10 Ways Credit Unions Get PWNED

Transcription

1 10 Ways Credit Unions Get PWNED NASCUS 2017 Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor.

2 Intro I am going to share with you: whoami 10 Ways CUs get PWNED Phishing and Remote Access Lateral Movement and Privilege Escalation Include mitigation strategies for each

3 whoami David Anderson Farm kid turned hacker Worked in IT for 6 years Penetration tester for 5 years Yes, I am older than 18

4 10 Ways CUs Get PWNED The same thing.over and over.

5 10 Ways CUs Get PWNED 1. Users clicking links

6 10 Ways CUs Get PWNED 2. Users clicking links

7 10 Ways CUs Get PWNED 3. Users clicking links

8 10 Ways CUs Get PWNED 4. Users clicking links

9 10 Ways CUs Get PWNED 5. Users clicking links

10 10 Ways CUs Get PWNED 6. Users clicking links

11 10 Ways CUs Get PWNED 7. Users clicking links

12 10 Ways CUs Get PWNED 8. Users clicking links

13 10 Ways CUs Get PWNED 9. Users clicking links

14 10 Ways CUs Get PWNED 10. Users opening attachments

15 QUESTIONS

16 Thank you! David Anderson, OSCP Manager, Information Security, Direct: CLAconnect.com linkedin.com/company/ cliftonlarsonallen facebook.com/ cliftonlarsonallen twitter.com/claconnect

17 Phishing and Remote Access Poor Filtering I am the king of Nigeria

18 Poor Filtering By default, many spam filters don t prevent spoofing of your own domain SPF checks typically occur on the SMTP Envelope FROM address, NOT the Message FROM address

19 Poor Filtering Connected to mail.cogentco.com (38.9.X.X). MAIL FROM: 250 OK RCPT TO: 250 Accepted SMTP Envelope DATA 354 Enter message, ending with "." on a line by itself FROM: <ElonMusk@tesla.com> TO: <david.anderson@claconnect.com> Subject: Free Tesla Car SMTP Message

20 Poor Filtering - Mitigation Configure spam filter to look at both the Envelope FROM field and Message FROM field If it contains your domain, block Implement SPF Also look into DKIM and DMARC Apply extra scrutiny to s that come from domain without a SPF record

21 PowerShell That s one powerful shell

22 PowerShell Windows scripting environment built on.net Comes pre-installed Attackers don t have to worry about AV Able to perform many different tasks that command prompt couldn t

23 PowerShell Search for systems where you have local administrator access Search for where domain administrators are logged in Can download items from a URL Can inject malicious code straight into memory

24 PowerShell - Mitigation Upgrade to PowerShell v5 Remove PowerShell v2 Enable Script Block Logging Enable Script Transcription Configure Constrained Language Mode Prevents advanced features, such as.net execution, Windows API calls, and COM access

25 OWA Attacks I can read your

26 OWA Attacks Exchange supports multiple ways to access mailbox Outlook Anywhere, MAPI, EWS These services are subject to brute force attacks Tools such as MailSniper, Metasploit Targets weak passwords (Winter2016)

27 OWA Attacks Many organizations expose OWA to the Internet without requiring 2FA With access to mailbox Find sensitive information (VPN info, PII, passwords) Impersonate employee in phishing attack Create new Outlook Rule

28

29 OWA Attacks - Mitigation Implement 2FA Be careful, not all 2FA solutions apply to all services Implement strong password policy Require passphrases Implement password filter Configure usernames differently than addresses Log and monitor Logon attempts Outlook Rules

30 Office Macros Welcome back to the 1990s

31 Office Macros Macros allow attackers to access any applications/features that are installed or available on the user s workstation Utilizing PowerShell, attackers can execute malicious code easily

32 Office Macros

33 Office Macros

34 Office Macros - Mitigation Use Group Policy to disable macros Most users don t need them Office 2016 has new GPO for documents originating from the Internet Teach users who utilize Macros the dangers of opening unknown documents Prevent users from receiving Word Docs Block Docs coming through , Websites

35 Office Macros - Mitigation

36 .HTA Payloads Thank you for choosing IE for your browser needs :)

37 .HTA Payloads HTA > HTML Applications Allows attacker to run malicious applications on end user s system Needs to be opened with Internet Explorer.HTA files get launched by trusted Microsoft application - mshta.exe

38 .HTA Payloads From Microsoft - HTAs are not subject to the same security constraints as webpages. The end result is that an HTA runs like any executable (.exe) file written in C++ or Visual Basic.

