Monday, 21 September 2015

Can an air-gap system be hacked?

The answer to the question above would have been “no” a few years back, but today, with the proliferation of the “internet of things” and reports of cyber-attacks on critical infrastructure such as oil and gas, water, electricity and transportation systems, the answer is “yes”: air-gapped systems can also be hacked.

In the wake of the recent data breach of a US Government system, in which 4 billion data records were hacked, a question came to my mind: if a US government system can be breached, what about us? Do we have the appropriate processes, technologies and cyber-aware people to defend the organization against such a threat? As the saying goes, you are only as secure as your weakest link.

I have been reading through a lot of reports and studies from well-known institutes and organizations that rank the “cyber threat” as the number ONE threat to an organization. The first thought that came to my mind was that when I used to carry out security assessments for clients, my objective was to gain access to the system; for that I would spend hours trying to identify a vulnerability on the client system and then develop an exploit for it that would give me access to the system.

Now those steps can be packaged into a piece of automated code; find a way of delivering that code to the target system and voilà, you have access to the system.

This is what sophistication means, and what is known as the Advanced Persistent Threat: a small piece of code, executed by unwitting humans, that never betrays its masters and lies undetected for long years until the organization learns that it has been breached / hacked.

Can an organization protect itself from such a sophisticated cyber threat?

The good news is “yes”, it can, but only when it has a razor-sharp, focused and targeted cyber security program aimed at such a sophisticated threat.

The cyber security program should cover three core components across people, process and technology, which could be the following:

Cybersecurity governance - This component sets the senior management intent, vision and direction for cybersecurity.

Cybersecurity management controls - This component addresses the set of processes that should be in place.

Cybersecurity technical controls - This component addresses the set of technical controls required by the cybersecurity management program.

Thursday, 17 September 2015

Threat Landscape

Back in July 2015, 12 hours before the New York Stock Exchange officially reported that it was facing “technical difficulties and currently working to resolve them”, the infamous hacker group “Anonymous” tweeted “Wonder if tomorrow is going to be bad for Wall Street.... we can only hope”, hinting at something sinister. Cyber security professionals from the Department of Homeland Security found no signs of a cyber-attack correlating to the event and stated that the tweet was just a coincidence.

Well, NYSE wasn’t alone. The Wall Street Journal website also experienced technical issues, and United Airlines grounded all its flights due to what it called a technical glitch. The three entities lost a lot more than just millions of dollars in paper money; perhaps they lost some of their customers and tarnished their reputations a little on that ill-fated day.

NYSE, WSJ and United Airlines might have avoided the lawsuits hovering over them because they practised and lived up to the concept of “due diligence” in their own ways. Although NYSE and WSJ do not openly disclose how they protect themselves, United Airlines hired the world, in one of the most ambitious and novel bug bounty reward programs, to find security flaws in its web pages.

The point of writing this post isn’t merely to highlight that cyber-attacks are flourishing and real, but to stress the bitter truth that even when proper controls are in place, a malicious, persistent attacker will get his way through the controls and keep infiltrating until he hits his target.

Well, what in your opinion would prevent a determined attacker from reaching its prey? To be honest, nothing! What can be done then? The time and method of the attack are certainly not ours to control, but the impact of its repercussions is. Continuous monitoring could be one solution. Once an infected system is identified, it must be isolated from the network, for obvious reasons.

Thursday, 11 June 2015

The land of Sand dunes and Oil: Cyber crime overview - A post by Franklin Lobo

In a highly networked environment, where employees need round-the-clock access to channels for communication, information sharing and collaboration, it is only natural that the use of web-based applications is becoming increasingly prevalent in business. From a security perspective, however, this trend has not been without cost.

Cyber security is a problem all over the world, but in the Middle East the problem is intensified, as there are no universal standards or regulations being enforced or followed by organizations. In recent years the Middle East has become a hotspot for cyber attacks. In August 2012 there was a major cyber attack at a critical infrastructure institution that generates revenue for the country, in which a massive malware outbreak took down 30,000 workstations within the company. Then there was a virus attack on another critical infrastructure organization in the region, which hit the company’s office systems and paralyzed the normal functions of the firm. Financial institutions, such as some banks in the region, lost $45 million in one such attack, in which the hackers stole card data from the firm’s database, managed by vendors, and then created fake cards to withdraw cash.

Cyber attack is a growing problem in all sectors of our world, from government institutions to private organizations. Many organizations experience thousands of network intrusion attempts by cyber attackers daily. What’s important is that organizations are prepared to handle such intrusions so that they are detected early and mitigated in time, before they create major disruptions. Many organizations lack the process, technology and governance to combat this growing threat, including very sophisticated and stealthy advanced persistent threats (APTs), which can compromise multiple systems, collect mass data over time and transmit that data to an attacker or attacker network.

Organizations need to plan ahead if they are to safeguard their infrastructure from cyber attacks. They need to identify their trust boundaries and develop a layered security approach. The key step is to identify the critical assets within the organization and the vulnerabilities which could lead to a security breach. Organizations need to conduct external and internal security assessments of the identified assets to find important vulnerabilities and develop a mitigation plan. Network-based attacks can be mitigated by conducting a technical review of the organization’s network architecture; the configuration of network elements such as firewalls, IPS, IDS and access servers needs to be reviewed against security best practices and their implementation.

For organizations to win the race against cyber crime, it’s important to stay a step ahead of the hackers. It is also reasonable to expect cybercriminals, whatever their motivation, to use ever more sophisticated means to gain control of information and threaten critical infrastructure. Thus it’s important for organizations to stay alert and stay prepared to counter cyber crime.

Thursday, 12 February 2015

A Fundamental design flaw in Microsoft’s platform: Patched after a decade!

Microsoft has disclosed a vulnerability classified as critical. It is called JASBUG.
Cutting the jazz and coming to the point: this vulnerability is serious, as it poses a high risk of a MiTM-type attack, and exploitation could cause remote code execution without user intervention.

The vulnerability affects core components of the Microsoft Windows operating system.

All domain-joined Windows clients and servers (i.e. members of a corporate Active Directory) may be at risk. The vulnerability is remotely exploitable and may grant the attacker administrator-level privileges on the target machine/device. Roaming machines – domain-joined Windows devices that connect to corporate networks via the public Internet (e.g. from hotels and coffee shops) – are at heightened risk.

Now let’s explain the flow:

1. In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file from a given location.
2. On the attacker’s machine, a share is set up that exactly matches the path of the file requested by the victim. The attacker will have crafted the contents of the file to execute arbitrary, malicious code on the target system. Depending on the service requesting the file, this could be executed as the local user or as the SYSTEM account on the victim’s machine.
3. The attacker then modifies the ARP table in the local switch to ensure that traffic intended for the target server is now routed to the attacker’s machine.
4. When the victim’s machine next requests the file, the attacker’s machine returns the malicious version of the file.

This attack cannot be used broadly across the Internet. An attacker needs to target a specific system or group of systems that request files, so as of now home users are reasonably okay. But it is important that systems administrators move rapidly but responsibly.

Key areas to address:

1. Configuring UNC Hardened Access through Group Policy
2. Reviewing the Server Message Block (SMB) implementation
3. Revisiting the Group Policy settings

We at cyberwarriors highly recommend visiting:

| Ryan (Zeus)
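The first of the areas listed above, UNC Hardened Access, is a Group Policy setting that ends up in the registry, so it can be audited. The script below is an added example written for this post, not code from the original or from Microsoft. It assumes the registry location Microsoft documents for the policy (Computer Configuration > Administrative Templates > Network > Network Provider > Hardened UNC Paths, stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths, one value per UNC path with data such as "RequireMutualAuthentication=1, RequireIntegrity=1"). The .reg export it parses is constructed for illustration, and the functions parse_reg_export, read_live_policy and audit_hardened_paths are this example's own names.

```python
"""Audit the Hardened UNC Paths policy (UNC Hardened Access).

Added example, not from the original post. Assumed registry location, as
documented by Microsoft for the Group Policy setting
  Computer Configuration > Administrative Templates > Network >
  Network Provider > Hardened UNC Paths:
  HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider\\HardenedPaths
Each value name is a UNC path; its data lists flags such as
  RequireMutualAuthentication=1, RequireIntegrity=1
"""
import re
import sys

HARDENED_PATHS_KEY = r"SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths"

# Shares every domain member reads Group Policy from; both must be hardened.
REQUIRED_PATHS = (r"\\*\NETLOGON", r"\\*\SYSVOL")
# Mutual authentication stops the client trusting whichever host answers to the
# server's name; integrity (SMB signing) stops file content being altered in transit.
REQUIRED_FLAGS = {"RequireMutualAuthentication": "1", "RequireIntegrity": "1"}

# Constructed .reg export for the demo: NETLOGON is hardened correctly, SYSVOL
# only requires integrity, and a third share has mutual authentication off.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths]
"\\\\*\\NETLOGON"="RequireMutualAuthentication=1, RequireIntegrity=1"
"\\\\*\\SYSVOL"="RequireIntegrity=1"
"\\\\fileserver\\scripts"="RequireMutualAuthentication=0"
'''

# "name"="string data" line of a .reg file; backslashes and quotes are escaped.
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files write a backslash as \\ and a double quote as \"
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {unc_path: flag_string} from the HardenedPaths section of a .reg export."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.upper().endswith(HARDENED_PATHS_KEY.upper() + "]")
            continue
        m = _REG_VALUE.match(line) if in_section else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def read_live_policy():
    """Windows only: read the effective values straight from HKLM."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read needs Windows; use parse_reg_export")
    import winreg
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HARDENED_PATHS_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = data
    except FileNotFoundError:
        pass  # policy never configured: every path is unhardened
    return values


def parse_flags(data):
    """'RequireMutualAuthentication=1, RequireIntegrity=1' -> {'RequireMutualAuthentication': '1', ...}"""
    flags = {}
    for part in data.split(","):
        name, sep, value = part.partition("=")
        if sep:
            flags[name.strip()] = value.strip()
    return flags


def audit_hardened_paths(values):
    """Return findings for the Group Policy shares; an empty list means compliant."""
    by_path = {k.upper(): v for k, v in values.items()}  # registry names are case-insensitive
    findings = []
    for path in REQUIRED_PATHS:
        data = by_path.get(path.upper())
        if data is None:
            findings.append(f"{path}: no Hardened UNC Paths entry")
            continue
        flags = parse_flags(data)
        for flag, want in REQUIRED_FLAGS.items():
            if flags.get(flag) != want:
                findings.append(f"{path}: {flag}={flags.get(flag, 'unset')}, expected {want}")
    return findings


if __name__ == "__main__":
    policy = read_live_policy() if sys.platform == "win32" else parse_reg_export(SAMPLE_REG_EXPORT)
    for line in audit_hardened_paths(policy) or ["Hardened UNC Paths: NETLOGON and SYSVOL compliant"]:
        print(line)
```

On a domain-joined Windows host the script reads the live key; elsewhere it runs against the constructed export, which reports SYSVOL as lacking mutual authentication. Values under `\\*\` apply to every server, so the two wildcard entries are the minimum worth checking; per-server entries for other shares can be audited the same way.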

Friday, 6 February 2015

Top threats for the Middle East in the year 2015

This is just for awareness. Drawing on my engagements in security assessments for organizations in the Middle East, I have tried to predict a list of the top five threats for the year 2015.

1. Mobile application threats: this is a new frontier for cybercrime, ranging from personal data leakage to client-side injection.

2. The cloud: account or service traffic hijacking. Although this sounds rudimentary to cloud security, the Cloud Security Alliance says it’s a serious problem. An intruder with control over a user account can eavesdrop on transactions, manipulate data, provide false and business-damaging responses to customers, and redirect customers to a competitor’s site or inappropriate sites. To conclude, this dark cloud does not have a silver lining.

3. A trend observed in past years, large-scale data theft, will continue not only in financial organizations but also in critical infrastructure. Groups like Anonymous have been pretty vocal in their views on trading oil in dollars and have been threatening the oil and gas sector for two years, primarily during the month of June. This trend is not going to stop anytime soon.

4. With vulnerabilities identified in operating systems once thought to be secure, OS command injection is not going to die down anytime soon. Attempts at it are seen almost every second day in one organization or another.

5. Cross-Site Scripting and Cross-Site Request Forgery will make a big comeback this year. Many consumer internet companies using the newer JavaScript frameworks will be affected by implementation bugs in their filters against such attacks.

| Ryan (Zeus)

Saturday, 31 January 2015

Is NMAP really the best PORT Scanner?

Nmap, aka “Network Mapper”, is a free and open source tool for network discovery and security auditing. The tool came into existence through the work of Mr. Gordon Lyon, whom we also know as “Fyodor”. I have huge respect for Mr. Fyodor for his help to the open source and security community.
Everyone in the security community who has anything to do with security testing has used this wonderful tool known as “Nmap”, but is Nmap the best port scanner available?

Recently I was engaged in a penetration testing assignment in which I was using Nmap for scanning ports, but the results I was getting from Nmap and from a free online scanner were different.
The free online scanner was giving out more results, which I could validate using different scripts from different places.
I found that Nmap is lagging behind in terms of “scripts”.
The script database hasn’t been updated for a long time.

So, the next time you are making a port scan, consider using other port scanners as well to get better results.

Wednesday, 13 August 2014

POS Malware "Back-off"

POS, or “Point of Sale”, is the place where a transaction by the consumer is made. The “place” here refers to the point where you swipe your credit card through the machine at a vendor.
“Backoff” is a recently discovered family of POS malware. The malware family has been seen in at least three separate forensic investigations. Researchers have identified three primary variants of the “Backoff” malware, which include:
These variants have been seen as far back as October 2013 and continued to operate as of July 2014. In total, the malware typically consists of the following four capabilities:
  • Scraping memory for track data
  • Logging keystrokes
  • Command & control (C2) communication
  • Injecting a malicious stub into explorer.exe
The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware scrapes memory from running processes on the victim machine, searching for track data. Keylogging functionality is also present in the most recent variants of “Backoff”. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading and executing further malware, and uninstalling the malware.

Based on compile timestamps and version information seen in the C2 HTTP POST requests, “Backoff” variants were analyzed over a seven-month period. The five variants seen in the “Backoff” malware family have notable modifications, including:

1.55 “backoff”
  • Added Local.dat temporary storage for discovered track data
  • Added keylogging functionality
  • Added “gr” POST parameter to include variant name
  • Added ability to exfiltrate keylog data
  • Supports multiple exfiltration domains
  • Changed install path
  • Changed User-Agent
1.55 “goo”
  • Attempts to remove prior version of malware
  • Uses as resolver
1.55 “MAY”
  • No significant updates other than changes to the URI and version name
1.55 “net”
  • Removed the explorer.exe injection component
1.56 “LAST”
  • Re-added the explorer.exe injection component
  • Support for multiple domain/URI/port configurations
  • Modified code responsible for creating exfiltration thread(s)
  • Added persistence techniques

The impact of a compromised POS system affects both businesses and consumers by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers and e-mail addresses to criminal elements. These breaches can damage a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or to compromise bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise, or to mitigate any damage that could be occurring now.

At the time this advisory was released, the variants of the “Backoff” malware family were largely undetected by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It’s important to maintain up-to-date AV signatures and engines, as new threats such as this are continually being added to your AV solution.
Forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory-scraping malware to the payment terminals. Information security professionals recommend a defense-in-depth approach to mitigating risk to retail payment systems. While some of the risk mitigation recommendations are general in nature, the following strategies provide an approach to minimize the possibility of an attack and mitigate the risk of data compromise.

Remote Desktop Access
  • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized login attempts, whether from an unauthorized user or via automated attacks such as brute force.[12]
  • Limit the number of users and workstations that can log in using Remote Desktop.
  • Use firewalls (both software and hardware where available) to restrict access to Remote Desktop listening ports (default is TCP 3389).[13]
  • Change the default Remote Desktop listening port.
  • Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.[14]
  • Require two-factor authentication (2FA) for Remote Desktop access.[15]
  • Install a Remote Desktop Gateway to restrict access.[16]
  • Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL.[17],[18]
  • Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate key-logger or credential dumping attacks.
  • Limit administrative privileges for users and applications.
  • Periodically review systems (local and domain controllers) for unknown and dormant users.
Network Security
  • Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound (e.g., egress) firewall rules, where a permissive configuration lets compromised hosts communicate with any IP address on the Internet. Hackers leverage this configuration to exfiltrate data to their IP addresses.
  • Segregate payment processing networks from other networks.
  • Apply access control lists (ACLs) on the router configuration to limit unauthorized traffic to payment processing networks.
  • Create strict ACLs segmenting public-facing systems and back-end database systems that house payment card data.
  • Implement data leakage prevention/detection tools to detect and help prevent data exfiltration.
  • Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials).
Cash Register and POS Security
  • Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website.
  • Install Payment Application Data Security Standard-compliant payment applications.
  • Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.
  • Assign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible.
  • Perform a binary or checksum comparison to ensure unauthorized files are not installed.
  • Ensure any automatic updates from third parties are validated. This means performing a checksum comparison on the updates prior to deploying them on POS systems. It is recommended that merchants work with their POS vendors to obtain signatures and hash values to perform this checksum validation.
  • Disable unnecessary ports and services, null sessions, default users and guests.
  • Enable logging of events and make sure there is a process to monitor logs on a daily basis.
  • Implement least privilege and ACLs on users and applications on the system.
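Two of the POS recommendations above, the binary or checksum comparison and validating vendor updates against supplied hash values, come down to the same control: a manifest of known-good SHA-256 hashes compared against what is actually on disk. The script below is an added example written for this post, not code from the advisory or from any POS vendor. It assumes a sha256sum-style manifest format (one "sha256  relative/path" line per file), and the sample application directory it checks is constructed in a temporary folder so it runs offline; build_manifest, parse_manifest, compare and demo are this example's own names.

```python
"""File-integrity check for a POS application directory.

Added example, not from the advisory quoted above. It carries out the
'binary or checksum comparison' recommendation: every file under the
application directory is hashed with SHA-256 and compared against a
manifest of known-good hashes (in practice supplied by the POS vendor, as
the advisory suggests). Files that were modified, added, or removed are
reported. The manifest format (one 'sha256  relative/path' line per file,
the sha256sum layout) is this example's assumption; the sample directory
is constructed in a temporary folder so the script runs offline.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=64 * 1024):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Hash every file below root -> {relative/posix/path: sha256}."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def parse_manifest(text):
    """Parse 'sha256  relative/path' lines; blank lines and # comments are ignored."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        manifest[rel.strip()] = digest.strip().lower()
    return manifest


def compare(expected, actual):
    """Diff a known-good manifest against what is on disk now.

    'modified'   : present in both, hash differs (tampered binary or config)
    'unexpected' : on disk but not in the manifest (dropped executable)
    'missing'    : in the manifest but gone from disk (removed component)
    """
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "unexpected": sorted(p for p in actual if p not in expected),
        "missing": sorted(p for p in expected if p not in actual),
    }


def demo():
    """Constructed scenario: baseline two vendor files, then alter one and
    drop an unknown executable beside the payment application."""
    with tempfile.TemporaryDirectory() as root:
        vendor_files = {
            "bin/pos.exe": b"vendor payment application build 4.2",
            "config/pos.ini": b"[terminal]\nid=1\n",
        }
        for rel, content in vendor_files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        # Manifest captured while the install is known-good (the vendor would ship this).
        manifest_text = "\n".join(f"{h}  {p}" for p, h in sorted(build_manifest(root).items()))
        expected = parse_manifest(manifest_text)

        # Simulated tampering after deployment.
        with open(os.path.join(root, "config", "pos.ini"), "ab") as f:
            f.write(b"debug=1\n")
        with open(os.path.join(root, "bin", "unknown.exe"), "wb") as f:
            f.write(b"not part of the vendor build")

        return compare(expected, build_manifest(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:10s} {paths}")
```

Run against a real terminal, the manifest would come from the vendor or from a baseline taken at commissioning and kept off the POS host, and the comparison would be scheduled alongside the daily log review the advisory calls for. The same parse_manifest and compare pair validates a downloaded update package before deployment: hash the package contents, compare with the vendor's published hashes, and refuse to install on any "modified" or "unexpected" entry.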