Advisory

Multi-Factor Prompt Bombing Attacks

What Is It?
Multi-factor authentication (MFA) prompt bombing is a specific social engineering attack that bombards its victims with countless MFA push notifications. Generally, when people think of social engineering attacks, they think of suspicious emails or unexpected phone calls. However, MFA prompt bombing can be an even more effective strategy to gain access to people’s data, due to the fact it specifically uses social engineering tactics that target the human factor. Below are a few different ways these MFA prompt bombing attacks are carried out:

Send a large number of MFA prompt requests in hopes the user accepts to stop the distraction or annoyance.
Send only a small number each day in hopes a user accepts at some point. This method is stealthier and is more likely to fly under the radar as a malicious attack.
Call the user advising them they need to send an MFA prompt and they need to accept it.

The victim may ignore the first few notifications or calls, but at some point, may click accept to stop the annoyance and get back to what they were focusing on – all while not realizing what they have just done.

More and more authentication portals are adding the ability or requirement to

enable MFA notifications as a secondary form of authentication. The Center for Internet Security (CIS) Control 6 – Access Control Management requires MFA for external facing applications, remote network access, and administrative access. This attack is on the rise and will not be going away any time soon.

Recent Attacks Using This Technique
Back in March, nGuard released a Security Advisory about the Lapsus$ Crime Gang infiltrating Microsoft, Okta, and others. It turns out the group utilized this technique to gain access to these organizations. Lapsus$, in their Telegram channel said, “No limit is placed on the number of calls that can be made. Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

The image below shows a conversation from their Telegram Channel discussing how they were going to attempt this attack:

The SolarWinds breach that occurred last year that allowed APT29 (Cozy Bear), a group out of Russia, to create backdoors in 18,000 SolarWinds customer’s environments utilized this very same technique.

nGuard’s Experience with MFA Prompt Bombing
nGuard has been using this attack in our social engineering methodology for quite some time. Using these tactics, nGuard has successfully gained access to client’s VPN portals protected by MFA to obtain internal network access numerous times. nGuard has also used this attack to gain access via an organization’s single sign-on (SSO) page, giving us access to many sensitive internal applications. To protect your organization from this attack you can:

Conduct regular social engineering assessments to reinforce training.
Train employees to only accept MFA prompts when they are actively authenticating to a service.
Train employees to never give out MFA SMS codes to anyone.
Report the unsolicited MFA prompts as fraudulent.
Create alerts for anomalous events such as:
- Time of access
- Geolocation
- Large number of MFA prompts events
Draft a policy that states whether and how personal information is to be requested of employees via telephone.
Conduct employee training to raise awareness of social engineering techniques.
Train employees to identify and report suspicious requests for personal information.
Segment employee workstations from higher security zones in the internal network to reduce exposure of critical internal systems to attack from compromised workstations.

If you want to test your users’ likelihood of falling victim to such social engineering attacks, contact your Account Executive or Security Consultant for more information.

This Week in Cybersecurity (TWiC)

Over the past week there have been many hot topics in the cybersecurity world. This edition of This Week in Cybersecurity includes stories about Log4Shell continuing to pop up, a government contractor showing their ability to spy on CIA and NSA personnel, supply chain attacks becoming an increasing threat, and more. Check out the articles below for more on each story.

AWS’s Log4Shell Hot Patch Vulnerable To Container Escape and Privilege Escalation

Following Log4Shell, AWS released several hot patch solutions that monitor for vulnerable Java applications and Java containers and patch them on the fly. If you installed the hot patch to a Kubernetes cluster, every container in your cluster can now escape until you either disable the hot patch or upgrade to the fixed version. A hot patch Daemonset for Kubernetes clusters, which installs the aforementioned hot patch service on all nodes is now available. To patch Java processes inside containers, the hot patch solutions invoke certain container binaries. In Kubernetes clusters, you can install the fixed hot patch version by deploying the latest Daemonset provided by AWS. Note that only deleting the hot patch Daemonset doesn’t remove the hot patch service from your nodes. Penetration testing and vulnerability management remains a key tool to mitigate risks like this.

American Phone-Tracking Firm Demo’d Surveillance Powers By Spying On CIA and NSA

Anomaly Six, a secretive government contractor, claims to monitor the movements of billions of phones around the world and unmask spies with the press of a button. According to audiovisual recordings of an A6 presentation reviewed by The Intercept and Tech Inquiry, the firm claims that it can track roughly 3 billion devices in real time, equivalent to a fifth of the world’s population.

