Category: blog

Breaches are a fact of life for every business. However, it is possible to stop breaches and improve your security posture by taking a proactive approach to your incident response (IR) strategy.

---

The Risk of a Cyber Security Breach Continues to Increase

Consider: A joint study by Ponemon Institute and IBM Security revealed the percentage chance of an organization to experience a data breach within two years was 29.6 percent in 2019, an increase from 27.9 percent in 2018.

Cost of a Data Breach

As the risk of a breach increases, so does the financial impact. The same study states the average cost of a breach in the U.S. is $8.19 million, more than double the worldwide average. The largest cost of a data breach is due to lost business resulting from customer attrition.

Average Time to Identify and Contain a Breach

According to the Ponemon Institute, the average time to identify and contain a breach is 279 days, representing a 4.9 percent increase over the 2018 breach lifecycle of 266 days.

Fast Incident Response Saves Money

Breaches with a lifecycle less than 200 days were on average $1.22 million less costly than breaches with a lifecycle of more than 200 days ($3.34 million vs. $4.56 million respectively), a difference of 37 percent.

In other words, your likelihood of getting hit with a breach is high and increasing steadily. The faster you identify and contain that breach, the lower your costs.

Most Businesses Aren’t Prepared for a Breach

Despite these realities, most companies – about 77% – don’t have a breach response plan.

It can be difficult to navigate a market saturated with a variety of security tools and services. Building a breach prevention and mitigation plan is daunting. Many businesses don’t know who to contact when a breach occurs, increasing the breach lifecycle and associated costs.

Improve Your Business’s Incident Response Preparedness

Accordingly, it’s more important than ever to implement proactive incident response strategies into your operation to reduce the overall impact of an incident.

What can you do to take a proactive approach to incident response?

Plan for the Inevitable

Assume that you will be breached and put plans in motion to prepare for that inevitable cyber incident. The CRITICALSTART team has found that 40% of all managed detection and response (MDR) customers in the deployment phase had already experienced a breach.

Add an IR Retainer to Your Incident Response Program

With an IR retainer, you’ll gain the benefit of partnering with a team of experts who can help perform tabletop exercises and simulations to evaluate and shorten response time.

The dwell time between finding out you’ve been breached and selecting and onboarding an IR team can cost your organization time, money, and brand reputation.

Get Proactive with CRITICALSTART’s IR Retainer

CRITICALSTART offers incident response (IR) retainers, meaning you’re always covered.

You’ll get immediate access to our TEAMARES IR cybersecurity professionals who stand ready to investigate, contain, eradicate, and remediate your breach.

Find the IR Retainer Package That’s Right for Your Business

We offer several prepaid retainer packages to meet your unique business needs. And our IR retainers are flexible – you may repurpose unused hours and apply them to other IR and cybersecurity consulting service engagements.

An IR retainer can help you:

• Respond immediately to a breach within minutes, not hours or days.
• Improve your security posture, securing funds for immediate incident response remediation.
• Save money by securing IR services now, at a lower cost, than if purchased at the time of an incident.
• Protect your assets 24/7/365 by stopping an attacker’s deep dive into your critical data.

Don’t wait for a breach – be proactive and add an IR retainer to your IR program. For details, contact us today.

Discussions about contact tracing have been ongoing since February 2020, when some experts began looking ahead at how to move through the global COVID-10 pandemic.

What Is Contact Tracing?

Contact tracing essentially comprises identifying those who have been infected with COVID-19 and notifying as many people as possible who have been in close contact with them within a 14-day window.

The goal of contact tracing is to slow the spread of the novel coronavirus to reduce its overall impact both nationally and globally. Both manual (in-person) and software-based (smartphone app) methods have been implemented.

The problem? These approaches fly in the face of the various privacy acts in the U.S., essentially putting these privacy initiatives on hold.

Inconsistency of Contact-Tracing Methods

The challenge with COVID-19 contact tracing is rather than a singular, unified approach, multiple different approaches have been developed.

