Tuesday, 16 August 2022

Ransomware and how can you defend your business from it

 Ransomware is a kind of malware used by cybercriminals to stop users from accessing their systems or files; the cybercriminals then threaten to leak, destroy or withhold sensitive information unless a ransom is paid.

Ransomware attacks can target either the data held on computer systems (known as locker ransomware) or devices (crypto-ransomware). In both instances, once a ransom is paid, threat actors typically provide victims with a decryption key or tool to unlock their data or device, though this is not guaranteed.

Oliver Pinson-Roxburgh, CEO of Defense.com, the all-in-one cybersecurity platform, shares knowledge and advice in this article on how ransomware works, how damaging it can be, and how your business can mitigate ransomware attacks from occurring.

Ransomware attack comprise

There are three key elements to a ransomware attack:

Access-In order to deploy malware to encrypt files and gain control, cybercriminals need to initially gain access to an organization's systems.


Trigger-The attackers have control of the data as soon as the malicious software is activated. The data is encrypted and no longer accessible by the targeted organization.


Demand-The victims will receive an alert that their data is encrypted and cannot be accessed until a ransom is paid.


What is the cost of being targeted by ransomware?

The average pay-out from ransomware attacks has risen from $312,000/£260,000 in 2020 to $570,000/£476,000 in 2021 – an increase of 83%. One report also showed that 66% of organisations surveyed were victims of ransomware attacks in 2021, nearly double that of 2020 (37%). This highlights the need for businesses to understand the risks and implement stronger defenses to combat the threats.

Ransomware continues to rank amongst the most common cyberattacks in 2022, due to its lucrative nature and fairly low level of effort required from the perpetrators. This debilitating attack causes an average downtime of 3 weeks and can have major repercussions for an organization, for its finances, operations and reputation.

Because there is no guarantee that cybercriminals will release data after a ransom is paid, it is crucial to protect your data and keep offline backups of your files. It's also very important to proactively monitor and protect entry points that a hacker may exploit, to reduce the possibility of being targeted in the first place.

Who is at risk of being a target of ransomware?

In the past, cybercriminals have typically targeted high-profile organizations, large corporations and government agencies with ransomware. This is known as 'big game hunting' and works on the premise that these companies are far more likely to pay higher ransoms and avoid unwanted scrutiny from the media and public. Certain organizations, such as hospitals, are higher-value targets because they are far more likely to pay a ransom and to do so quickly because they need access to important data urgently.

However, ransomware groups are now shifting their focus to smaller businesses, in response to increased pressure from law enforcement who are cracking down on well-known ransomware groups such as REvil and Conti. Smaller companies are seen as easy targets that may lack effective cybersecurity defenses to prevent a ransomware attack, making it easier to penetrate and exploit them.

Ultimately, threat actors are opportunists and will consider most organizations as targets, regardless of their size. If a cybercriminal notices a vulnerability, the company is fair game.

How is ransomware deployed?

Phishing attacks

The most common delivery method of ransomware is via phishing attacks. Phishing is a form of social engineering and is an effective method of attack as it relies on deceit and creating a sense of urgency. Threat actors trick employees into opening suspicious attachments in emails and this is often achieved by imitating either senior-level employees or other trusted figures of authority.

Malvertising

Malicious advertising is another tactic used by cybercriminals to deploy ransomware, where ad space is purchased and infected with malware that is then displayed on trusted and legitimate websites. Once the ad is clicked, or even in some cases when a user accesses a website that's hosting malware, that device is infected by malware that scans the device for vulnerabilities to exploit.

Exploiting vulnerable systems

Ransomware can also be deployed by exploiting unpatched and outdated systems, as was the case in 2017, when a security vulnerability in Microsoft Windows, EternalBlue (MS17-010), led to the global WannaCry ransomware attack that spread to over 150 countries.

It was the biggest cyberattack to hit the NHS: it cost £92m in damages plus the added costs of IT support restoring data and systems affected by the attack, and it directly impacted patient care through cancelled appointments.

Four key methods to defend your business against ransomware

It is crucial that businesses are aware of how a ransomware attack may affect their organization, and how they can prevent cybercriminals from breaching their systems and holding sensitive data to ransom. Up to 61% of organizations with security teams consisting of 11–25 employees are said to be most concerned about ransomware attacks.

