Phishing Microsoft cloud users using malicious apps and OAuth2

Weeks ago, I read a blog post by Cofense showing how bad guys can trick users into granting permissions to a malicious application to “grab all the victims’ email and access cloud hosted documents containing sensitive or confidential information“. This kind of phishing attack uses the power of OAuth2 to bypass the need of user’s credentials and second factor.

During Covid-19 lockdown lot of organizations went remote using cloud services; Microsoft 365 services are widely used and a perfect target for attackers. Because of Cofense worrying statement I decided to better understand how these attacks work, how to detect it and what information an attacker can really steal from a corporate account or a personal one.

Continue reading →

Configure Squid proxy for SSL/TLS inspection (HTTPS interception)

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more.

Squid can be configured to make SSL/TLS inspection (aka HTTPS interception) so the proxy can decrypt proxied traffic (Squid calls this feature ssl bump).

Afaik the Squid package included in the Linux distros is not compiled with SSL/TLS inspection support but the good news is that diladele (its github repo and Websafety documentation are useful resources) provides packages for Ubuntu and Centos, recompiled (you can do by yourself) with support for HTTPS filtering and SSL/TLS inspection. This means that we have just to configure Squid. Not an easy task anyway 🙂

I provide to you a working config, follow next steps.

Continue reading →

Make your own phishing campaign using office macro and Powershell as simple dropper

Phishing is a common attack characterized by simplicity and effectiveness; phishing emails are used to drop malware, cryptolocker, steal credentials… and they are successfull just because Dave. I suggest reading this page to understand “the existing forms of phishing attacks and the currently available mitigations“.

Companies – hopefully – train their employees with internal phishing campaigns; in this post I show how we can build a simple office document that – once opened – sends information to an external server. We can use the document – along with Gophish or other tools – to build our own phishing campaign and test our organization exposure to phishing, teaching people and rising awareness.

Continue reading →

MineMeld: threat intelligence automation – search received IoC events with Splunk [4]

This post is the fourth of a series on Threat Intelligence Automation topic.
Post 1: Architecture and Hardening of MineMeld
Post 2: Foundation: write a custom prototype and SOC integration
Post 3: Export internal IoC to the community
Post 5: Connect to a TAXII service

After having laid the foundations for building a community with the previous posts, it’s now time to make some advanced analysis of the received IoC.
In post 2 I integrated MineMeld output nodes into Splunk SOC near-real-time engine to automate SOC IoC access detection. This configuration strengthens the analysis and response capabilities of our SOC.

With this post I show you how to integrate MineMeld miners IoC events (update and withdraw of remote IoC) into Splunk engine so you can use Splunk search advanced features to have a deeper look into the IoC received from the miners.
This is also an important information for a SOC because if you have an IoC hit the first think to do is to understand where the IoC come from, if it was sent by more than one source etc

Searching for Cert-PA URL that containg PHP — Searching for Cert-PA URL that contain PHP

Continue reading “MineMeld: threat intelligence automation – search received IoC events with Splunk [4]” →

MineMeld: threat intelligence automation – export internal IoC to the community [3]

This post is the third of a series on Threat Intelligence Automation topic.
Post 1: Architecture and Hardening of MineMeld
Post 2: Foundation: write a custom prototype and SOC integration
Post 4: Search received IoC events with Splunk
Post 5: Connect to a TAXII service

After building the architecture and integrating the InfoSec feeds from italian CERT-PA into MineMeld and the near-real-time SOC engine, it’s time to put another brick to build an effective community: export internal IoC to the community in a standard format so authorized parties can get it and use them as they want.

The ultimate goal is to build a community that can share IoC using a standard language and a transport mechanism (STIX/TAXXI) getting data from heterogeneous sources (more integration examples in next posts) and injecting data into the community network.

So let’s start with the configuration steps. Continue reading “MineMeld: threat intelligence automation – export internal IoC to the community [3]” →

MineMeld: threat intelligence automation – foundation: write a custom prototype and SOC integration (Splunk) [2]

This post is the second of a series on Threat Intelligence Automation topic.
Post 1: Architecture and Hardening of MineMeld
Post 3: Export internal IoC to the community
Post 4: Search received IoC events with Splunk
Post 5: Connect to a TAXII service

On the first post of my threat intelligence automation jurney I wrote why I choosed MineMeld, the architecture implemented and the hardening steps. One of the goals is to connect MineMeld to heterogeneous external sources to get IoC (Indicators of Compromise) and integrate it into our i-SOC (Information Security Operation Center) near-real-time engine to get evidences of security events to be analyzed by i-SOC analysts.

