Posts

Showing posts from 2018

Paintball at the WMCAT Hub Debut

Paintball with a purpose. That was the theme for the 6th Annual Purple Event, hosted by the West Michigan Cyber Security Consortium (WMCSC) on October 10th at the West Michigan Center for Arts and Technology (WMCAT) facility. A purple-team cyber competition is unique in that it consists of teams made up of five offensive (red) and five defensive (blue) security professionals. They work together and share skills and knowledge in order to exploit, control, and secure assets within the live fire virtual cyber city, Alphaville. The “live fire” cyber security environment simulates real-life environments such as libraries, schools, city management offices, public utility facilities, residential homes, and even networked vehicles.
In this year’s event, SCYTHE provided access to its attack simulation platform. The teams were free to use SCYTHE in any way they saw fit, and because of the tool’s flexibility it could be used both offensively and defensively. Th…

Don’t Get Comfortable Yet - The Declining Fear of Ransomware

With the news that ransomware attacks are on the decline in favor of crypto-mining (aka “crypto-jacking”), it is tempting to reshuffle your enterprise’s defensive priorities based on the adversary trends. But before you retask your Blue Team to focus on researching cryptocurrency miners, let’s take a moment and remember a few key fundamental facts about ransomware, and how it is still different from, and more dangerous than, its money-mining “successor”. It might be easy to forget, but unlike the new “crypto-mining” darling of the adversarial space, ransomware actually holds your company and staff to ransom. Even though the state of ransomware “authors” seems to be at an all-time low, as some seem to have even given up on actually encrypting files before asking for ransom, the estimated cost to an organization can still be over $100,000. Remember, regardless of how popular ransomware is (or is not) with attackers, these malici…

What is SCYTHE's origin story?

When I started GRIMM, I had a vision to tackle the greatest cybersecurity challenges that face our clients, industry and the greater business and government communities. Two and a half years ago, one of those challenges was brought to the company because of our reputation. A Fortune 50 company had been breached and suffered significant damages. As a result, the IT Security team was given a significantly increased budget which they used to hire incredible talent and have their choice of any assessment/penetration testing software available. Which they did. Extensively. They found they eventually exhausted what these tools could accomplish since they were built to do what they did well, but not for scale or extensibility. So, they called us. The initial requirement was to build another one of these tools, effectively a custom implant with C2 that would be new and thus evade signature. Recognizing they had done thorough product market research (and inter…

SCYTHE Announces $3 Million in Initial Financing Round Led by Gula Tech Adventures


Earlier today we announced that we raised $3 million in an initial funding round led by the co-founder of Tenable, Ron Gula of Gula Tech Adventures. This investment will help accelerate our ability to deliver our attack simulation platform and drive new product development. We’ve planned a roadmap of new features and innovations that will disrupt the cybersecurity industry. We’re providing organizations the ability to get ahead of threats with real metrics and tangible examples of attacks and compromises. SCYTHE is an attack simulation platform that allows organizations to build and emulate every possible combination of real-world adversarial campaigns to test an organization’s security controls with granularity. Our advanced capabilities offer enterprises the ability to set up, customize, and run adversarial campaigns in a matter of minutes to validate the risk posture and exposure of businesses and the…

Malicious Command Execution via bash-completion (CVE-2018-7738)

Note: This was a parallel discovery where we found the bug and later found out it already had a CVE from Tenable. See timeline for details.

I was playing around with USB stick names when I saw something odd happen. I had named a drive `ID` by accident, and when I went to umount the drive I saw:

    $ umount /dev/s<tab>
    ID: command not found

Something had obviously gone wrong here. After trying again I realized that the command was being executed when I hit the key to bring up the list of valid devices (such as /dev/sdb1).

    $ sed -n 44,45p /usr/share/bash-completion/completions/umount
    DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
    COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )

After digging around in the OS I found that the umount bash-completion script is allowing drive names with `` or $() to be executed by line 44:

    $ sed -n 44,45p /usr/share/bash-completion/completions/umount …

ALPC Task Scheduler 0-Day

On Monday (August 27, 2018) a Local Privilege Escalation (LPE) 0-day was released which reportedly affects Windows 10 and Server 2016, at a minimum. We investigated this to understand the vulnerability, the current Proof of Concept (PoC) exploit, and wanted to write it up in terms which explain the actual risk to organizations. The main things to know are these:

- This is an LPE, which means
  - It needs to be chained with other attacks to be meaningful
  - It makes a bad situation (server/end user compromise) much worse
  - It allows an unprivileged user to gain SYSTEM level access
- The attacker needs to start with code execution in a Medium integrity process
- In practical terms, it means unlocking the ability to potentially dump password hashes with tools like mimikatz, modify boot settings, gain additional persistence such as installing rootkits, and so forth
- The current PoC is just an example, as is typical with PoCs
  - Does not demonstrate the full capabilities, just one exploitat…