The NHS could have avoided being impacted by the WannaCry ransomware attack in 2017 by heeding warnings and migrating away from outdated software, ensuring strategies were in place to strengthen their security posture.

It's essential that your business takes a proactive approach to cybersecurity by implementing the correct tools to help monitor, detect, and mitigate suspicious activity across your network and infrastructure. This will reduce the number and impact of data breaches and cyberattacks.

Defense.com recommend these four fundamental tactics to help prevent ransomware attacks and stay one step ahead of the hackers:

1 — Training

    Cybersecurity awareness training is pivotal for businesses of all sizes as it helps employees to spot potentially malicious emails or activity.

    Social engineering tactics, such as phishing and tailgating, are common and successful due to human error and employees not spotting the risks. It's vital for employees to be vigilant around emails that contain suspicious links or contain unusual requests to share personal data, often sent by someone pretending to be a senior-level employee.

    Security training also encourages employees to query visitors to your offices to prevent ransomware attacks via physical intrusion.

    Implementing cybersecurity awareness training will help your business routinely educate and assess your employees on fundamental security practices, ultimately creating a security culture to reduce the risk of data breaches and security incidents.

    2 — Phishing simulators

      These simulator tools support your security awareness training by delivering fake but realistic phishing emails to employees. Understanding how prone your staff are to falling for a real cybercriminal's tactics allows you to fill gaps in their training.

      When you combine phishing simulators with security training, your organization can lessen the chance of falling victim to a ransomware attack. The combination of training and testing puts you in a better position to prevent the cunning attempts of cybercriminals to infiltrate your IT systems and plant malware.

      3 — Threat monitoring

        You can make your business less of a target for cybercriminals by actively monitoring potential threats. Threat Intelligence is a threat monitoring tool that collates data from various sources, such as penetration tests and vulnerability scans, and uses this information to help you defend against potential malware and ransomware attacks. This overview of your threat landscape shows which areas are most at risk of a cyberattack or a data breach.

        Being proactive ensures you stay one step ahead of hackers and by introducing threat monitoring tools to your organization, you ensure any suspicious behaviour is detected early for remediation.

        4 — Endpoint protection

          Endpoint protection is key to understanding which of your assets are vulnerable, to help protect them and repel malware attacks like ransomware. More than just your typical antivirus software, endpoint protection offers advanced security features that protect your network, and the devices on it, against threats such as malware and phishing campaigns.

          Anti-ransomware capabilities should be included in endpoint protection so it can effectively prevent attacks by monitoring suspicious behaviour such as file changes and file encryption. The ability to isolate or quarantine any affected devices can also be a very useful feature for stopping the spread of malware.

          This article is written and contributed by Oliver Pinson-Roxburgh, CEO at Defense.com.



          read more news 







          Thursday, 11 August 2022

          Aircrack-ng

          Aircrack-ng is a wireless security software suite. It consists of a network packet analyzer, a WEP network cracker, and WPA / WPA2-PSK along with another set of wireless auditing tools. Here are the most popular tools included in the Aircrack-ng suite. read more

          Wednesday, 10 August 2022

          Netcat

          Netcat is a Unix utility which reads and writes data across network connections using TCP or UDP protocol. 

          Following tasks can be done easily with Netcat:

            • Connect to a port of a target host.
            • Listen to a certain port for any inbound connections.
            • Send data across client and server once the connection is established.
            • Transfer files across the network once the connection is established.
            • Can execute programs and scripts of the client on the server and vice versa.
            • Can Provide remote shell access of server to a client where shell commands can be executed.
          • read more

          Sunday, 7 August 2022

          WPScan

          WPScan is a security scanner designed for testing the security of websites built using WordPress. WPScan was developed using the Ruby programming language and then released in the first version in 2019. The WPScan security scanner is primarily intended to be used by WordPress administrators and security teams to assess the security status of their WordPress installations. It is used to scan WordPress websites for known vulnerabilities both in WordPress and commonly used WordPress plugins and themes. The code base for WPScan is licensed under GPLv3.