Along with manual contact tracing, current technology-based solutions include (but are not limited to):

• Exposure Notifications API (co-developed by Google and Apple)
• TrackCOVID (QR code-based)
• VirusSafe

Each technological solution adopts a different approach to contact tracing. For example, some methods rely on GPS, which gathers longitude and latitude as data points, while others leverage a QR system that only tracks where you scanned. Bluetooth technologies vary depending on who implemented them.

Limitations of Manual Contact Tracing

Many states have decided to implement a manual method of hiring, or asking for volunteers, to become contact tracers. Some may argue that the manual method has worked in the past, so why argue against it now? Let’s review some of the limitations of manual contact tracing.

Minimal Educational and Training Requirements for Contact Tracers

The requirement to become a contact tracer? Surprisingly, only a high school diploma. No medical training or advanced education is required.

In addition to this, the contact tracing class is free and hosted on the site Coursera.

Too Few Contact Tracers in Major Cities

Volume is another factor limiting the effectiveness of manual contact tracers, especially in large cities.

For example, in New York City, MIT Technology Review found that a population exceeding 21 million people with more than 16,000 deaths has had fewer than 1,000 tracers in action.

How do they plan to increase those numbers to handle the potential of another surge? The answer is to spend money, which brings us to our second problem: budget.

High Cost of Hiring Contact Tracers at Scale

States such as Massachusetts have budgeted $44 million to hire contact tracers. And health leaders have asked Congress to provide $3.5 billion to help fund contact tracing. This is at a time where our economy is struggling and the lack of funding for testing is still being fought.

Limited Smart Phone Access Can Hamper Contact-Tracing Effectiveness

So why are people arguing against technology for the manual method? A common argument is that the people most affected do not have access to smartphones which would be required to make this technology work. So, I decided to do a bit of math using New York as my example.

• According to New York health officials, 1 in 5 people may have had COVID-19, which would be roughly 376,080 people using 2020 data.
• To purchase a very cheap Android or Apple smartphone under a prepaid plan that could support app-based contact tracing would cost roughly $3,760,800 using the lowest price I could find on Boost Mobile before adding money to the prepaid plan.

Additionally, the government has a program called LifeLine that offers phones to those in need. So even that can be used to outfit the high-risk individuals with a phone.

Limitations of Contact Tracing Technology

What about the technologies that have been developed around COVID-19 contact-tracing applications? So many have been developed and no one is following the exact same model.

Centralized Data Storage Poses Major Data Breach Risk

Some contact-tracing methods use centralized storage, which is the act of storing ALL data collected by users’ phones to one location.

The risks? A single point of failure and single target for malicious actors to access the data, and government discretion on how long to retain data and how they would use data.

In fact, in the U.K., officials have stated they would hold post-COVID-19 data for “research” purposes.

By contrast, a decentralized model (as adopted by Google and Apple) stores the data on each person’s phone separately. If you test positive for COVID-19, you have the ability to upload your data to a health authority’s server so others can be notified via a random identifier.

Contact Tracing App Privacy and Security Concerns

Outside of storage, what about privacy or security concerns around the use of these apps? We have already seen privacy AND security issues arise just over the last month.

One recent implementation was in South Korea, which is effectively a practice of mass surveillance under the guise of a pandemic app. Other security vulnerabilities were recently discovered in India’s contact-tracing app, Aarogya Setu.

These are not the only security and privacy breaches we will see. Each breach erodes the trust of the people, thereby reducing the effectiveness of each app.

How Google and Apple’s Exposure Notifications API Works

What about tech giants Google and Apple’s implementation of contact tracing? Each has been very upfront on their design of the Exposure Notifications API.

This API is designed to leverage Bluetooth Low Energy (BLE) wireless personal area network (WPAN) technology to randomize a unique Bluetooth identifier and exchange that number with others they may be near for a minimum of 5 minutes.