39 .HTA Payloads <script> a=new ActiveXObject("WScript.Shell"); a.run( calc.exe, 0);window.close(); </script>

40 .HTA Payloads

41 .HTA Payloads

42 .HTA Payloads - Mitigation Block mshta.exe from running on systems Web filter/content filter block.hta extension

43 Domain Fronting I dare you to block Azure/AWS/Cloudflare

44 Domain Fronting Utilizes Content Delivery Networks (CDNs) to hide malicious servers Malware delivery C2 communication There are many well known/reputable providers Microsoft Azure Amazon AWS Cloudflare

45 Domain Fronting

46 Domain Fronting Connect to awsstatic.com Legitimate AWS Domain Highly trusted --HTTP Header-- GET / HTTP/1.1 Host: <guid>.cloudfront.net

47 Domain Fronting - Mitigation This one is hard to detect/prevent Monitor web traffic through proxy Utilize SSL stripping Look for oddities over period of time Block these IP ranges if there is not business need

48 Lateral Movement and Privilege Escalation DA Hunter Hunting your admins

49 DA Hunter PowerShell scripts automating the discovery of: Computers on network Who is logged into each computer Who are the administrators Does the current user have admin rights on the target

50 DA Hunter VERBOSE: No Local Admin on OR-TIG VERBOSE: bob has local admin access on D0543 VERBOSE: bob has local admin access on D0467 VERBOSE: No Local Admin on EMS-104 VERBOSE: alice (DA) is logged in!

51 DA Hunter Win 7 through Win 10 (excluding latest update) Allows any user to enumerate logged in users We are looking for admin rights in order to compromise additional user accounts Continue the process over and over until we find a system with a DA logged in and we have local admin access on

52 DA Hunter - Mitigation Latest update to Windows 10 allows the ability to deny user enumeration through GPO/Registry Windows Version Who can query local users Can be change < Windows 10 Any domain users No Windows 10 Any domain user Yes (only registry) Windows 10 Anniversary Only local administrators Yes (registry or GPO) Network Access: Restrict clients allowed to make remote calls to SAM

53 DA Hunter - Mitigation PowerShell script NetCease.ps1 Prevents user enumeration if not an administrator Download from TechNet site Works on Win7/2008 and newer

54 Kerberoast I like my passwords medium-rare

55 Kerberoast Abuses Windows implementation of Kerberos Service accounts that utilize Kerberos authentication are stored in AD as Service Principal Names (SPNs) SQL IIS FTP NTLM password hash of service account is stored in PAC file which any authenticated user can request

56 Kerberoast Multiple free tools can extract these hashes Hash format is supported by Hashcat and JtR Example Hash: $krb5tgs$23$*hps$domain.local$mssqlsvc/sqlserv er1.domain.local~1433*$9cb4e5bcb96cb64f... Service accounts often are not changed frequently and have fairly simple passwords

57 Kerberoast - Mitigation Ensure service account passwords are: Long Complex Changed periodically Monitor logons for service accounts

58 Mimikatz Passwords for all

59 Mimikatz Tool designed to manipulate Windows credentials Extract NTLM hashes Extract clear text passwords Forge Kerberos tickets Pull AD hashes Etc. Windows manages credentials in LSASS.exe process User needs to have admin rights for most of the features to work

60 Mimikatz - Mitigation Don t give users admin rights!!! Win7/8 and Win2008/20012 KB Update to Improve Credentials Protection and Management Windows will no longer store password in clear text Win8.1 and Win2012R2 Enable LSA Protection Not bullet proof but more difficult and easier to detect

61 Password Storage You think your password is safe?

62 Password Storage We commonly look for insecure storage of passwords Spreadsheets Text files Password managers Just found Keypass password for an IT person in a text file in home directory These are easy to find, need to ensure they are properly secured

63 Password Storage - Mitigation If you use password managers MUST enable 2FA Computers that access the password database should be highly locked down Know they are not bullet proof E.g. Certificates can be easy to steal

64 QUESTIONS

65 Thank you! David Anderson, OSCP Manager, Information Security, Direct: CLAconnect.com linkedin.com/company/ cliftonlarsonallen facebook.com/ cliftonlarsonallen twitter.com/claconnect