          WPScan is a WordPress black box scanner. The goal for using WPScan is to execute the activities of a real threat actor. WPScan does not require access to the source code or the WordPress dashboard.  WPScan uses the wpvulndb.com vulnerability database which is a comprehensive list of WordPress core, plugin, and theme vulnerabilities. Frequently running WPScan is important to make sure that plug-ins and themes have no exposed vulnerabilities. Once set up, WPScan will run automatically on a daily basis.

          WPScan is a Ruby application and can be run on Linux (and macOS also) by installing the Ruby gem. You can also run it by cloning the corresponding WPScan Github repository. A quick start can be done by installing the WPScan plugin on the WordPress website. Alternatively, you can use a Docker image. WPScan is also included in Linux distributions including Kali Linux and Pentoo. 

          WPScan has a strong feature set which includes, but is not limited to:

          Username enumeration. 

          Enumeration attacks involve an attacker trying to determine if a target exists on the target system. The threat actor tries to detect which users exist on a website. The threat actor can then use this information as part of a larger attack chain. WPScan will utilize enumeration techniques just like a real threat actor.  In a user enumeration attack, a threat actor will identify the variations in how WordPress responds to specific requests. Depending on the response received, the attacker can determine  if the user exists. The threat actor may be able to use this information as part of a larger attack. Standard WordPress installations are often vulnerable to user enumeration, so you will need to protect against this attack vector. WPScan can quickly identify if this vulnerability exists. WPScan will try to enumerate all users on a given WordPress installation. 

          Version detection.

           WPScan can detect the versions of WordPress core, plugins and themes,

          Publicly accessible sensitive data.

           WPScan can check for publicly accessible wp-config.php backups and other database exports.

          Password cracking.

           WPScan also has a password cracker. This can help you check your website for weak authentication credentials. You would need to provide WPScan with a password dictionary of your choosing. In an online method, repeatedly try to log in using a login form displayed by the targeted website. Success is just a matter of time for threat actors to break weak passwords. In contrast, in an offline attack, threat actors attack hashes which they downloaded from a hacked target on their servers. The use of offline password cracking is much faster. But without a copy of your WordPress database, they have no choice but to try for an online attack. Brute force attacks are also an option, but generally take too much time and effort. Dictionary attacks generally provide the best return on time invested for a threat actor. A dictionary attack relies on the use of a list of commonly harvested passwords. Attackers have a lot of passwords available at their disposal as a result of all the data breaches major websites have faced over the years.

          Version enumeration. 

          WPScan can check theme and plugin versions against the wpvulndb.com WordPress vulnerability database. WPScan will also flag if the version of WordPress you are running contains security vulnerabilities. This results in a prompt to upgrade to the current version of WordPress.

          Licensing

          WPScan is actually not Open Source software. WPScan is licensed with a custom license that requires a fee to be paid if used commercially. Please check the WPScan website here for the best data: https://wpscan.com/wordpress-security-scanner 

          Other important security considerations for WordPress sites

          1) Maintenance of a WordPress audit trail of all WordPress website activity and changes.

          2) A WordPress firewall helps filter incoming traffic to WordPress websites. Good traffic is allowed to access the website, while malicious and suspect traffic and bots are blocked. WordPress firewalls can also be configured to stop attacks on specific targeted entry points and other vulnerabilities within a WordPress website.

          3) The establishment of strong WordPress authentication and password policies

          4) The use of two-factor authentication.





          Saturday, 6 August 2022

          Skipfish

           Skipfish is a free, open-source Automated Penetration Testing tool available on GitHub made for security researchers.  Skipfish is used for information gathering and testing the security of websites and web servers. Skipfish is the easiest and one of the best tools for penetration testing. It provides many integrated tools to perform penetration testing on the target system.

          This tool is also known as an active web application security reconnaissance tool. This tool functions and makes a map on the console of the targeted site using recursive crawl and dictionary-based probes. 

          This tool gives us all the security checks that are active in the domain. Lastly, this tool generates a report which can be further used for security assessments.

          Features and Uses of Skipfish tools :

          • Skipfish is Open source intelligence tool.
          • Skipfish can track enumeration.
          • Skipfish is a fully automated tool.
          • Skipfish has more than 15 modules that can be used for penetration testing.
          • Skipfish is used to scanning websites and web apps.
          • Skipfish is used to scan content management systems(CMS).
          • Skipfish can find vulnerabilities in CMS, eg. WordPress, Joomla, etc.
          • Skipfish has a large number of modules, such as metagoofil, wananga, etc.

