Cracking Hashes with Cthulhu

Why Password Managers and MFA are Important in your Security Stack The subject of password strength and complexity requirements has been discussed and debated ad nauseam in the security industry. It is a subject as old as information security itself and will not be going away any time soon. We, as penetration testers, absolutely love […]


Cybercriminals Going after K-12? Yep, It’s a Thing.

Louisiana Governor John Bel Edwards has issued a state of emergency due to a malware attack against several local schools in the Sabine, Morehouse, and Ouachita Parishes, in northern Louisiana. This is the first activation of Louisiana’s emergency support function relating to cybersecurity in the state’s history, giving the state access to some much-needed assistance […]


The Industry’s First – and Only – MOBILESOC App Just Got Better

Instant triage and response to security alerts? We’ve got an app for that. We’re changing the way Security Operations Center (SOC) teams interact. Always looking to improve our best-in-class Managed Detection and Response (MDR) services, we recently redesigned our MOBILESOC app with a new, easy-to-use interface. The app contains a host of new features including […]


ManageEngine Privilege Escalation

Background: After running into ManageEngine products on a number of penetration tests we decided to take a closer look at their products and see if there were any vulnerabilities that we could take advantage of. CVE Numbers: CVE-2019-12876. Versions Tested: DesktopCentral – 10.0.380; ADSelfService Plus – 5.7; ADManager Plus – 6.6.5. DLL […]


The Threat of Systematic Cybersecurity Risk in Financial Services

It’s obvious that criminals follow the money, making financial services firms a top target for cyberattacks. Financial services firms fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries. This equates to attacks of roughly 1 billion times per year, which is nearly the equivalent of 2,000 attacks per minute or […]


Drowning in Alerts? CRITICALSTART, Microsoft Defender ATP Collaboration Will Reduce Alerts by 99%

The rapidly changing threat landscape poses numerous challenges for all enterprise organizations. Among those challenges is security infrastructures generating thousands of false-positive alerts, which can obscure legitimate threats. In response, CRITICALSTART recently announced a collaboration with Microsoft Defender ATP – a partnership that will help customers reduce alerts by 99 percent. The collaboration gives CRITICALSTART […]


The Last Watchdog Talks to CRITICALSTART About Radical Transparency

At CRITICALSTART, we’ve made the concept of “radical transparency” a cornerstone of our Managed Detection & Response (MDR) offering. Simply put, radical transparency means our customers see everything our analysts are doing 24x7x365. And we mean everything. Customers work from the exact same interface and access all consoles, audit logs, analytic rules, playbooks, and Service […]


The Rx for a Healthy Cybersecurity Strategy: A Look at CRITICALSTART Customer, Ardent Health Services

Of course, cybersecurity is a priority for businesses across all industries, but in healthcare, the urgency is on an entirely different plane. From doctors’ offices to outpatient clinics to hospitals, protecting the network – and specifically, patient data – is absolutely critical, and those charged with ensuring that protection must feel confident in the resources, […]


ManageEngine User Enumeration

Background: While conducting a penetration test of a client’s external network, I discovered a way to enumerate users in ManageEngine’s ADSelfService Plus application. This allows an attacker to determine the system Admin username. Product: ManageEngine ADSelfService Plus. Software Version: 5.7, build 5704. Issue: The login page is vulnerable to account enumeration. The admin login […]


VMware Horizon Connection Server Information Disclosure

Background: While conducting a penetration test of a client’s external network, I discovered three separate instances of information disclosure in VMware’s Horizon Access Web Portal. An unauthenticated user could access information such as internal domain names, the Connection Server’s internal hostname, or the gateway’s internal IP address. Version Tested: 4.7.0. CVE Number: CVE-2019-5513. Security Advisories […]


The Pastebin Treasure Hunter

Introduction Malicious actors have multiple ways to share data they have stolen from websites or services. Some might post to popular forums to gain notoriety while others might post anonymously to paste sites like PasteBin. Combing through all the pastes being posted is beyond the ability of humans, so I’ve created a tool that helps […]


#BalanceForBetter: International Women’s Day 2019

This year’s International Women’s Day 2019 theme is #BalanceforBetter, a direct call-to-action to drive gender parity across the world. This year’s campaign hinges on the motto “the race is on” for a gender-balanced boardroom and gender balance amongst employees and challenges everyone to “lace up your running shoes”. Cybersecurity is at the heart of protecting […]


Data is the New Source Code

The role of data in today’s business world cannot be overstated. Competitive intelligence is inextricably linked to the speed at which valuable data can be consumed and analyzed to yield important business insights. The need for the increased efficiency gleaned by these learning systems has facilitated a massive increase in spending on artificial intelligence (AI) […]


Information Disclosure in JForum 2.1.X – Syntax

Background: While conducting a penetration test for a customer, I encountered an unused developer forum using JForum version 2.1.8 and started looking for vulnerabilities within the application. Username Enumeration in JForum 2.1.8. Version Tested: 2.1.8. CVE Number: CVE-2019-7550. Security Advisories: None. Issue: When creating a new user within the application, the browser sends a […]


The Next Step of Social Engineering: Social Media Hoaxes

From Jonathan Swift’s fake almanac in 1708 to the modern Dihydrogen monoxide joke, hoaxes have been around for as long as humans have enjoyed deceiving each other for fun. The ease of communication via technology has made hoaxes and scams even more prevalent, evolving from word-of-mouth and chain email to Instagram, WhatsApp, and Facebook. Users […]


