen data. The attack was ordinary; the response was not (allegedly).

Joe Sullivan, a former federal prosecutor and something of a celebrity in cybersecurity circles, was Uber’s CISO at the time. He led the response to the 2016 data breach…and now he’s on trial for his actions.

I will reserve as much judgment as possible as I outline what happened. My goal is not to root for one outcome or another. No, my goal is only to call attention to a fascinating situation in progress that will have repercussions for the entire cybersecurity community and beyond. No matter what happens, cybersecurity will not be the same after this trial.

 

A Fixer or a Fall Guy?

Joe Sullivan’s trial for obstruction of justice and misprision of a felony (failing to report one) began this week. The government essentially accuses Sullivan of failing to report the 2016 data breach to the Federal Trade Commission (FTC) and hiding it from his employers.

That accusation stems from the fact that Sullivan, upon learning about the breach, made contact with the two hackers responsible and offered them each a payment of $100,000 in exchange for signing a non-disclosure agreement. Those payments came through Uber’s bug bounty program.

Government lawyers accuse Sullivan of using these payments to essentially hide the attack from both regulators and his bosses at Uber. At the time, Uber was under strict scrutiny from the FTC because of a previous data breach in 2014. Framing the payment as a bounty (something minor) rather than a payoff (something major) allowed Sullivan to keep the existence of the data breach a secret, according to prosecutors, and avoid the ire of the FTC.

Sullivan sees things differently. He argues that payments through bug bounty programs and enhanced secrecy following an attack are not unusual. He also claims the breach was widely known about within Uber’s security team, and that responsibility for disclosing the attack to the FTC fell on Uber’s legal team. Sullivan believes he’s become the fall guy for an organization eager to make excuses for past failures instead of making improvements.

Did Joe Sullivan cover up the attack or follow standard operating procedure? That’s the question at the heart of the trial, and it’s sparking heated debates across cybersecurity. Some see Joe Sullivan as a dedicated defender using clever and necessary tactics to deal with the attackers (who were both eventually arrested and prosecuted). Others think Sullivan exemplifies the worst instinct in cybersecurity: to sweep attacks under the rug rather than strive to be transparent and accountable.

 

There’s more grey area here – much of it about the letter of the law rather than cybersecurity best practices – than either side would probably like to admit. But, to me, what’s even more interesting than the outcome of the trial is the fact that it’s happening at all.

CISOs in the Hot Seat

The government accuses Sullivan of violating federal and state laws mandating breach notifications. But the penalty for breaking those laws is to pay a fine, not to have the CISO stand trial, so why is Joe Sullivan in court?

Prosecutors are applying several legal theories that are interesting and worth diving into (but also long, complex, and densely argued). Rather than rehashing those arguments here, suffice it to say that the government has concocted an argument that could, from here on out, expose CISOs to criminal charges and sweeping legal liabilities for attacks (successful or otherwise) against their employer.

This obviously raises the stakes for being a CISO. And given the worsening state of cybersecurity, it could make serving as a CISO an extremely risky job, certainly compared to any other member of the C-Suite. Will that risk prompt companies to take cybersecurity extremely seriously? Or will it just make it extremely hard to recruit CISOs? I’m not sure, but I’m confident it will change the character of cybersecurity as we know it.

Provided it comes to fruition. Joe Sullivan’s trial is a test of the government’s legal arguments, and whether the court finds them convincing remains to be seen. A not guilty verdict could restore the status quo – but I think change is coming, either now or later.

In many ways, the prosecution of Joe Sullivan is punishment for Uber’s repeated and often egregious disregard for data security. They poked the bear one too many times. I think this prosecution, no matter how it plays out, signals a desire on the part of the FTC specifically and the government more broadly to enforce strong cybersecurity standards. Whether that results in CISOs going to jail or something else, I think the era of hiding or excusing cyber attacks is over. The risk far outweighs the reward.

What’s the fate of Joe Sullivan? I don’t know. No matter what, he’s cemented his place in cybersecurity history.

Twitter Whistleblower Hearing

Twitter’s former head of security, Peiter “Mudge” Zatko, gave damning testimony regarding Twitter’s alleged lack of cybersecurity measures to the Senate Judiciary Committee last Tuesday. Of course, it remains to be seen whether lawmakers will do more than grumble about such inexcusable vulnerabilities.

