Defending with an attacker's mindset
Effective defence comes when you can anticipate your attackers’ moves.
End users often assume they won't be hacked: that they aren't important enough, or that their data holds no value. That simply isn't the case.
The fact is that everyone knows someone who's been hacked and stolen from; the question is whether they know it or not.
This video series is a guide to show how easy it can be for bad actors to carry out basic attacks with potentially devastating effects. By putting yourself in the mindset of an attacker you can think about how you can better defend yourself.
Quasar RAT delivered through HTML smuggling
HTML attachment attacks are increasing as more organisations move to URL rewriting, and attackers work to bypass click-time protection. Opening the attachment in a browser means it's almost indistinguishable to an end user, who may not think of links in emails and links in attachments as different things. Meanwhile, the challenges a lot of security vendors face in scanning and blocking these attachments mean too many of them reach users' inboxes.
This video helps to demonstrate how easy it can be for attackers to package intrusive malware, like a remote access trojan, into an otherwise legitimate email, and trick users into downloading and executing payloads on their behalf. The videos are designed to show you how easy it can be for even sophisticated attackers to put your organisation, or even your friends and family, at risk.
Password hash cracking with Hashcat and CUPP
The advice to use long, complex passwords is commonly given, but few people understand why it is necessary, and how easy it can be for bad actors to crack less secure passwords. To show why this advice is so important I'm going to demonstrate a couple of different tools and attacks. With Hashcat I'll show how brute-force and dictionary attacks work, and with CUPP I'll show why putting easily identifiable information about yourself in your password is a bad idea. Stick around to the end to see some tips on how you can make sure your online accounts are as secure as they can be.
QR code to Meterpreter compromise on Android phone
QR codes are everywhere. They are now so widespread, and used by so many legitimate services, that people have come to trust them, despite the fact that the data they contain cannot be interpreted by the human eye. Let's look at a potential QR code attack in action to show why you should question what you scan before opening your camera app.
Evilginx with MFA bypass
One of the most prominent attack types across enterprises today is bypassing the MFA controls most security teams have spent hours and money implementing. There are dozens of these tools available, but one of the simplest, with the lowest barrier to entry, is Evilginx. If you aren't aware, Evilginx is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which allows bad actors to bypass multifactor authentication protection.
To prove how simple it is I deployed my own instance, after following free public online tutorials, without spending a single penny. The results are staggeringly simple and incredibly destructive, as you can see from this video.
Stealing credentials stored in a Chrome browser
Stealers don't get the headlines that ransomware and BEC attacks do, but can be equally destructive if deployed on the right users' machines. If a user stores credentials to critical applications in their browser, and the application isn't using hardened MFA technology and FIDO authentication, then the data within that application may be at risk. Stealers are simply deployed tools with a minimal footprint and a singular focus on accessing local files and extracting cached passwords, and are typically available to anyone with Bitcoin or a stolen credit card.
This video shows how easy it is for an attacker to crack popular browser stores such as Google Chrome, and access passwords a user probably believes to be safely locked away. By their own admission Google don't have a good solution to this problem, and even enabling Google's on-device password encryption does not protect you from this attack today.
Credential harvesting and stuffing
Credentials are the lifeblood of cyber-attacks. Access to users' accounts opens up lots of potential attack vectors for a bad actor. They could use the account to attack people in your address book, they can understand when payments will be made to initiate BEC attacks, they can access all of the user's files and upload their own malware to cloud repositories, and they can also move laterally within a business by emailing colleagues from the genuine account, meaning the email content will likely not be fully scanned and will also be inherently trusted.
It is important that users know and understand how vulnerable they can be to this type of attack, and how easy it is to perform. This video shows how easy it can be for an attacker to take a user’s credentials and also check if the credential pair is used in other accounts, an attack known as credential stuffing. It may not be the corporate account that is initially targeted, but if a user uses the same password on their Facebook account as they do to log into your network, they may be opening up blind spots in your infrastructure.