In this post I show the foundation of the threat intelligence automation model: how I wrote a custom prototype to get the InfoSec feeds from italian CERT-PA (Public Administration – italian web site) and how I integrated these feeds into Splunk near-real-time engine.
I started with this integration because InfoSec has very good feeds (IP, URLs, domains) that are not just copy&paste from OSINT sources but are often updated and automatically analyzed to check that IoC are still “alive”.

This page and this page give you all the information needed to understand how MineMeld works, so RTFM before moving on 😉 Continue reading “MineMeld: threat intelligence automation – foundation: write a custom prototype and SOC integration (Splunk) [2]” →

MineMeld: threat intelligence automation – architecture and hardening [1]

This post is the first of a series on Threat Intelligence Automation topic
Post 2: Foundation: write a custom prototype and SOC integration
Post 3: Export internal IoC to the community
Post 4: Search received IoC events with Splunk
Post 5: Connect to a TAXII service

Last slide at my HackInBo talk (italian) was about how to automatically integrate threat intelligence feeds into our near-real-time Information Security Operation Center (i-SOC) SPLUNK engine to reduce the time spent by SOC security analysts on IoC (Indicators of Compromise) analysis.

At the time I was testing an open source project from PaloAlto: MineMeld. It was the right choice; after extensive tests MineMeld now help me to solve the challenges I had in the past while playing with IoC coming from various threat intelligence sources: collection automation, unduplication, aging and SOC integration.

MineMeld can also share our internal IoC to the italian infosec community we are now building from the ground. We are working hard on this and I’m really confident we will succeed (want to join? DM me on twitter or in the comments). Continue reading “MineMeld: threat intelligence automation – architecture and hardening [1]” →

[ITA] HackInBo Spring Edition 2017 – Video

Di seguito il video del mio talk “L’evoluzione del SOC di una infrastruttura critica” tenuto a Maggio 2017 ad HackInBo Spring Edition 2017 (qui le slides).

Potete trovare tutti i video di questa e delle edizioni passate nella pagina youtube di HackInBo

Mario Anglani – introduzione all’evento
Valerio Costamagna – “Making vulnerability mining better than “ALLOC[A-Z0-9_]*\s*\([^,]*,[^;]*[*+-][^>][^;]*\)\s*;””
Roberto Clapis – “Go get my/vulnerabilities: an in-depth analysis of go language runtime and the new class of vulnerabilities it introduces”
Andrea Pierini e Giuseppe Trotta – “Da APK al Golden Ticket”
Michele Spagnuolo – “So we broke all CSPs… You won’t guess what happened next!”
Andrea Draghetti – “Phishing: one shot, many victims!”
Yvette Agostini, Giovanni Ziccardi, Alessio Pennasilico – “Tavola Rotonda”

Grazie ancora a Mario, lo staff di HiB ed agli amici di Segment per il montaggio.

The WannaCry journey from a SOC point of view – internal sinkholing of killswitch servers

In the previous post I described how our Security Operation Center managed the WannaCry news.

We also made a lot of side activities in the past hours and one of these was to implement an internal sinkholing of the killswitch servers in case some clients where infected; with a working local sinkholing we where able to avoid the ransomware spreading in case of infection.

How? Let me explain.

Continue reading “The WannaCry journey from a SOC point of view – internal sinkholing of killswitch servers” →

The WannaCry journey from a SOC point of view

In the past hours a new ransomware called WannaCry (or WCry or WannaCrypt0) spread very fast on Internet and targeted a lot of public and private organizations. The ransomware make use of public exploits related to the last Shadow Brokers leak, in particular MS17-010 vulnerability that was fixed by Microsoft on March 14 (2 months ago). You can read very good tech posts here, here, here and here and I suggest you also to follow on twitter Hacker Fantastic and Malware Tech.

Here I try to summarize my approach to the news, mainly highlighting what we did in my company in the past months and how we monitored WCry from our SOC (Security Operation Center).

There was (and there is also now) a lot of hysteria, but for people like me that work in a SOC this is not an acceptable mood; you need to relax, really understand what’s happening and verify that what you did before is enough and, if not, apply emergency countermeasures. Continue reading “The WannaCry journey from a SOC point of view” →