          Installation 

          Step 1: 

          To install the tool first move to desktop and then install the tool using the following command.

          git clone https://gitlab.com/kalilinux/packages/skipfish.git

           Step 2: 

          The tool has been downloaded into your kali Linux machine. Now move into the tool directory using the following command.

          cd skipfish

          ls

          skipfish -h

           Step 3:

           Now you can see the help menu of the tool is running. You can use all the flags which are used with the tool. The tool has been downloaded and now we will see how to use it.

          Usage

          Example 1: Use skipfish tool to scan a WordPress website using its IP address.

          skipfish -o 202 http://192.168.1.202/wordpress

          This is the report of the tool. You can use this tool with your own target. You can use any domain of your own choice. 

          Example 2: Use Skipfish tool to scan bodegeit

          sudo skipfish -o SkipfishTEST http://192.168.225.37/bodgeit

          You can see that the tool has given all information such as scan time, HTTP requests to host, compression size, TCP handshakes, etc. This is how you can also perform an operation on your own specified target.

          Thursday, 4 August 2022

          Burp Suite

          Burp Suite contains various tools for performing different testing tasks. The tools operate effectively together, and you can pass interesting requests between tools as your work progresses, to carry out different actions.


          • Target - This tool contains detailed information about your target applications, and lets you drive the process of testing for vulnerabilities.
          • Proxy - This is an intercepting web proxy that operates as a man-in-the-middle between the end browser and the target web application. It lets you intercept, inspect and modify the raw traffic passing in both directions.
          • Scanner - This is an advanced web vulnerability scanner, which can automatically crawl content and audit for numerous types of vulnerabilities.
          • Intruder - This is a powerful tool for carrying out automated customized attacks against web applications. It is highly configurable and can be used to perform a wide range of tasks to make your testing faster and more effective.
          • Repeater - This is a tool for manually manipulating and reissuing individual HTTP requests, and analyzing the application's responses.
          • Sequencer - This is a sophisticated tool for analyzing the quality of randomness in an application's session tokens or other important data items that are intended to be unpredictable.
          • Decoder - This is a useful tool for performing manual or intelligent decoding and encoding of application data.
          • Comparer - This is a handy utility for performing a visual "diff" between any two items of data, such as pairs of similar HTTP messages.
          • Extender - This lets you load Burp extensions, to extend Burp's functionality using your own or third-party code.
          • Logger - This is a tool for recording and analyzing HTTP traffic that Burp Suite generates.
          • Inspector - This provides some useful features for analyzing and editing HTTP and WebSockets messages.
          • Collaborator client - This is a tool for making use of Burp Collaborator during manual testing.
          • DOM Invader - This is a tool for finding DOM XSS vulnerabilities.
          • Clickbandit - This is a tool for generating Clickjacking attacks.
          • Mobile Assistant - This is a tool to facilitate testing of mobile apps with Burp Suite.

          Tuesday, 2 August 2022

          Sqlmap

          sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches lasting from database fingerprinting to data fetching from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

          Features

          1) Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, MemSQL, TiDB, CockroachDB, HSQLDB, H2, MonetDB, Apache Derby, Amazon Redshift, Vertica, Mckoi, Presto, Altibase, MimerSQL, CrateDB, Greenplum, Drizzle, Apache Ignite, Cubrid, InterSystems Cache, IRIS, eXtremeDB, FrontBase, Raima Database Manager, YugabyteDB and Virtuoso database management systems.

          2) Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries, and out-of-band.

          3) Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port, and database name.

          4) Support to enumerate users, password hashes, privileges, roles, databases, tables, and columns.

          5) Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.

          6) Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.

          7) Support to search for specific database names, specific tables across all databases, or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain strings like name and pass.

          8) Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL, or Microsoft SQL Server.

          9) Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL, or Microsoft SQL Server.

          10) Support establishing an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session, or a graphical user interface (VNC) session as per the user's choice.

          11) Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.


          Download


          You can download the latest zipball or tarball.

          Preferably, you can download sqlmap by cloning the Git repository:

          git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev


          Documentation









          Monday, 1 August 2022

          Wireshark

          What Is Wireshark?