In a sales pitch, to fully impress upon its audience the immense power of this software, Anomaly Six did what few in the world can claim to do: spied on American spies. “I like making fun of our own people,” Clark began. Pulling up a Google Maps-like satellite view, the sales rep showed the NSA’s headquarters in Fort Meade, Maryland, and the CIA’s headquarters in Langley, Virginia. With virtual boundary boxes drawn around both, a technique known as geofencing, A6’s software revealed an incredible intelligence bounty: 183 dots representing phones that had visited both agencies potentially belonging to American intelligence personnel, with hundreds of lines streaking outward revealing their movements, ready to track throughout the world. “So, if I’m a foreign intel officer, that’s 183 start points for me now,” Clark noted. This isn’t the first time we have heard about a story like this. nGuard has covered a similar topic to this with the NSO Group and their spyware, Pegasus.

Cyber Agencies Renew Warnings Of Russia-Linked Threats Against Industrial Targets

Federal and international authorities issued urgent warnings Wednesday, April 21^st to critical infrastructure providers to take precautions against potential retaliatory cyberattacks from alleged Russian state actors and criminal cyber groups.

Experts have linked other nation state-affiliated actors like Berserk Bear to past cyber incidents against U.S. and Western European targets ranging from energy, transportation, defense contractors as well as water and wastewater system facilities.

nGuard has been helping secure critical infrastructure since 2002 and can validate your segmentation between your business and critical networks and help you stay on top of time sensitive alerts with a managed SIEM.

North Korean Crypto Hacks a Growing Threat, U.S. Warns

A trio of U.S. agencies have issued a joint advisory to warn of escalating North Korean cyberattacks on cryptocurrency and blockchain platforms. The Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the U.S. Treasury Department issued the alert Monday in the wake of a stunning $620 million crypto heist by the Pyongyang-connected Lazarus Group.

More Than Half of Initial Infections in Cyberattacks Come Via Exploits, Supply Chain Compromises

The length of time attackers remained undetected on a victim’s network decreased for the fourth year in a row, sinking to 21 days in 2021, down from 24 days in 2020, according to a new report on incident response (IR) investigations conducted by Mandiant. In general, the improvement is driven by faster detection of non-ransomware threats because more companies are working with third-party cybersecurity firms. Additionally, government agencies and security firms often notify victims of attacks, leading to faster detection.

Overall, two methods of initial compromise – exploiting vulnerabilities and attacks through the supply chain – accounted for 54% of all attacks with an identified initial infection vector in 2021, up from less than a 30% share of attacks in 2020. Companies should be tackling the primary threat this year by reviewing and assessing their Active Directory implementation for vulnerabilities or misconfigurations, understanding how to detect and prevent unusual lateral movement attempts in their environment, and implementing application whitelisting and disabling macros to significantly limit initial access attacks.

Prior to a cyberattack ever occurring, be sure to be proactive and have an incident response partner in place. An incident response retainer ensures the fastest response possible from a third party. nGuard offers its CSIR Complete service which is a full CSIR program with guaranteed service-level commitments, priority response, and ongoing proactive activities throughout the year.

6 Malware Tools Designed to Disrupt Industrial Control Systems (ICS)

A recent attempt by Russia’s infamous Sandworm threat group to disrupt operations at a Ukrainian power company has once again drawn attention to the — still somewhat limited — collection of publicly known tools designed specifically to disrupt industrial control systems. Ukraine’s computer emergency response team (CERT-UA) thwarted the attack before any damage was done. Unlike other malware, which often share commonalities in features and functions, ICS-specific malware tools have tended to be highly customized for targeted environments. Just last month, the FBI issued a Flash Alert on critical infrastructure being targeted with a ransomware strain called RagnarLocker.

FBI Secretly Removing Malware

Late last week, Attorney General Merrick Garland announced that the FBI was removing malware from computer systems around the world in an attempt to thwart Russian cyber-attacks. In March, the White House warned that Russia could be targeting critical infrastructure in the United States. The malware that is being removed from systems by the FBI is reported to allow an arm of the Russian military called the GRU to take over machines and create botnets for DDoS attacks. The GRU is Russia’s largest foreign intelligence agency responsible for handling multiple forms of military intelligence.

