Great Threat Hunting Resources for Beginners

Recently, I attended Wild West Hackin’ Fest 2020 virtually, and one of the presentations was on threat hunting. I hadn’t really been exposed to threat hunting too much, so I shot some questions into Discord and got some phenomenal resources sent back to me regarding training and courses on the subject. Here are a few of those sources:

Hope you enjoy!

CyLance Smart Antivirus Bypass

Hey! I know it has been quite a while since I last posted, but this coronavirus stuff has been crazy! And aside from that, I haven’t had time to do anything crazy productive outside of my school. But a little extra time came across my hands and I found a great article written by a user called “Slaeryan” and had to post it, because I learned quite a few new things from it. In the article he talks about shellcoding, using metasploit, different attacks and how they might work, and much more. Click the link below to give it a read.

Click here

A Brief Overview of the Equifax Hack

The Equifax breach was one of the largest and most impactful breaches of recent years, and I just wanted to take a quick look at it since I discovered that lawmakers had released a PDF report detailing exactly how they were hacked.

Among other things that this report highlights, it looks at how Equifax turned down help from the DHS, and instead went to a private third-party cyber-security company. This isn’t abnormal, but having more than one party check your security, especially when it’s the DHS, can’t hurt one bit.

Above you’ll see a chart that describes how Equifax was breached. Now, the main vulnerability that was used was known, and US-CERT had warned the public about it. For some small businesses, emergency patches like this may not come up for a little while due to negligence or just not knowing the warning had been posted. But when you’re a company as big as Equifax, handling the sensitive data that they have, there is no excuse for a vulnerability to remain open that long after they were warned. Something as critical as that should have been patched straight away.

Get this though: the Apache Struts vulnerability that was used was months old. They knew about it, but just failed to fix it. Using the vulnerability, the attackers gained access to login credentials for three of their servers, and from there, using the same credentials (c’mon guys), they accessed another 48 servers. These servers contained the personal information that was affected.

From there, the attackers stole bits of data from 51 databases ever so slowly, as to not set off any red flags. This process took around 76 days. The breach wasn’t known about until July 29th, and the attackers had their access terminated on July 30th.

In more recent news, Equifax has spent over $200 million on cyber security, and has a newer CISO. The company is attempting to make sure a breach like the one they suffered never happens again. It’s never too late to dump money into cyber security for your company, but why wasn’t this done beforehand? Why weren’t the proper steps taken to ensure their critical infrastructure was secured?

The Justice Department has charged four members of the Chinese Military with the hack though, and it’s amazing that they were even able to come up with names. I, myself, am extremely interested in how they were able to track the culprits down. These attackers had access to the Social Security numbers, birth dates, and more, of about 145 million people. Of course, the Chinese Foreign Ministry is completely denying the charges.

Apparently officials have stated that these hackers covered their tracks by routing traffic through 34 servers in 20 countries to hide their location, and used encrypted channels to communicate, while wiping logs that they left behind. What I’m really looking forward to is the in-depth forensic report of how they tracked these guys down. I’ve gone through the indictment fully, and it gives away some info, but not much. Especially when it comes to how the U.S. got the server logs/records off of the Taiwanese servers that the hackers almost definitely were cleaning constantly (maybe they weren’t?).