Among the two hours of testimony, Zatko described a disturbing unwillingness on the part of Twitter’s execs to secure the data of its 400 million users in a meaningful way. After the embarrassing social engineering hack in 2020, which led to the takeover of several high-profile accounts, Twitter hired Zatko to oversee security operations. He was brought on to control what he describes as a “ticking time bomb of security vulnerabilities” created by “10 years of overdue critical security issues, [without] making meaningful progress on them.”

The allegations made by Zatko would paint a comical picture if the implications weren’t so dire. Beyond the lax cybersecurity measures, we learn that Twitter possibly had a Chinese agent from the Ministry of State Security on the payroll. After notifying an executive about the possibility of foreign agents in the ranks, Zatko recounts that the executive responded with “Well, since we already have one, what does it matter if we have more?” We also learn from the hearing that the cause of this debacle, in Zatko’s opinion, is Twitter’s utter lack of understanding of the data it collects. “It doesn’t matter who has keys if you don’t have any locks on the doors,” he said.

In response to Zatko’s testimony, Twitter spokesperson Rebecca Hahn said that it “only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies.” Twitter’s response is interesting given the swathe of inquiries into Zatko’s background reported by Ronan Farrow in an article for the New Yorker. Purportedly, a number of research-and-advisory companies have approached former colleagues and individuals in the far reaches of Zatko’s professional sphere looking for information to discredit him.

The whistleblower testimony, along with Twitter’s subsequent actions, points to much more than simple ignorance of cybersecurity best practices. There appears to be a criminal disregard among Twitter’s execs for the data security of the platform’s users in favor of profit and the status quo. Those implicated should be held accountable beyond corporate fines that amount to little more than a scolding. At least things are looking good for billionaire Musk’s attempt to renege on his agreement to acquire Twitter.

Threat Actors, Categories, and the Impact on Your Business

Intro

In this article I will cover some basics about the types of threat actors, threat categories, and their possible impact on your organization.

Let’s get to it!

Threats

Before looking at the types of threat actors, let me give you a quick rundown of what is considered a threat and how it impacts businesses.

By definition, a threat is a potential event, unplanned and outside your control, whose aim is to exfiltrate (exfil), manipulate, or access your organization’s resources. It maps directly onto the loss of confidentiality, integrity and availability of those resources (the CIA triad).

This can impact your organization’s information systems, your network(s), and other resources.

Impact

The impact on your organization can vary, however, it should always be considered as a major concern since it can target anything, from your org’s assets to the financials, and for example personal info of your employees. There’s no list that’s set in stone, but usually, the impact is about:

  • Loss of integrity and confidentiality – basically, your data or resources are less trustworthy, this further damages your org’s reputation, and business credibility
  • Damage to the customer relationship – this would impact your org’s relationship with its clients, losing some of them, thus resulting in a drop in profits/sales
  • Financial losses – your org faces financial losses, either directly (maybe you got ransomwared and are asked to pay up), or indirectly (the man-hours spent to repair and recover from the breach, etc.)
  • Operational impact – disruption to your operations; could even affect your entire org’s network
  • Business reputation – you take a hit to your org’s reputation, which can even result in losing existing clients and having troubles gaining new ones

Threat Actors

There are many different types of threat actors out there, however, the ones I am going to list here are what you will usually find in other resources on the Internet, handbooks, etc.

  • Script kiddies
  • Hacktivists
  • State-sponsored hackers
  • Insiders
  • Cyber terrorists
  • Industrial spies
  • Recreational (hobbyist) hackers
  • Organized/hacker groups
  • Ransomware gangs
  • APTs

Script kiddies – unskilled ‘hackers’ who usually run malicious scripts, and software in hopes of breaching a system/network. They don’t understand the tooling and its inner workings, they just acquire it and run it blindly against system(s). What you might call – spray and pray tactic.

Hacktivists – People who hack but are driven by political and/or ideological agenda. They are not novices and usually know what they’re doing, however, the whole motivation behind their attacks is driven by that agenda. This is usually manifested in the form of disabling or defacing websites, maybe even doxing and other similar stuff.

State-sponsored hackers – These guys are employed by their respective governments to breach and steal top-secret information, or to just damage the systems of other (competing) governments.