The Justice Department says that this strain of malware is designed to compromise externally facing firewalls and loop them into a botnet called Cyclops Blink. The botnet is controlled by a notorious group called Sandworm that has been known to work with the GRU. The DOJ warned owners of infected devices that their machines were part of this Cyclops Blink botnet, but decided that it was not worth the wait and took it upon themselves to remove the malware from infected devices.

Through secret court orders, the Justice Department and FBI were able to quietly remove this malware from infected devices across the globe. After removing the malware, the FBI also closed the management port that was being used as the attack vector. The Biden administration has been ramping up their cyber security operations since the breakout of war in Ukraine. While Ukraine has been the number 1 target of cyber attacks over the last couple months, authorities warn that critical infrastructure organizations in the United States could be next.

Performing external penetration testing and having a formal external vulnerability management program can help to thwart attacks like this. By identifying these vulnerabilities and patching them before adversaries get their hands on them, you can protect your externally facing machines from becoming a part of a worldwide botnet.

Lapsus$ Crime Gang: Hacking Microsoft, Okta, and More

Lapsus$ is a hacking group that first appeared in December of 2021 when they were extorting Brazil’s Ministry of Health. Recently they have been in the news for posting information and screenshots from internal breaches of companies like Microsoft, Nvidia, and Okta. Lapsus$ is unorthodox in their operations in that they do not operate on the dark web or on any social media platforms. Instead, Lapsus$ leverages email and a public Telegram channel which now has over 45,000 members. Lapsus$ does not attempt to hide any of their activity or cover their tracks. In fact, they have been known to join Zoom calls of organizations they have compromised and interrupt their incident response process.

With such high profile targets, it was initially thought that Lapsus$ was state-sponsored but it has been reported that their head is a multi-millionaire 16-year-old teenager in Oxford, England. Researchers tracking the group have said, “The teen is so skilled at hacking — and so fast — that researchers thought the activity they were observing was automated.” Lapsus$ has been spotted recruiting on various online platforms since November 2021. Recruiting ads offering $20,000 a week to perform SIM swapping for AT&T, Verizon, and T-Mobile customers.

Although the group has done significant damage already, the good news is London Police have arrested seven individuals, all 16 to 21 years old in connection with the hacking group.

Microsoft Breach Last week, Microsoft confirmed Lapsus$ was responsible for obtaining and leaking about 37 GB of pieces of their source code for Bing, Cortana, and over 250 Microsoft projects via access it had through a single account. Lapsus$ initially obtained access via stolen credentials which allowed privileged access and the exfiltration of data.

Microsoft has been tracking Lapsus$ for some time now, calling it DEV-0537. Microsoft’s Threat Intelligence Center stated, “… the objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”

Okta Breach

Okta, a single-sign-on identity management service that works in cloud and on-premises environments announced Lapsus$ was able to gain access to one of their employee’s laptops for five days in January. The access was originally obtained through subprocessor Sykes Enterprises which is owned by Sitel Group. Lapsus$ utilized compromised credentials to access Sykes Enterprises. It was discovered the credentials were used on VPN gateways. Once Lapsus$ had access they discovered a file on Sitel’s network called DomAdmins-LastPass-xlsx. This would indicate a file with Domain Administrator passwords from the password manager LastPass was exported and saved locally. Lapsus$ was able to pivot to Okta’s network and posted screenshots of their access.

Some screenshots from the incident response investigation were posted showing the timeline of events and activity. Activity such as searching Bing for privilege escalation tools on GitHub, disabling endpoint protection agents, and searching and downloading Mimikatz –a tool to extract and save authentication credentials and Kerberos tickets from a host — were performed during the attack.

Okta has faced a wave of criticism on their slow response to the breach after receiving the incident response report. Okta chief security officer David Bradbury said the company “should have moved more swiftly to understand its implications.” As of now, Okta has stated the breach has impacted 366 of their customers during the 5-day period of the attack.

Other Attacks

Lapsus$ has been highly active in the recent months. To read more about other attacks they have carried out on high-profile organizations click the links below.

How nGuard Pwned Your Network Video Series | Part 3 of 3

In this 3-part series we are demonstrating how nGuard most commonly gains an initial foothold on internal networks, then takes that initial access and pivots through the network to obtain full command and control over systems. If you missed parts I or II, check them out here and here.