One Month Later: The Marriott Data Breach – What You Should Do

Just over a month ago, Marriott International, one of the world’s largest hotel chains, announced that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. Among the hotels under the Starwood brand are the W Hotels, St. Regis, Sheraton, Westin, and […]


Naughty or Nice: Cybercriminals’ Latest Targeting Strategies During the Holiday Season

(Please note: You should always proceed with caution before clicking on a link that you are not familiar with. We sometimes link to third-party sources as a point of reference – some of those links could contain malicious content.) Economics of Christmas: The Joy of Shopping. Retailers solicit most fervently on a handful of […]


Announcing Beta MDR Program for Windows

CRITICALSTART is the fastest growing MDR service in North America, and we are expanding our service offerings and integrations with new technologies that increase our capabilities for our customers. CRITICALSTART has partnered with Microsoft to build a strong integration between Windows Defender ATP and our ZTAP Security Orchestration Automation and Response MDR service. WDATP solution […]


Phishing Attacks Today: DRIDEX and URSNIF Are Back

On the morning of December 12th, 2018, the CRITICALSTART CYBERSOC began seeing the resurgence of a prolific phishing campaign. This campaign included malware variants such as DRIDEX and URSNIF, both common banking Trojans used in macro-based attacks. These files are observed hiding within macro-enabled documents or downloaded after the code executes, requesting the host […]


A Commitment to Getting It Right: Palo Alto Networks’ Expedition Migration Tool

Background: During a recent penetration test for a client, I came across a tool called MigrationTool from Palo Alto Networks. The tool was littered with issues, like the unauthenticated disclosure of passwords, hashes, versions, and more that were uncovered. So, what’s a SECTION8 team member to do? I quickly grabbed my screenshots and informed Palo […]


PRTG Network Monitor Privilege Escalation

Background: Recently I’ve seen a decent number of privilege escalations occurring on Windows due to permission issues and using symlinks. The work from Ryan Hanson from Atredis on the Cylance privilege escalation and Windows Standard Collector privilege escalation really inspired me to research more into this issue and potentially find some myself. After several weeks […]


Defending Layer 8

Security awareness training is broken. Read the news any day of the week and you can find articles talking about breaches, ransomware attacks, and countless records stolen, resulting in identity theft victims. Our users continue to click suspicious links, open attachments they weren’t expecting, and fall for the call to action. Attackers know that […]


Unauthenticated Command Injection Vulnerability in VMware NSX SD-WAN by VeloCloud

Exploits for network devices including routers, switches, and firewalls have been around for as long as networking has been a thing. It seems like every week a researcher discloses a new vulnerability or publishes proof of concept (PoC) code online for these types of devices, and that is exactly what is happening in this article. […]


Fall of Sudo – A Pwnage Collection

Introduction: Finding Linux servers heavily reliant on Sudo rules for daily management tasks is a common occurrence. While not necessarily bad, Sudo rules can quickly become security’s worst nightmare. Before discussing the security implications, let’s first discuss what Sudo is. Defining Sudo: What is Sudo? Sudo, which stands for “superuser do!,” is a program […]


Cryptojacking: Everyone is a Target

An evolution has occurred in the preferred attack method among hackers. With its high potential for a fast return at relatively little risk, instances of cryptojacking, the malicious use of a company’s computer resources to mine cryptocurrency, have increased 8500% in 2018 according to Symantec. While 2017 saw a rise in ransomware to be […]


Putting the NEXT in Next Generation Firewall: Tales From the Field

You’ve purchased a next-generation firewall. You understand the why, but how do you make the most of your investment? What’s next? When it comes to next-generation firewall technology, determining the best implementation methodology can be a bit daunting. You may ask yourself: What features should I enable first? How do I enable these new capabilities […]


Spectre and Meltdown: Why No One Should Implicitly Trust Hardware

Everyone should be wary of downloading, installing, or running unknown scripts or software (especially from questionable sources on the Internet or unexpected email attachments). The truth is, most of us have been conditioned to be a bit paranoid when running code on our machines, as we should be. This innate distrust of questionable or unknown […]


KRACK Attacks!

What’s the big deal? Mathy Vanhoef of imec-DistriNet, KU Leuven has discovered a serious weakness in WPA2, a protocol that secures all modern protected Wi-Fi networks. Vanhoef has released a whitepaper, a video example of an attack, created a thorough website explaining the vulnerability, and will be releasing proof of concept exploit code soon. This […]


Bluetooth Blues

The proliferation of wireless devices in the world is astounding, and one of the most widely used technologies is Bluetooth, with an estimated capable-device count north of 8 billion. Earlier this week, researchers at Armis released information on their website about an attack vector dubbed “BlueBorne”. The list of vulnerable and exploitable devices spans Android […]


Security Automation and Orchestration: An Analyst Perspective

Security Automation and Orchestration (SAO) platforms are the newest players in the security landscape, focusing on easing the burden of alert fatigue. Working as a lead in a Managed Services Security Operations Center (SOC), solutions that claim to automate actions, lower time-to-response, and minimize required headcount pique my interest. SAOs operate by implementing logical decision trees […]


The Devil’s in the Subtitles

Widespread malware affecting media players: On May 23rd, 2017, Check Point found a vulnerability in four popular media players that uses a new attack vector, malicious subtitle files, to infect computers, smartphones, and smart TVs. Once the files are downloaded, an attacker can potentially take complete control over the device. Over 200 million devices […]
