A Commitment to Getting It Right: Palo Alto Networks’ Expedition Migration Tool

November 29th, 2018 by Quentin Rhoads

Versions Tested: 1.0.106   CVE Numbers: CVE-2018-10142   Security Advisories: PAN-SA-2018-0016 –   Background: During a recent penetration test for a client, I came across a tool called MigrationTool from Palo Alto Networks. The tool was littered with issues, like the unauthenticated disclosure of passwords, hashes, versions, and more that were uncovered. So, what’s […]

Read More

Supporting Our Family: In Memory of Ricki Bateman

November 27th, 2018 by Stacie Bon

Today being the National Day of Giving, we come together to celebrate the gift of generosity and contribution. For CRITICALSTART, the day takes on special significance this year as we rally to support a member of our own family. Derek Bateman, a member of the CRITICALSTART SOC team, recently suffered the devastating loss of his […]

Read More

PRTG Network Monitor Privilege Escalation

October 3rd, 2018 by Quentin Rhoads

Versions Tested: CVE Numbers: CVE-2018-17887 Security Advisories: None Background: Recently I’ve seen a decent number of privilege escalations occurring on Windows due to permission issues and using symlinks. The work from Ryan Hanson from Atredis on the Cylance privilege escalation and Windows Standard Collector privilege escalation really inspired me to research more into this […]

Read More

Cisco Umbrella Enterprise Roaming Client and Enterprise Roaming Module Privilege Escalation Vulnerability

September 5th, 2018 by Quentin Rhoads

CVE Numbers:
CVE-2018-0437 – Cisco Umbrella ERC releases prior to 2.1.118 and Cisco Umbrella
CVE-2018-0438 – Cisco Umbrella ERC releases prior to 2.1.127

Versions Tested:
Umbrella Roaming Client 2.0.168

Read More

Defending Layer 8

August 15th, 2018 by Brendan Dalpe

Security awareness training is broken. Read the news any day of the week and you can find articles talking about breaches, ransomware attacks, and countless records stolen resulting in identity theft victims. Our users are continuing to click suspicious links, open attachments they weren’t expecting, and falling for the call to action. Attackers know that […]

Read More

CVE-2018-6961 – Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud

June 29th, 2018 by Section 8

Exploits for network devices including routers, switches, and firewalls have been around for as long as networking has been a thing. It seems like every week a researcher discloses a new vulnerability or publishes proof of concept (PoC) code online for these types of devices, and that is exactly what is happening in this article. […]

Read More

“Fall of Sudo – A Pwnage Collection”

May 21st, 2018 by Quentin Rhoads

Introduction Finding Linux servers heavily reliant on Sudo rules for daily management tasks is a common occurrence. While not necessarily bad, Sudo rules can quickly become security’s worst nightmare. Before discussing the security implications, let’s first discuss what Sudo is. Defining Sudo What is Sudo? Sudo, which stands for “super user do!,” is a program […]

Read More

Finding Enterprise Credentials in Data Breaches

May 1st, 2018 by Quentin Rhoads

In the age of the breach, it’s a safe assumption that almost every public account’s credentials have been exposed at some point. “Have I been pwned” (HIBP), is a database that contains usernames and other information about any compromise they come across.  While available for individuals to search against, certain protections have been put […]

Read More

CryptoJacking: Everyone is a Target

March 23rd, 2018 by Chris Russell

An evolution has occurred with the preferred attack method among hackers. With its high potential for a fast return with relatively little right, instances of crypto jacking, the malicious use of a companies’ compute resources to mine for cryptocurrency, have increased 8500% in 2018 according to Symantec. While 2017 saw a rise in ransomware to […]

Read More

Putting the NEXT in Next Generation Firewall: Tales From the Field

March 1st, 2018 by Chris Yates

You’ve purchased a next generation firewall. You understand the WHY, but HOW do you make the most of your investment? What’s NEXT? When it comes to Next-Generation firewall technology, determining the best implementation methodology can be a bit daunting. You may ask yourself: What features should I enable first? How do I enable these new […]

Read More

Spectre and Meltdown: Why No One Should Implicitly Trust Hardware

January 16th, 2018 by Section 8

Everyone should be wary of downloading, installing, or running unknown scripts or software (especially from questionable sources on the Internet or unexpected email attachments). The truth is, most of us have been conditioned to be a bit paranoid when running code on our machines, as we should be. This innate distrust of questionable or unknown […]

Read More

KRACK Attacks!

October 16th, 2017 by Section 8

What’s the big deal? Mathy Vanhoef of imec-DistriNet, KU Leuven has discovered a serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. Vanhoef has released a whitepaper, video example of an attack, created a thorough website explaining the vulnerability, and will be releasing proof of concept exploit code soon. Links at the end […]

Read More

Bluetooth Blues

September 15th, 2017 by Section 8

The proliferation of wireless devices in the world is astounding, and one of the most widely used are Bluetooth, at an estimated capable device count north of 8 billion. Earlier this week, researchers at Armis released information on their website about an attack vector dubbed “BlueBorne”. The list of vulnerable and exploitable devices spans Android […]

Read More

Embedding Security in a DevOps World

September 5th, 2017 by Aaron Lennon

Times are changing. The days of rigid and lengthy software development life cycles are nearly gone as we move forward into a world of agile code development and DevOps. This is great from a user perspective, as we deliver more features and improved user experience, but this brings about new challenges for security. It was […]

Read More

Security Automation and Orchestration: An Analyst Perspective

August 21st, 2017 by Troy Santana

Security Automation and Orchestration (SAO) Platforms are the newest players in the security landscape focusing on easing the burden of alert-fatigue. Working as a lead in a Managed Services Security Operations Center (SOC), solutions that claim to automate actions, lower time-to-response, and minimize required headcount peak my interest. SAOs operate by implementing logical decision trees […]

Read More

The New Ransomware that makes WannaCry Wanna Cry

June 27th, 2017 by Section 8

Today, 27 June 2017, a new malware has begun attacking networks around the world. Petya, also known as Petrwrap, is the name and encrypting your information is its game. It has shown itself to be different than other ransomware of late. This one does not encrypt files one at a time but denies user access […]

Read More

So You’ve Had an Incident?

