Password Spraying

In a statement release by Homeland Security yesterday, TA18-086A: Brute Force Attacks Conducted by Cyber Actors, they indicate that brute force attacks using a “password spraying method” is increasing. Here’s a copy:


National Cyber Awareness System:

 

TA18-086A: Brute Force Attacks Conducted by Cyber Actors

03/27/2018 06:00 PM EDT

 

Original release date: March 27, 2018

Systems Affected

Networked systems

Overview

According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad.

On February 2018, the Department of Justice in the Southern District of New York, indicted nine Iranian nationals who were associated with the Mabna Institute for computer intrusion offenses related to activity described in this report. The techniques and activity described herein, while characteristic of Mabna actors, are not limited solely to use by this group.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are releasing this Alert to provide further information on this activity.

Description

In a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in a targeted account getting locked-out, as commonly used account-lockout policies allow 3-to-5 bad attempts during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.

Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols.  An actor may target this specific protocol because federated authentication can help mask malicious traffic.  Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise.

Email applications are also a target.  In those instances, malicious actors would have the ability to utilize inbox synchronization to (1) obtain unauthorized access to the organization’s email directly from the cloud, (2) subsequently download user mail to locally stored email files, (3) identify the entire company’s email address list, and/or (4) surreptitiously implements inbox rules for the forwarding of sent and received messages.

Technical Details

Traditional tactics, techniques, and procedures (TTP’s) for conducting the password-spray attacks are as follows:

  • Use social engineering tactics to perform online research (i.e., Google search, LinkedIn, etc.) to identify target organizations and specific user accounts for initial password spray
  • Using easy-to-guess passwords (e.g., “Winter2018”, “Password123!”) and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication method
  • Leveraging the initial group of compromised accounts, download the Global Address List (GAL) from a target’s email client, and perform a larger password spray against legitimate accounts
  • Using the compromised access, malicious actors attempt to expand laterally (e.g., via Remote Desktop Protocol) within the network, and perform mass data exfiltration using File Transfer Protocol tools such as FileZilla

Indicators of a password spray attack include:

  • A massive spike in attempted logons against the enterprise SSO Portal or web-based application. Using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String). Attacks have been seen to run for over two hours
  • Employee logons from IP addresses resolving to locations inconsistent with their normal locations

Typical Victim Environment

The vast majority of known password spray victims share some of the following characteristics [1][2]:

  • Use SSO or web-based applications with federated authentication method
  • Lack multifactor authentication (MFA)
  • Allow easy-to-guess passwords (e.g., “Winter2018”, “Password123!”)
  • Use inbox synchronization allowing email to be pulled from cloud environments to remote devices
  • Allow email forwarding to be setup at the user level
  • Limited logging setup creating difficulty during post-event investigations

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

  • Temporary or permanent loss of sensitive or proprietary information
  • Disruption to regular operations
  • Financial losses incurred to restore systems and files
  • Potential harm to an organization’s reputation

Solution

Recommended Mitigations

To help deter this style of attack, the following steps should be taken:

  • Enable MFA and review MFA settings to ensure coverage over all active, internet facing protocols
  • Review password policies to ensure they align with the latest NIST guidelines and deter the use of easy-to-guess passwords
  • Review IT Helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT Helpdesk password procedures may not align to company policy, creating an exploitable security gap
  • In addition, many companies offer additional assistance and tools the can help detect and prevent password spray attacks, such as the Microsoft blog released on March 5, 2018 (link below):

https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/

Reporting Notice

The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI’s national Press Office at npo@ic.fbi.gov or (202) 324-3691.

References

ST05-12 – Supplementing Passwords

Advertisements

Heading to MuraCon

69EF409D-B9C9-4404-AE6152196A4E039D_W354_H295At CF Webtools we not only support customers that use Mura CMS but we use it ourselves on our website at cfwebtools.com.

This year CF Webtools is proud to sponsor MuraCon!

Nick Devre and myself will be attending both the “Pre-Con Content Manager’s Training” on April 4th and the conference on April 5th to the 6th.

We will have direct access to industry experts to talk to them about challenges that we have run into along with collaborating with other community professions. This will allow us to provide our customers with great support and integration for their companies.

The conference will focus on storytelling, flow and Docker (containers). Other topics include themes, CSS, JavaScript, API, Slatwall, React, Alexa, Rest, Swagger, OAuth, ColdFusion and more!