Participation Is Voluntary

In addition, this entire program is opt-in, allowing users to decide if they wish to participate. And it goes a step further. If you test positive, YOU have the ability to opt into sending your positive test proof to your health authority.

The process involves Google and Apple’s security and privacy reviews that allow the person who tested positive to enter some sort of key or scan a code, which then informs health authorities of your positive test result.

Notifications Are Anonymous

The health authorities then leverage the Exposure Notifications API to distribute your unique key to all other participants. If a match is found, that individual is notified that they may have come into contact with someone who has tested positive for COVID-19. No names, locations, or other personal information are shared.

If you decide to opt-out, Google and Apple both state in their white papers they will delete all keys from your phone.

Exposure Notifications API Phase 2 Rollout

Google and Apple have also indicated a phase 2 rollout where the contact tracing API will be on everyone’s phone, with opt-in capabilities still present. This means you can leverage their APIs without ever using a government application.

The problem with this approach is you would not be able to upload a positive test to a health authority without the health authority’s app. However, if you met someone who did, you would be notified nonetheless.

This May Be The Best (If Imperfect) Current Contact-Tracing Approach

Are these approaches perfect? Probably not. However, they are the best we have seen that take security and privacy into consideration from the start of development all the way through implementation.

In addition, both have already turned away countries such as France who have requested a centralized approach, which reveals an unwillingness to accommodate government requests.

We have seen numerous times how Apple deals with the federal government, with refusals to allow access to their customers’ phones or data.

These companies have a lot at stake when it comes to their reputation, so it would be unwise for them to abuse public trust with an application like this.

Will I Participate In Contact Tracing? Yes…With Conditions

I am often asked if I would participate in contact tracing. If the method was one I investigated and reviewed the security and privacy controls put in place, absolutely.

A technological approach is the only one that can withstand the volume while also keeping people safe. However, the weakness of this approach is that it relies on the number of people that participate AND the number of people who submit their positive statuses.

Widespread Mistrust of Contact Tracing Apps Stems from Misunderstanding

A recent poll by Axios states that most in the U.S. are against using this technology. In my opinion, this is due to the lack of understanding of what these apps do AND the wide variety of contact-tracing methods being leveraged across the country.

The government needs to be decisive about which implementation to leverage across the United States. This would allow better oversight into the security and privacy of the data. Data leaks or security breaches will erode the trust of the people, making this technology obsolete.

Do Your Homework

Investigate the contact-tracing application or method being implemented in your state to ensure privacy and security have been considered and part of the development from the beginning.

Ask for transparency from your local politicians. If using an application from developers, inquire about their privacy policies.

Finally, question who has access to the data, regardless of the method being used locally or nationally. All these questions should help you decide whether to participate.

One thing is clear: no one is safe from ransomware attacks. What is changing, however, are attack modes as threat actors adjust their methods based on evolving mitigation methods being employed.

For several years, ransomware has been viewed as a type of malware that locks or encrypts the system or data and demands a ransom payment to restore access to systems and data.  Ransomware takes an organization’s dependence on technology and tries to use it to force them into paying the ransom.  With the rise in ransomware attacks, which saw a 229% increase in reported attacks from 2017 to 2018, a number of effective mitigation strategies have emerged, thus making it less profitable for threat actors to use.

As a result, new forms of ransomware have started to emerge. Looking at them from the traditional CIA Triad, these attacks hit:

• Confidentiality of data, which includes loss of personal information like credit card details, usernames and passwords, or loss of corporate intellectual property
• Availability of data, in which hackers demand money to restore access to systems and data targets
• Integrity of data, in which hackers access and change data such as patient health records.

In the more common of these new attacks, instead of targeting availability, victims are threatened with loss of confidentiality, unless the ransom is paid.  The most high profile current example is Maze ransomware, which not only encrypts a victim’s data — as happens with all Windows ransomware — but also exfiltrates it before the encryption process begins, so that they can use it to pressure the victim to pay whatever ransom has been demanded. Another example of this that is currently being seen is Clops where the data is posted to the CL0PS site.

