Posts

Showing posts from 2018

Paintball at the WMCAT Hub Debut

Paintball with a purpose. That was the theme for the 6th Annual Purple Event, hosted by the West Michigan Cyber Security Consortium (WMCSC) on October 10th at the West Michigan Center for Arts and Technology (WMCAT) facility. A purple-team cyber competition is unique in that it consists of teams made up of five offensive (red) and five defensive (blue) security professionals. They work together and share skills and knowledge in order to exploit, control, and secure assets within the live fire virtual cyber city, Alphaville. The “live fire” cyber security environment simulates real-life environments such as libraries, schools, city management offices, public utility facilities, residential homes, and even networked vehicles. In this year’s event SCYTHE provided access to their attack simulation platform. The teams were free to use SCYTHE in any way they saw fit, and due to the flexibility of the tool it could be used both offensively and defe

Don’t Get Comfortable Yet - The Declining Fear of Ransomware

With the news that ransomware attacks are on the decline, in favor of crypto-mining (aka “crypto-jacking”), it is tempting to now reshuffle your enterprise’s defensive priorities based on the adversary trends. But before you retask your Blue Team to focus on researching cryptocurrency miners, let’s take a moment and remember a few key fundamental facts about ransomware, and how it is still different from, and more dangerous than, its money-mining “successor”. It might be easy to forget, but unlike the new “crypto-mining” darling of the adversarial space, ransomware actually holds your company and staff at ransom. Even though the state of ransomware “authors” seems to be at an all-time low, as some seem to have even given up on actually encrypting files before asking for ransom, the estimated cost to an organization can still be over $100,000. Remember, regardless of how popular ransomware is (or is not) to attackers,

What is SCYTHE's origin story?

When I started GRIMM, I had a vision to tackle the greatest cybersecurity challenges that face our clients, industry and the greater business and government communities. Two and a half years ago, one of those challenges was brought to the company because of our reputation. A Fortune 50 company had been breached and suffered significant damages. As a result, the IT Security team was given a significantly increased budget which they used to hire incredible talent and have their choice of any assessment/penetration testing software available. Which they did. Extensively. They found they eventually exhausted what these tools could accomplish since they were built to do what they did well, but not for scale or extensibility. So, they called us. The initial requirement was to build another one of these tools, effectively a custom implant with C2 that would be new and thus evade signature. Recognizing they had done thorough product market research (and

SCYTHE Announces $3 Million in Initial Financing Round Led by Gula Tech Adventures

Earlier today we announced that we raised $3 million in an initial funding round led by the co-founder of Tenable, Ron Gula of Gula Tech Adventures. This investment will help accelerate our ability to deliver our attack simulation platform and drive new product development. We’ve planned a roadmap of new features and innovations that will disrupt the cybersecurity industry. We’re providing organizations the ability to get ahead of threats with real metrics and tangible examples of attacks and compromises. SCYTHE is an attack simulation platform that allows organizations to build and emulate every possible combination of real-world adversarial campaign to test an organization’s security controls with granularity. Our advanced capabilities offer enterprises the ability to set up, customize, and run adversarial campaigns in a matter of minutes to validate the risk posture and exposure of business

Malicious Command Execution via bash-completion (CVE-2018-7738)

Note: This was a parallel discovery where we found the bug and later found out it already had a CVE from Tenable. See timeline for details.

I was playing around with USB stick names when I saw something odd happen. I had named a drive `ID` by accident, and when I went to umount the drive I saw:

```
$ umount /dev/s<tab>ID: command not found
```

Something had obviously gone wrong here. After trying again I realized that the command was being executed when I hit the <tab> key to bring up the list of valid devices (such as /dev/sdb1).

```
$ sed -n 44,45p /usr/share/bash-completion/completions/umount
DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )
```

After digging around in the OS I found that the umount bash-completion script is allowing drive names with `` or $() to be executed by line 44: $ sed -n 44,45p /usr/share/bash-completion/completi