Phishing Microsoft cloud users using malicious apps and OAuth2

Weeks ago, I read a blog post by Cofense showing how bad guys can trick users into granting permissions to a malicious application to “grab all the victims’ email and access cloud hosted documents containing sensitive or confidential information“. This kind of phishing attack uses the power of OAuth2 to bypass the need of user’s credentials and second factor.

During Covid-19 lockdown lot of organizations went remote using cloud services; Microsoft 365 services are widely used and a perfect target for attackers. Because of Cofense worrying statement I decided to better understand how these attacks work, how to detect it and what information an attacker can really steal from a corporate account or a personal one.

Continue reading “Phishing Microsoft cloud users using malicious apps and OAuth2”

Configure Squid proxy for SSL/TLS inspection (HTTPS interception)

Squid proxy

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more.

Squid can be configured to make SSL/TLS inspection (aka HTTPS interception) so the proxy can decrypt proxied traffic (Squid calls this feature ssl bump).

Afaik the Squid package included in the Linux distros is not compiled with SSL/TLS inspection support but the good news is that diladele (its github repo and Websafety documentation are useful resources) provides packages for Ubuntu and Centos, recompiled (you can do by yourself) with support for HTTPS filtering and SSL/TLS inspection. This means that we have just to configure Squid. Not an easy task anyway 🙂

I provide to you a working config, follow next steps.

Continue reading “Configure Squid proxy for SSL/TLS inspection (HTTPS interception)”

#RomHack2019

Long time since last post.

#RomHack2019 attendees

I was very busy organizing the second edition of RomHack, the free cyber security conference made with ❤ by Cyber Saiyan – the non-profit organization I founded 2 years ago – that took place in Rome past 28th of September.

We had an incredible lineup with italian and international speakers coming from around the world and 400 attendees. Not just the conference; at the end of the conf 16 team played the on site Capture The Flag.

Continue reading “#RomHack2019”

Make your own phishing campaign using office macro and Powershell as simple dropper

Dave

Phishing is a common attack characterized by simplicity and effectiveness; phishing emails are used to drop malware, cryptolocker, steal credentials… and they are successfull just because Dave. I suggest reading this page to understand “the existing forms of phishing attacks and the currently available mitigations“.

Companies – hopefully – train their employees with internal phishing campaigns; in this post I show how we can build a simple office document that – once opened – sends information to an external server. We can use the document – along with Gophish or other tools – to build our own phishing campaign and test our organization exposure to phishing, teaching people and rising awareness.

Continue reading “Make your own phishing campaign using office macro and Powershell as simple dropper”

Raspberry Pi + Pi-hole: a perfect combo

Raspberry Pi 3 B+ from The Pi Hut
Raspberry Pi 3 B+ from The Pi Hut

In our SOC we use Pi-hole to block network ad-serving domains. Benefits of Pi-hole are highlited on their web site

  • Since ads are blocked before they are downloaded, your network will perform better
  • Network-level blocking allows you to block ads in non-traditional places such as mobile apps and smart TVs, regardless of hardware or OS

Pi-hole works on Linux systems and for home usage is common to install it on a Raspberry Pi device.

This is my jurney into installing Pi-hole on my Raspberry Pi. Continue reading “Raspberry Pi + Pi-hole: a perfect combo”

Enable Telegram and WhatsApp web sites behind a proxy

telegram and whatsapp
telegram and whatsapp

In this post I just show what domains you need to enable to authorize access to  telegram and whatsapp web sites behind your corporate proxy. This is useful when you need to allow – like me – just a subset of your users to access it.

Allow following Telegram domains on your proxy

  • web.telegram.org
  • vesta.web.telegram.org
  • telegram.me

Allow following WhatsApp domains on your proxy

  • web.whatsapp.com
  • dyn.web.whatsapp.com
  • w[0-9].web.whatsapp.com (from w0 to w9)
  • pps.whatsapp.net
  • mms.whatsapp.net
  • mmg-fna.whatsapp.net

MineMeld: threat intelligence automation – connect to STIX/TAXII service [5]

This post is the fifth of a series on Threat Intelligence Automation topic.
Post 1: Architecture and Hardening of MineMeld
Post 2: Foundation: write a custom prototype and SOC integration
Post 3: Export internal IoC to the community
Post 4: Search IoC events with SPLUNK

Long time since my last post. I was very busy creating Cyber Saiyan – a non-profit organization – and organizing RomHack 2018, a free cyber security event that will take place in Rome next September 22th.