What does this mean? That security professionals cannot afford to neglect Integrity Ransomware attacks as they appear to be trending upwards.

In assessing threat risks, security analysts generally try to determine whether they are vulnerable to the threat, a likely target of the threat, and what damage could occur if the threat resulted in a successful attack. All three legs of the CIA Triad should be examined when performing this analysis.

Executives typically focus on preventing loss of confidentiality since these breaches typically result in fines, brand damage, loss of customer confidence due to identity theft, high remediation and credit card replacement costs, and public embarrassment.

Accordingly, some basic precautionary measures to take include:

• Make backups on a regular basis and for more than a single day. Newer ransomware groups have dwell times on your network of day and weeks before they encrypt your data. Keep the backup on a separate device and, if possible, also store it offline.
• Have a business continuity plan and test it. This plan should include who you will call on for assistance in remediation and incident response.
• Proactively decide what data to collect if you choose to remediate instead of pay the ransom. Evaluate the pros and cons of paying the ransom now that it also affects confidentiality with both legal and technical personnel. The implications for the user, organization or security professional are numerous. With this in mind, recognize that attacks are not static – they change in reaction to our mitigation strategies so that they can remain profitable to the attacker.  If this means that the attack shifts to affect a different part of the triad or adds additional legs of the triad, it will. Defense, mitigation, and recovery strategies for every type of attack need to consider how that attack could affect each leg of the triad.

As ransomware attacks continue to increase, the best defense is to plan ahead, leveraging strategies to help keep your organization ahead of hackers as they refine their attack modes.

In times like these, we all could use some good news and CyberOne‘s TEAMARES is excited to share some: we just reached top contributor status in our participation in Folding@Home’s fight against COVID-19!

As of this week, we are now in the top 0.3% of all team contributors. It would not be possible without the help of several people both within the team and outside. This is a great example of how the Information Security and Tech community can band together for a great cause.

The backstory: TEAMARES‘s in-house research team has found that our hash cracker Cthulhu can be used to run computer simulations that mimic the same complex protein folding that occurs in diseases. We’re sharing the results of our own in-house research with Folding@Home to simulate how the virus behaves – data that we hope can be used by doctors and healthcare professionals to develop potential vaccines.

Folding@Home is sending our team jobs to process on our CPU and GPU processing power, of which Cthulhu is helping. Folding@Home then takes that data to help in researching viruses.

You too can join the fight against COVID-19 – here are some ways to take action:

• Retweet for awareness and to help spread the news!
• Consider competing against CyberOne’s TEAMARES.

Or, participate in the Folding@Home project:

1. Download the Folding@Home Client at https://foldingathome.org/start-folding/
2. Use our team ID number when you first start the client (239575)
3. Have fun!

Our Team:
CyberOne’s TEAMARES is comprised of professionals with more than a decade of experience conducting offensive and defensive security services. Our team has expertise in a wide array of industries, including oil and gas, healthcare, app development firms, hospitality, technology, and more.

Follow us on Twitter @TeamAresSec to stay up to date on our progress, or via our LinkedIn and Facebook channels.

Version Tested:
3.0.0

Product:
https://www.opsramp.com/

CVE Numbers:
CVE-2020-11543

CVSS Score:
10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE:
CWE-798: Use of Hard-coded Credentials

OWASP:
https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password

Summary:
During a recent penetration test, CyberOne‘s TEAMARES researchers discovered that OpsRamp Gateway has an administrative account named vadmin that allows root SSH access to the server. This account was unknown to clients unless requested through a support process. At that time the vendor states they would provide the account to the client and request that they change the password.

Prior to the patch, this password was not unique to all clients, only to those who requested access to the account and changed the password. Cyber One is unaware of the number of clients that may have requested access and changed the password.

