Security Series
Defending with an Attacker's Mindset
To build effective defences, you first need to understand how attackers think, move, and operate. This series breaks down real attack techniques — and the defensive lessons they teach.
The Attack You Never See Coming: HTML Smuggling + Quasar RAT
HTML attachment attacks are increasing as more organisations move to URL rewriting and attackers work to bypass click-time protection. Opened in a browser, the attachment is almost indistinguishable from a normal web page to an end user, who may not treat links in emails and links in attachments as different things, while the difficulty many vendors have in scanning and blocking these attachments means too many of them reach users' inboxes. The video below demonstrates how easy it can be for attackers to package intrusive malware, such as a remote access trojan, into an otherwise legitimate-looking email and trick users into downloading and executing payloads on their behalf. The videos are designed to show how easy it can be for even unsophisticated attackers to put your organisation, or even your friends and family, at risk.
Password hash cracking with Hashcat and CUPP
The advice to use long, complex passwords is commonly given, but few people understand why it is necessary, or how easy it can be for bad actors to crack less secure passwords. To show why this advice is so important, I'm going to demonstrate a couple of different tools and attacks. With Hashcat I'll show how brute-force and dictionary attacks work, and with CUPP I'll show why putting easily identifiable information about yourself in your password is a bad idea. Stick around to the end for some tips on how you can make sure your online accounts are as secure as they can be.
QR code to Meterpreter compromise on Android phone
QR codes are everywhere. Because they are now so widespread and used by so many legitimate services, people have built trust in them, despite the fact that the data they contain cannot be read by the human eye. Let's look at a potential QR code attack in action to show why you should question what you scan before opening your camera app.
Credential farming - harvest and re-use
Credentials are the lifeblood of cyber-attacks. Access to a user's account opens up many potential attack vectors for a bad actor. They could use the account to attack people in the address book, learn when payments are due in order to initiate BEC attacks, access all of the user's files and upload their own malware to cloud repositories, and move laterally within a business by emailing colleagues from the genuine account, meaning the email content will likely not be fully scanned and will also be inherently trusted. It is important that users know and understand how vulnerable they can be to this type of attack, and how easy it is to perform. This video shows how easy it can be for an attacker to take a user's credentials and then check whether the same credential pair is used on other accounts, an attack known as credential stuffing. It may not be the corporate account that is initially targeted, but if a user uses the same password on their Facebook account as they do to log into your network, they may be opening up blind spots in your infrastructure.
Stealing credentials stored in a Chrome browser
Stealers don't get the headlines that ransomware and BEC attacks do, but they can be equally destructive if deployed on the right users' machines. If a user stores credentials to critical applications in their browser, and the application isn't using hardened MFA and FIDO authentication, then the data within that application may be at risk. Stealers are simple tools with a minimal footprint and a singular focus: access local files and extract cached passwords. They are typically available to anyone with Bitcoin or a stolen credit card. The video below shows how easy it is for an attacker to crack popular browser password stores such as Google Chrome's and access passwords a user probably believes to be safely locked away. By their own admission, Google don't have a good solution to this problem, and even enabling Google's on-device password encryption does not protect you from this attack today.