May 31st, 2017 by Section 8

Security incidents are an unavoidable occurrence. If your security team has never observed a security incident, there is likely a hole somewhere in your monitoring and alerting process, and you’ve missed it. That said, the initial signs of a breach or security incident are rarely black and white. The most advanced threat actors can stealthily […]

Read More

The Devil’s in the Subtitles

May 23rd, 2017 by Section 8

Wide spread malware affecting media players On May 23rd, 2017, Checkpoint found a vulnerability in four popular media players that uses a new attack vector by creating malicious subtitle files to infect computers, smartphones and smart TVs. Once the files are downloaded, an attacker can potentially take complete control over the device. Over 200 million […]

Read More

WannaCry Recap

May 15th, 2017 by Section 8

Friday could not have come sooner for some last week. For the rest of us, we may have wished Friday never happened. What is now being considered the most “successful” and prolific ransomware campaign took off like a wildfire in a dry forest. We’ve all heard the name, WannaCry, hopefully it did not make anyone […]

Read More

WannaCry IOCs and Technical Details

May 12th, 2017 by Section 8

Technical Details It is currently unclear whether this payload is delivered via malicious attachment or through the WAN using the FuzzBunch EternalBlue SMB exploit. The malware behaves much like typical ransomware during execution on the victim’s machine. Below are the operations that are ran via cmd.exe: /c vssadmin delete shadows /all /quiet & wmic shadowcopy […]

Read More

WannaCry? You might.

May 12th, 2017 by Section 8

Urgent information regarding WanaCrypt/WannaCry/WCry Ransom-ware Outbreak Today, 12 May 2017, a massive ransomware outbreak has been reported across the globe. There are reports of computer systems completely locked up in Russia, Western Europe, East Asia and North America. British hospitals and a Spanish telecom company have been the largest confirmed victims thus far, along with […]

Read More

Zero Trust and Microsegmentation

May 10th, 2017 by Chris Yates

by Chris Yates | Senior Security Architect | [email protected] Adoption of Zero Trust and Micro-Segmentation as core design principles can help improve the security posture of your network and attached systems. However, it is important to understand how we got to our current state in order to understand how these principles can help us. Let’s do a quick […]

Read More

Mitigating Against the Shadow Broker Exploit Dump

April 17th, 2017 by Cory Mathews

On Friday, April 14, a group called “Shadow Brokers” released multiple exploits and tools, purported to be from the NSA, entitled “Fifth Leak: Lost in Translation”. Over the holiday weekend, the Critical Start research team and the greater InfoSec community went through and analyzed many of the tools. Affected Systems The tools are primarily comprised […]

Read More

Threat Intelligence?

April 8th, 2017 by Randy Watkins

by Randy Watkins | Director, Security Architecture | [email protected] With the uptick in Cyber Crime, security professionals are looking for methods to gain an edge.  Many security professionals are attempting to gain this edge using detection technologies like Intrusion Prevention Systems (IPS), or logging solutions like System Information and Events Monitors (SIEMs) and Endpoint Detection and […]

Read More

Hijacking the CEO’s Email Account

October 13th, 2016 by Cory Mathews

Why Security Teams Need a Second Set of Eyes During a recent penetration test, I hijacked the client’s email server, posed as the client CEO, and sent a fraudulent email to the client CFO asking the CFO to wire $10,000 USD to an offshore bank account. Interestingly, after receiving a string of actual malicious phishing […]

Read More

On the Reliance of Client Side Security

September 22nd, 2016 by Cory Mathews

I recently conducted a penetration test of a web application. Because of design decisions, I was able to bypass CAPTCHA to brute force user accounts and, ultimately, bypass file upload restrictions to upload malware onto the web server and into the internal network environment. The owner had taken a healthy view of security, had conducted […]

Read More

Picking the Right Silver Bullet

May 15th, 2016 by Randy Watkins

  With the current state of cyber security, the market has become inundated with “solutions”. When every manufacturer is selling hammers, then all problems look like a nail. Security personnel are expected to evaluate solutions, while still trying to find time for operational tasks. After the media fills executives’ minds with the latest security buzzwords, […]

Read More

What Are the Mistakes That Get Hackers Arrested?

April 29th, 2016 by Rob Davis

At Critical Start we use a concept called the Defendable Network and map organizations to SecCon levels designed to give companies a chance against threat actors of varying skill levels.  We group threat actors skill levels into: Untrained Attacker (just gets lucky) Novice Attacker Intermediate (using automated tools mostly) Advanced Expert Phineas Fisher is a Blackhat hacker and […]

Read More

Critical Start is the fastest-growing cybersecurity integrator in North America. Our mission is simple: protect our customers’ brands and reduce their business risk. We do this for organizations of all sizes through our award-winning portfolio of end-to-end security services – from security-readiness assessments using our proven framework (the Defendable Network) to the delivery of managed detection and response, incident response, professional services, and product fulfillment. Critical Start has been named to the CRN 2018 Tech Elite 250 and top 100 Security MSPs lists.