Technical Details:
After installing the OpsRamp Gateway server, a script called “kick-start.sh” runs, which sets up multiple user accounts and hardcodes their passwords by setting the pre-hashed passwords.

Our team was able to crack the hash for the vadmin, which can be used to SSH into the server with the password 9vt@f3Vt. Additionally, the account has the sudo permissions ALL, allowing us to easily escalate to root with sudo -i.

We then proceeded to log into client servers in production as root proving that the hashes are not unique to the install.

Timeline:
10/24/2019 – Vulnerability found
01/20/2020 – CyberOne was informed that the Vendor patched the finding
03/26/2020 – Ensured that clients were patched
03/26/2020 – CVE Requested
04/07/2020 – Released vulnerability disclosure

Credit:
Discovered by Charles Dardaman, Senior Adversarial Engineer for TEAMARES at CyberOne

Our Team:
CyberOne’s TEAMARES is comprised of professionals with more than a decade of experience conducting offensive and defensive security services. Our team has expertise in a wide array of industries, including oil and gas, healthcare, app development firms, hospitality, technology, and more.

Follow us on Twitter @TeamAresSec to stay up to date on vulnerability discoveries and cybersecurity news.

Versions Tested:
CIPAce Version < 6.80 Build 2016031401
CIPAce Version < 9.1 Build 2019092801

Product:
https://www.cipplanner.com/Products/CIPAce/Pages/CPMPlatform.aspx

Security Advisories:
N/A

CVE Numbers:

• CVE-2020-11586
• CVE-2020-11587
• CVE-2020-11588
• CVE-2020-11589
• CVE-2020-11590
• CVE-2020-11591
• CVE-2020-11592
• CVE-2020-11593
• CVE-2020-11594
• CVE-2020-11595
• CVE-2020-11596
• CVE-2020-11597
• CVE-2020-11598
• CVE-2020-11599

CyberOne‘s TEAMARES researchers have released a steady cadence of advice regarding the importance of testing your systems regularly for vulnerabilities. The following vulnerabilities uncovered during an external penetration test drives home this necessity.

While conducting an external penetration test, our team noticed something very strange: a web application called CIPAce was disclosing errors. Under normal circumstances, this wouldn’t be unusual, but the way the application was handling errors coupled with the fact that full-stack traces were shown meant that the web.config file was configured incorrectly.

Typically, a red teamer would blindly attack this application if it could not be downloaded from an open-source repository or as a trial version. However, we decided to ask our client directly for the entire application source code as it was unavailable for download anywhere. Although these types of requests are ordinarily refused, our client was more than happy to share the source code with the team.

With the source code in hand and Jet Brains dotPeak .NET decompiler downloaded, we promptly delved into the application only to find a whopping 15 zero-days! This is a great example of why providing your source code to red teamers can help us fully flush out bugs and investigate vulnerabilities that pose a greater risk.

Technical Details:
Upon receiving code for the version 6.80 Build 2016031401 of the CIPAce application, we were not aware of a newer version. However, while going through the source code and APIs, we noticed an API named GetDistributedPOP3 that returned the username and password of the SMTP user.

Figure 1: API Request obtaining SMTP Password

We quickly emailed the client to inform them of this bizarre “feature” and heard that there was a newer version available for review. This vulnerability did not exist in version 9.1 of the CIPAce application; however, we discovered this was just the tip of the iceberg.

The client provided us the source code for version 9.1 Build 2019092801. Since the first “feature” that leaked sensitive data was an API, we dug further and found a ton of other SOAP calls that leaked internal data, including hostname, folder/file paths, and database structures. The one that stood out the most was a SOAP API call that exposed all contents of the user table within the database, thus making SQL Injection unnecessary as we had everything we needed to login to the application with the highest user permissions. On a positive note, the passwords were MD5 hashed.