Insiders – These are YOUR employees, within your org: usually terminated or disgruntled employees, or simply untrained staff. They are generally the hardest to catch, because they already have legitimate access; perimeter and signature-based detection won’t flag them, so you have to watch behaviour instead (unusual access patterns, bulk downloads, off-hours activity). They can do a lot of damage for the same reason: their access is authorized. Imagine a disgruntled employee ‘sharing’ their credentials with a hacker group they found on the dark web, or something along those lines. Nasty.

Cyber terrorists – These individuals are similar to the hacktivists as they are also driven by political, or, in this case, religious agenda, but their goal is a bit different. As we all know their currency is fear, thus cyber-terrorists aim to create fear and/or larger disruptions to your systems/network(s).

Industrial spies – They attack companies for commercial purposes, they are usually hired by competing companies with the idea of attacking their competitors to steal confidential data such as financial records, employee information, your business strategy, or your proprietary data.

Recreational hackers – These hackers are the ones who hack systems so they can learn more, they don’t care about financial gain. They mostly exploit stuff they can for the said learning purposes.

Organized/group hackers – A merry band of hacker friends with a goal to exploit and hack stuff for pure profit. They will go for your SSNs, PIIs, health records, financials, credit card information, etc. Anything they can use for leverage to get their payout or steal directly.

Ransomware gangs – These guys are also an organized group of hackers, but once they breach you and get into your systems they deploy ransomware. After encrypting your data, they demand a ransom to give it back (and, increasingly, threaten to leak the copy they stole first). Typically they get in with compromised credentials, then drop their payload: specially crafted encrypting malware, the ransomware itself. Some well-known ransomware groups include Conti, Hive, LockBit, and AlphV/BlackCat; Lapsus$ is often listed alongside them, although it was primarily a data-theft and extortion crew rather than a ransomware operation. (Try not to pay the ransom! Instead have backups and a tested recovery plan, disconnect network-connected devices where you can – I talked about this in previous articles – and contact the authorities.)

APTs or Advanced Persistent Threats – These are the stealthiest threat actors out there, and are typically a nation state itself, nation-state sponsored groups, or organized crime groups. They aim to breach your systems silently and establish themselves inside without being noticed by your detection systems. Their motivations are typically political or economic. The definition varies from source to source, but the main thing for these groups is that they try to remain inside your systems undetected for as long as they can. The median dwell time (2018 data) was 71 days in the Americas, 177 days in EMEA, and 204 days in the APAC region! APTs – Wiki

Both ransomware gangs and APTs might be grouped within the organized/group hackers, but I wanted to accentuate the distinction here. My article may not have the structure and strictness of a (hand)book, as my goal was not to bore you or enter a scholarly polemic, just provide you with the info straight on, so you can familiarize yourself with it and even take it further from here.

Threat Categories

Again, this might be structured differently in different sources, but I feel the following categorization is a good starting point, as a loose guideline of sorts.

Categories I included here are:

  • Network-based threats
  • Host-based threats
  • Application-based threats

Network-based Threats – These can include: information gathering/recon, sniffing (eavesdropping), spoofing, MITM (Man-in-the-Middle) attacks and session hijacking, DNS and ARP poisoning, password-based attacks, DoS attacks, firewall and IDS attacks.

Host-based Threats – These would include: malware attacks, arbitrary code execution, unauthorized access, privilege escalation, backdoors, physical security threats, footprinting.

Application-based Threats – These can be (but are not limited to, of course – the same holds for the lists above!): improper input validation, authentication attacks, security misconfiguration, information disclosure, broken session management, buffer overflow attacks, SQLi, phishing, improper error handling and exception management.

Conclusion

Think of this article as an extremely compact explanation of threat actors and categories. I hope it provides enough initial info that you can build on it further! In future articles, I will circle back to this topic and cover some of the stuff mentioned here – or related to it – in more depth.

Until next time! Stay tuned.

Useful Links

https://nvd.nist.gov

https://cve.mitre.org

https://www.vulnerability-lab.com

https://cyber.gc.ca/en/guidance/introduction-cyber-threat-environment

advanced persistent threat – Glossary | CSRC (nist.gov)

Cover image by Martin Sanchez

#threat-actors #threat-categories #impact