In this third part, we are going to round out our initial compromise, show you how we can obtain full command and control over a host, and show you the results of our password cracking attempts. For this part we are going to be using PowerShell Empire. The original tool was deprecated, but later was revived and now is maintained on GitHub. The framework has multiple modules and listed on the GitHub they say, “Empire 4 is a post-exploitation framework that includes pure-PowerShell Windows agents, Python 3.x Linux/OS X agents, and C# agents. It is the merger of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.”

To set this attack up and eventually have persistent command and control of a host, which will be called agents, we need to configure the server and the client. In separate terminals we will run these commands:

powershell-empire server
powershell-empire client

Once those are started, we can now set up a listener. In this attack we will need to configure the client to use an http listener. To do this we will configure the Bind IP and host to use our local IP and choose a port to run on.

After the listener is executed, we will see our sever reflect the results:

The next thing we will want to configure is our stager, which will output the encoded PowerShell command we want to execute on our compromised host. To do this we use the http listener and input the command generate.

Now that we have our encoded PowerShell, we want to go back to our Responder and ntlmrelayx tools. We will leave Responder running in the same configuration used in Part II and only have to change our ntlmrelayx command. This time we will add the -c option to have the PowerShell command run on the host, rather than dumping the SAM hashes.

Once our connection using the ntlmrelayx tool is created and our PowerShell command executes we will receive a connection back to our local machine from a compromised host in the form of an agent.

Now that we have an agent, there are many modules and commands we can run to further exploit the compromised host. In the video demonstration below you will see examples of commands like whoami for basic information about the host and mimikatz to look for more hashed and cleartext credentials on the host.

In part I we talked about loading the hashes in our password cracker and when reviewing we can see the password hash for two users were cracked in 4 minutes and 26 seconds!

Although we were able to crack the password in a relatively short time, environments with complex password requirements may take a significant amount of time to crack or will not during the time you have on an engagement. Since this task may be time consuming or unsuccessful it is much easier and quicker to utilize the hashes and not have to rely on discovering cleartext credentials.

Check out the video below to see all these steps live in action:

IIf you have any questions about this attack or want to see if nGuard can perform attacks like this on your internal network during one of our internal penetration testing assessments please reach out to an Account Executive.

How nGuard Pwned Your Network Video Series | Part 2 of 3

In this second part, we are going to take the hashes we have intercepted from part I and build upon it. We are going to relay the hashes to other hosts on the network and see what permissions and access we have. This attack is different than another common attack called pass-the-hash (PTH). Since the hashes we have captured with our Responder tool are Net-NTLM hashes, we cannot perform the PTH attack. Instead, we relay them to discover local NTLM hashes, which we can perform the PTH attack with.

In this attack we are going to use CrackMapExec and Impacket’s ntlmrelayx Python module. CrackMapExec is a post-exploitation tool that is used in assessing Active Directory environments. This is a tool with many features, but we will only be showing the feature of generating a list with hosts that have Server Message Block (SMB) Singing disabled/not required. To do this we run the command:

crackmapexec smb <IP Range to scan> –gen-relay-list <outputFileName.txt>

This command specifies the name of the tool, the protocol we want to scan for (SMB), command to generate a list, and the name of the file where we want to output the hosts with SMB signing disabled. In the screenshot below you can see we discover two hosts with SMB singing as false (disabled).

The Impacket module ntlmrelayx.py allows us to take the Net-NTLM hashes we captured in Responder and perform SMB relay attacks on the hosts discovered with SMB signing disabled utilizing CrackMapExec. The default behavior of this module is to dump the local Security Account Manager (SAM) file which contains local NTLM hashes. These are hashes we can now perform the PTH with. The two screenshots below demonstrate how this attack is carried out.

As we obtain these hashes throughout these attacks, we will always upload them into our password cracking machine and attempt to discover the cleartext password. As demonstrated in these videos so far, there are many things we can do with hashes, but working with the cleartext is always easier.

Here is a video demonstrating this in action:

In part 3 we will take the access we have gained, use that to setup full command and control over a specific host, and view the results of the hashes being uploaded into our password cracker. If you have any questions about this attack or want to see if nGuard can perform attacks like this on your internal network during one of our internal penetration testing assessments please reach out to an Account Executive.