Figure 2: API Request Leaking Username and Password Data

Lastly, the most impactful vulnerability that we discovered during our penetration test was a neat file called “Upload.ashx”. After a quick review, our team observed that it lacked the necessary code to put it behind authentication and allowed the upload of any ASHX file to the underlying file system. With that in mind, we quickly drafted a multipart/form-data POST request to upload a web shell. At this time, the client locked down the application to only be accessible to our IP so we were not concerned about uploading a web shell that did not require authentication.

Figure 3: Uploading ASHX web shell

Figure 4: Executing commands through uploaded web shell

Additional Vulnerabilities:
These are just a few of the many vulnerabilities existing today with the following table outlining some additional vulnerabilities. It’s important to note that all of these issues are exploitable without authentication, which underscores the necessity of thoroughly reviewing applications to prevent bugs – especially applications that are marketed to government agencies and major corporations.

Timeline:
11/13/2019 – Discovered POP3 Password Disclosure Issue
11/14/2019 – Confirmed the POP3 Password Disclosure was fixed on version 9.1
11/17/2019 – Discovered other 14 0-days in application version 9.1
11/17/2019 – First communication sent to vendor / No Response
11/19/2019 – Second communication sent to vendor / No Response
11/25/2019 – Third communication sent to the vendor
11/26/2019 – Vendor responded via phone call and stated they are working with the client to get it fixed
01/23/2020 – Confirmed all but one information disclosure issue was fixed
03/19/2020 – Confirmed that the last information disclosure item was fixed
03/24/2020 – Requested CVEs

Credit:
Discovered by Quentin (paragonsec) Rhoads-Herrera, Director of Professional Services at CyberOne

Our Team:
CyberOne’s TEAMARES is comprised of professionals with more than a decade of experience conducting offensive and defensive security services. Our team has expertise in a wide array of industries, including oil and gas, healthcare, app development firms, hospitality, technology, and more.

Follow us on Twitter @TeamAresSec to stay up to date on vulnerability discoveries and cybersecurity news.

Due to current events, your organization is more than likely experiencing disruption resulting from a rush to implement remote work policies, social distancing, and other unexpected changes to business as usual.

And if you’re like many organizations, chances are you did not have remote work contingency plans in place and may be scrambling to find the right tools to ensure your security programs continue uninterrupted.

Whether you’re a VAR or managing an internal team, your red team can still function remotely with offensive security testing tools that leverage open-source technology. Remote and open-source teams can help keep security in place with no gaps.

TEAMARES‘s Director of Professional Services, Quentin Rhoads-Herrera, and partner Telesploit’s chief consultant, Wirefall, encourage you to explore the open-source version of Telesploit on GitHub.

Telesploit was designed by and for penetration testers. It creates a simple solution for performing internal penetration tests remotely. In this blog, Quentin and Wirefall share the key benefits of deploying a remote internal penetration testing solution, which includes:

• Reduced travel costs. Travel can be a significant factor in the overall cost of doing business for internal security testing. If you’re seeking to reduce expenses associated with 3rd party assessments, organizations that don’t have a remote offering will find themselves at a disadvantage.
• Increased utilization. While reducing travel time can have a positive effect on overall utilization, being able to leverage a single resource across multiple concurrent engagements significantly enhances utilization.
• Maximized onsite productivity. All initial reconnaissance can be completed prior to arrival. If a new vulnerability or unfamiliar target is identified during the discovery phase then attacks can be staged and tuned in a lab environment well in advance of deployment within the client environment. The penetration tester will be ready for exploitation on Day 1.
• Become more flexible. Leverage your resources wherever they’re located, whether it’s Boise, Boston, or Bengaluru.
• Provide new services. Open source can allow for novel approaches to penetration testing that weren’t economically feasible before, such as “low and slow” attacker simulation, blue team training, and more convenient retesting.
• Decreased employee burnout. Eliminate unnecessary travel to help keep your talent from moving on.
• Increased employee health and safety. A sound work from home policy, even under normal circumstances, can keep employees productive without exposing them to colleagues who may be sick.