On the field of threat intelligence automation and info sharing community building, the work continued too.

I’m working hard with italian community and we setup a STIX/TAXII network using a combination of open source sofware: MISP, OpenTAXII and MineMeld. We are now testing a complex consumer/producer network where companies (producers) can push IoC that, after validation, are injected into the consumer network, a TAXII service built on top of MineMeld.

Continue reading “MineMeld: threat intelligence automation – connect to STIX/TAXII service [5]”

[ITA] Ed il primo BSides Roma è andato!

Sabato 13 Gennaio 2018 sono stato relatore, insieme ad amici e colleghi bravissimi, della prima edizione del BSides Roma con un talk dal titolo “Building an Effective Info Sharing Community“.

L’evento è stato un successo: sala piena e livello dei talk notevole – a parte il mio ovviamente 🙂

Sala piena = Agostino soddisfatto
Sala piena = Agostino soddisfatto

Continue reading “[ITA] Ed il primo BSides Roma è andato!”

[ITA] Cyber Saiyan: l’inizio di un’avventura

Tutto è iniziato a Gennaio 2017 quando a Milano ho conosciuto Mario Anglani, l’organizzatore di HackInBo. Quel giorno quando Mario mi ha parlato di HackInBo, incuriosito, ho deciso di avvicinarmi a questa community inviando una mia proposta di talk per l’imminente spring edition 2017.

inizio by Marco Scandella (flickr)
inizio by Marco Scandella (flickr)

Non avevo troppe speranze a dire il vero, ma la voglia di raccontare la mia esperienza, le mie idee e confrontarmi con altre persone – fino ad allora sconosciute – era grandissima.
Il mio talk fu selezionato e per me è stata un’esperienza stupenda ed indimenticabile che mi ha permesso di conoscere tantissime persone e di condividere con loro idee, problemi e soluzioni. Un “mondo” per me sconosciuto fino ad allora – lavoravo comunque nella Security operativamente da quasi 6 anni – e che mi ha immediatamente conquistato.

In questi sei mesi sono successe tantissime cose che mi hanno convinto di tentare di restituire alla community – il famoso give back – un po’ di quello che ho “preso”. E così insieme ad altri tre amici – DavideB, DavideP e Federico – abbiamo prima di tutto deciso di costituire un’associazione di promozione sociale che abbiamo chiamato Cyber Saiyan (sito web , twitter) che “persegue la promozione di iniziative di qualsiasi genere con la finalitĂ  di divulgare tematiche relative a cyber security ed ethical hacking“.

Presto organizzeremo qui a Roma un incontro per presentare l’associazione, con l’obiettivo minimo di realizzare nel 2018 un evento di sicurezza su Roma che abbia il pieno supporto della community.

Oggi per me è un nuovo inizio e spero che nel 2018 Cyber Saiyan possa regalarci delle stupende iniziative.

merlos

[ITA] BSides Roma 2018

#BSidesRoma18
#BSidesRoma18

[4/1/2018: aggiornato indirizzo location a seguito di variazione da parte dell’organizzazione]

Il 13 Gennaio 2018 si terrĂ  a Roma, presso il Centro Congressi di via Salaria – Dipartimento di Informatica (via Salaria 113), la prima edizione del BSides Roma. Un evento organizzato dalla community e a cui avrò il piacere di contribuire in qualitĂ  di speaker.

Il tema del mio intervento è qualcosa a cui tengo molto, ovvero l’Information Sahring: “Building an Effective Info Sharing Community”.

Nel talk cercherò di ricostruire in maniera sistematica e strutturata il lavoro fatto in questi mesi e già in parte descritto qui sul blog in una serie di post.

Sono convinto che per Roma è un’occasione importante per portare un po’ di sana “ciccia” (come si dice da queste parti) sulla scena della Security romana. Da parte mia sono davvero contento di dare il mio contributo e spero che in tanti supportino questa iniziativa partecipandovi.

Qui la ricca agenda dell’evento e qui la pagina per la registrazione.