Written and researched by Mark Bregman and Rindert Kramer Sending signed phishing emails Every organisation, whatever its size, will encounter phishing emails sooner or later. While the number of phishing attacks is increasing every day, the way in which phishing is used within a cyber-attack has not changed: an attacker comes up with a scenario … Continue reading Your trust, our signature
Category: Uncategorized
Phishing – Ask and ye shall receive
During penetration tests, our primary goal is to identify the difference in paths that can be used to obtain the goal(s) as agreed upon with our customers. This often succeeds due to insufficient hardening, lack of awareness or poor password hygiene. Sometimes we do get access to a resource, but do not have access to … Continue reading Phishing – Ask and ye shall receive
Introducing Team Foundation Server decryption tool
During penetration tests we sometimes encounter servers running software that use sensitive information as part of the underlying process, such as Microsoft's Team Foundation Server (TFS). TFS can be used for developing code, version control and automatic deployment to target systems. This blogpost provides two tools to decrypt sensitive information that is stored in the TFS … Continue reading Introducing Team Foundation Server decryption tool
Introducing Orchestrator decryption tool
Researched and written by Donny Maasland and Rindert Kramer Introduction During penetration tests we sometimes encounter servers running software that use sensitive information as part of the underlying process, such as Microsoft's System Center Orchestrator. According to Microsoft, Orchestrator is a workflow management solution for data centers and can be used to automate the creation, … Continue reading Introducing Orchestrator decryption tool
Escalating privileges with ACLs in Active Directory
Researched and written by Rindert Kramer and Dirk-jan Mollema Introduction During internal penetration tests, it happens quite often that we manage to obtain Domain Administrative access within a few hours. Contributing to this are insufficient system hardening and the use of insecure Active Directory defaults. In such scenarios publicly available tools help in finding and exploiting these issues … Continue reading Escalating privileges with ACLs in Active Directory
Lessons learned from a Man-in-the-Middle attack
It’s become a widely accepted mantra that experiencing a cyber breach is a question of ‘when’ and not ‘if’. For Fox-IT ‘if’ became ‘when’ on Tuesday, September 19 2017, when we fell victim to a “Man-in-the-Middle” attack. As a result of the multi-layered security protection, detection and response mechanisms we had in place, the incident … Continue reading Lessons learned from a Man-in-the-Middle attack
Criminals in a festive mood
This morning the Fox-IT Security Operations Center observed a large number of phishing e-mails that contained a link to a downloadable zip file. Anyone downloading and opening that zip file would infect themselves with banking malware, that would subsequently try to lure the victim into divulging their credit card information. So far nothing new: e-mail … Continue reading Criminals in a festive mood
Fox-IT debunks report on ByLock app that landed 75,000 people in jail in Turkey
The Turkish government has been actively pursuing the prosecution of the participants of the Gülen movement in what it calls “the Fetullahist Terrorist Organization/Parallel State Structure (FETÖ/PDY)”. To this end, the Turkey’s National Intelligence Organization (Millî İstihbarat Teşkilatı or MİT in Turkish) has investigated the relation of a publicly available smart phone messaging application called … Continue reading Fox-IT debunks report on ByLock app that landed 75,000 people in jail in Turkey
FAQ about PETYA/GOLDENEYE/PETR outbreak
Revision history: 29th of June, 2017 18:00 (UTC +2) - Update 2 (current) - Added Q11 28th of June, 2017 22:00 (UTC +2) - Update 1 - Initial FAQ Q1 Is the Petya attack still in progress? A: The initial attack vector appears to have been the accounting software M.E.Doc, for which a malicious software update … Continue reading FAQ about PETYA/GOLDENEYE/PETR outbreak
Liveblog: Huge Petya ransomware wave
Revision history: Update 2 (current): 28th of June, 2017 22:45 (UTC +2) - Added Snort rule for detection purposes Update 1: 27th of June, 2017 18:04 (UTC +2) - Initial post A new variant of the Petya ransomware started to spread havoc within various companies around the world the 27th of June 2017 . The … Continue reading Liveblog: Huge Petya ransomware wave