Follow us at @TeamAresSec to stay up to date.

If you need help implementing remote penetration testing tools, talk to a TEAMARES team member or reach out to Telesploit at info@telesploit.com today for assistance. We want to keep you working!

Versions Tested:
Web Revision: 1.107, Board: 3.001, Firmware: 2.213

Product:
https://www.3xlogic.com/products/access-control/infinias-ethernet-enabled-integrated-door-controller-eidc

Security Advisories:
N/A

CVE Numbers:
CVE-2020-11542

CVSS Score:
N/A

CWE:
CWE-305: Authentication Bypass by Primary Weakness

NIST:
IA-4: Identifier Management

OWASP:
A2: Broken Authentication

With access to a system’s control interface, a malicious actor can unlock controls remotely, allowing them to gain physical entry to restricted areas. However, lessons learned from other breaches can help everyone better understand how to prevent unwanted access.

During an internal penetration test, our team discovered a physical access control system from Infinias on the target network. As luck would have it, the device was still configured with default credentials, which allowed us to log in and look around. After briefly browsing the manufacturer’s site and reading their documentation, it became clear that this could be an interesting target as the Infinias eIDC is a PoE-enabled door controller that allows one or more physical access control systems to be integrated into a network for ease of management. It was interesting to find a device configured to still accept default credentials. However, we did notice something else that was strange. When reviewing HTTP logs in Burp Suite, the string “CMD” was found in a number of requests. That sounded juicy, so we did what red teamers do and started chasing the white rabbit down a hole.

We discovered that the Infinias eIDC32 WebServer has an exploitable authentication bypass vulnerability due to unsecure authentication methods handled on the client-side JavaScript. This would have been more difficult to identify without a set of valid credentials, whether default or not. However, with physical access to IoT devices like these, the firmware can be pulled off and analyzed to take an even deeper dive.

Technical Details:

Greeted with the device’s web interface we were able to log in using default credentials found within their documentation.

While watching the traffic in Burp Suite, this little gem stood out immediately.

When intercepted, this is the HTTP Response to the request with valid credentials:

At this point, we decided to take a look at the source code to see how the authentication was being handled. A quick search for the string “LGI” returned the following bit of vulnerable code:

This section simply hex encodes the username/password and adds a “00” between the two encoded values. The next step was to start digging in to see the differences between valid and invalid credentials. Submitting another authentication request with invalid credentials (UN:AAAA PW:AAAA) confirmed this.

Comparing the HTTP responses of invalid and valid credentials, the difference becomes clear. The HTTP response to the successful login contains the string “<KEY>MYKEY</KEY>” in the XML body data, whereas the failed login does not.

Using Burp Suite, we intercepted the eIDC32 WebServer’s response to our login attempt using invalid credentials. From there, we added the string “<KEY>MYKEY</KEY>” to the XML body data to match the successful login response and forwarded the response.

Changing this value in the HTTP response bypasses the client-side JavaScript controls,  allowing an attacker with invalid credentials to bypass the login process of the device and access it as an administrative user.

Lessons learned
While central management of networked access control systems can be a huge convenience, it is important to ensure that the systems are configured properly, kept updated, and to disable/change any default accounts to prevent malicious activity.