          Wireshark is a network protocol analyzer, or an application that captures packets from a network connection, such as from your computer to your home office or the internet. Packet is the name given to a discrete unit of data in a typical Ethernet network.

          Wireshark is the most often-used packet sniffer in the world. Like any other packet sniffer, Wireshark does three things:

          Packet Capture: Wireshark listens to a network connection in real time and then grabs entire streams of traffic – quite possibly tens of thousands of packets at a time. 

          Filtering: Wireshark is capable of slicing and dicing all of this random live data using filters. By applying a filter, you can obtain just the information you need to see. 

          Visualization: Wireshark, like any good packet sniffer, allows you to dive right into the very middle of a network packet. It also allows you to visualize entire conversations and network streams.

           Packet sniffing can be compared to spelunking – going inside a cave and hiking around. Folks who use Wireshark on a network are kind of like those who use flashlights to see what cool things they can find. After all, when using Wireshark on a network connection (or a flashlight in a cave), you’re effectively using a tool to hunt around tunnels and tubes to see what you can see.

          What Is Wireshark Used For?

          Wireshark has many uses, including troubleshooting networks that have performance issues. Cybersecurity professionals often use Wireshark to trace connections, view the contents of suspect network transactions, and identify bursts of network traffic. It’s a major part of any IT pro’s toolkit – and hopefully, the IT pro has the knowledge to use it.

          When Should Wireshark Be Used?

          Wireshark is a safe tool used by government agencies, educational institutions, corporations, small businesses, and nonprofits alike to troubleshoot network issues. Additionally, Wireshark can be used as a learning tool.

          Those new to information security can use Wireshark as a tool to understand network traffic analysis, how communication takes place when particular protocols are involved and where it goes wrong when certain issues occur.

          Of course, Wireshark can’t do everything.

          First of all, it can’t help a user who has little understanding of network protocols. No tool, no matter how cool, replaces knowledge very well. In other words, to properly use Wireshark, you need to learn exactly how a network operates. That means you need to understand things such as the three-way TCP handshake and various protocols, including TCP, UDP, DHCP, and ICMP.

          Second, Wireshark can’t grab traffic from all of the other systems on the network under normal circumstances. On modern networks that use devices called switches, Wireshark (or any other standard packet-capturing tool) can only sniff traffic between your local computer and the remote system it is talking to.

          Third, while Wireshark can show malformed packets and apply color coding, it doesn’t have actual alerts; Wireshark isn’t an intrusion detection system (IDS).

          Fourth, Wireshark can’t help with decryption with regards to encrypted traffic.

          And finally, it is quite easy to spoof  IPv4 packets. Wireshark can’t really tell you if a particular IP address it finds in a captured packet is a real one or not. That requires a bit more know-how on the part of an IT pro, as well as an additional software.

          Common Wireshark Use Cases

          Here’s a common example of how a Wireshark capture can assist in identifying a problem. The figure below shows an issue on a home network, where the internet connection was very slow.

          As the figure shows, the router thought a common destination was unreachable. This was discovered by drilling down into the IPv6 Internet Message Control Protocol (ICMP) traffic, which is marked in black. In Wireshark, any packet marked in black is considered to reflect some sort of issue.

          In this case, Wireshark helped determine that the router wasn’t working properly and couldn’t find YouTube very easily. The problem was resolved by restarting the cable modem. Of course, while this particular problem didn’t necessitate using Wireshark, it’s kind of cool to authoritatively finalize the issue.

          When you take another look at the bottom of Figure 2, you can see that a specific packet is highlighted. This shows the innards of a TCP packet that is part of a transport layer security (TLS) conversation. This is a great example of how you can drill down into the captured packet.

          Using Wireshark doesn’t allow you to read the encrypted contents of the packet, but you can identify the version of TLS the browser and YouTube are using to encrypt things. Interestingly enough, the encryption shifted to TLS version 1.2 during the listening.

          Wireshark is often used to identify more complex network issues. 












          Microsoft Thwarts Chinese Cyber Attack Targeting Western European Governments

            Microsoft on Tuesday   revealed   that it repelled a cyber attack staged by a Chinese nation-state actor targeting two dozen organizations...