Timeline:
3/20/2019 – First communication sent to the vendor
3/22/2019 – Technical Support replies saying it will be sent to the “access team” for review
3/25/2019 – Response from a second technical support employee:

“What vulnerability are you speaking of? We do get flagged on occasion for different things. To my knowledge, most or all have a workaround”

3/25/2019 – Back and forth discussing finding, submitted PDF with additional details, no response.
4/8/2019 – Still no response, I reached back out to no avail.
9/30/2019 – The client met with a rep from Stanley Security, 3XLogic’s parent company, and connected us. All info including the write-up and previous emails were sent to Stanley Security.
2/27/2020 – No response still
3/12/2020 – Submitted for CVE

Credit:
Discovered by the following Security Researchers for TEAMARES at CyberOne
Quentin Rhoads-Herrera, Director of Professional Services – @paragonsec
Cory Mathews, Offensive Security Manager – @M3chSec
Chase Dardaman, Senior Adversarial Engineer – @CharlesDardaman

New course offered at BlackHat 2020:

To help sharpen the skills of penetration testers and threat hunting teams, TEAMARES will be offering an onsite training course at BlackHat USA 2020 in “Adversary Emulation and Active Defense.”  This course will provide information security concepts utilized in both offense and defense. Attendees will learn skills that can be applied to increase capability from both sides including exploitation, circumventing defenses and lateral movement from an attacker’s perspective. The course will also cover key techniques for detection, threat hunting and mitigation to counter an attacker’s toolbox.

Follow us on Twitter @TeamAresSec to stay up to date on vulnerability discoveries and cybersecurity news.

With the daily routines of millions rapidly changing as we settle into a period of social distancing, many are looking for ways to pass the time once their reading lists have been plowed through and the Netflix binge is no longer do the trick. Why not take advantage of this downtime to learn a new skill or brush up on your knowledge with a few refresher courses?

CyberOne‘s TEAMARES has compiled a list of the best online security training course currently on the market – both free and paid. Here are some to consider:

Paid Courses:

Offensive Security:

• OSCP provides solid entry-level certification that will teach you how to think like an attacker. This is the one you need to land a job in penetration testing if you have no experience.
• OSCE is a good entry point to learning stack-based exploit development.

ElearningSecurity:

• Penetration Testing Student is a good entry point to learn the tools and techniques.
• Web Application Penetration Testing covers mostly web app basics with good labs.
• Web Application Penetration Testing Extreme is a practical online course on the most advanced web application penetration testing techniques.
• Penetration Testing Extreme focuses on social engineering/phishing, Active Directory, red teaming MSSQL Server, red teaming Exchange, red teaming WSUS.
• Mobile Application Security and Penetration Testing covers mobile app basics.

Hack the Box – Offshore & Rasta Labs

• Inexpensive lab environments – NOT courses – with hands-on practical’s that cover everything from open-source intelligence gathering to exploit development. Commonly touted as a great practice area for certification courses, such as the OSCP.

Nathan House Security Courses:

• The Complete Cybersecurity Course: Hackers Exposed covers advanced practical skill sets in defeating all online threats – advanced hackers, trackers, malware and all types of Internet nastiness, including mitigating government spying and mass surveillance with the very latest up-to-date information and methods.
• The Complete Cybersecurity Course: Network Security is an advanced practical skillset in assuring network security against all threats including – advanced hackers, trackers, exploit kits, Wi-Fi attacks and much more.
• The Complete Cybersecurity Course: Endpoint Protection offers advanced practical skill sets in securing laptops, desktops and mobile devices.
• The Complete Cybersecurity Course: Anonymous Browsing with advice on how to stay anonymous online, how to maintain privacy and how to bypass firewalls and proxies.

Free Courses:

• Azeria Labs to learn ARM32 bit exploit development.
• Ruben Boonen with a lot of great tutorials around Windows security and penetration testing.
• Corelan Team offers a series on learning exploit development.
• Malware Unicorn is a great resource on malware reverse engineering and includes a VM.
• Hack the Box has free resources along with paid that can be used to get hands-on practice.
• VulnHub contains a resource of vulnerable by-design boxes that users can practice on.
• EdX offers a series of courses ranging from intro to python programming to Linux and beyond.
• Coursera contains over 1,000 free courses that can be used to further your IT experience.
• Cybrary contains tons of free IT classes and videos.
• Google LearnDigital with Google contains many courses for learning
• Portswigger contains many free labs to practice web application penetration testing.