Add a comment if you’ll be there and be sure to say hi!

CF Summit 2017 – Part 2

Starting from Part 1 of my “CF Summit 2017” series I will dive into some of my conversations with Adobe and more “Application Monitoring Suite” details.

The Adobe Team

20171117_101210Let me start out by saying that I know a number of people, myself included, enjoyed having the ColdFusion engineering team on-site at the conference. I want to thank them for the long trip from India which appears to be at least a 24 hour trip one-way. I could barely stand the 3 hour cattle flight from Omaha on Southwest. Those seats were great when I was a kid half my current size – but they never seemed to take into account that American adults actually sit in those seats too!

I spent a bit of time speaking with Anit Kumar, the Technical Support Manager, who was very welcoming of what I had to say. A number of people also wanted his attention, so I also spoke a bit to Vamseekkrishna Nanneboina, the Quality Engineering Manager. Continue reading

The Grandparents Went Mobile

“My friends have an iPad, I’m going to get one this weekend.”

“My friends have an iPhone, I’m going to send my nephew to get me one this weekend.”

Those are the sentences I heard from my 80ish year-old grandmother over the past year. She’s from South Korea and survived the Korean and Vietnam wars. She’s, to this day, very smart and can list off your birthday, phone number and her doctor’s address with little thought. Give her a math problem and she’s whip the answer right back at you.

My grandfather was, in general, an engineer. He had his HVAC and plumbing master licenses and might as well of had his electrical master license. He not only owned a HVAC and plumbing supply shop on the North side of Omaha but also a computer shop that specialized in AutoCAD. His home office is a library of floppy disks and DVDs of every software you’d never use. He helped fund and setup a high school’s technology program and computerized building HVAC systems he owned on using those green terminal screens and 1200-baud modems. This was all after he retired from the Navy and civil Engineering.

But as he also hit his 80’s, now being 90, his desktops and laptops started to see the dust slowly covering them. Software and hardware started to evolve quicker than he had interest in anymore. Now his day’s consist of watching black and white western TV series.

My grandmother, on the other hand, found that should could no longer ask her husband to search the Internet for information, send emails and print off legal documents. She never really learned how to operate a Windows machine because her husband liked doing that for her so much. It was his “thing”.

Then came the iPad. She found that she could send emails, fill out online forms and do research on the Internet using this ultra portable 10″ screen. It didn’t require a cord to use; no keyboard; no mouse. It was very basic. She could push email or Safari icons and they would just work. She could even wireless print. She no longer needed her “complicated” laptop to do much of anything except write legal documents and fill in financial spreadsheets. It was perfect for her.

She now has an iPhone and loves using it to make phone calls or even send a SMS here and there. Likely because of the “bling” and “peer” factors. So then I showed her maps, camera and photos. It was exactly what she wanted. So simple.

So what’s the point of this blog post? User experience.

She uses these devices because they are not overly complicated, even though you could make them as such if you wanted to.

But let’s take a step further.

The doctor’s office has online forms to fill out. She tried filling them out using her iPad but the doctor’s office told her they didn’t receive the information they needed. She was frustrated… and I can see why.

I came over and started filling out the forms on her iPad. Even though the site worked on the iPad, it was defiantly a desktop-centric site. The form labels were hard to read as they took up multiple lines and ran into each other. The form fields were small. It was almost impossible to exit the date picker widget after I selected the date. And there were form fields that I had no idea where to get that information, yet they were required.

In today’s world if you are creating a public website you should highly consider creating a mobile-first responsive site. Take this experience. My 80ish year-old grandmother and her peers use iPads and iPhones. Not laptops and desktops. Even on a podcast the other day, the speaker was saying the funny looks his son gives him when he tries to show him his desktop setup. He’s just always on a mobile device.

In reality, I use my mobile phone for looking up quick stuff like what a medication does or the address for a auto-repair shop. I don’t own a tablet, outside of a dedicated one for my dart board. I use my work desktop and home laptop for all the “real work”.

So in conclusion, when building or maintaining a public facing website, it’s very important to be mobile friendly and responsive to serve your experience to the many generations and different devices. If you don’t they’ll just go somewhere else, or worse, call you because you’re their only option and can’t use the site you’ve invested so much money in.

Running ColdFusion 9 on Windows 10

CommandBoxLogoMost of us find it impossible to install and run Adobe ColdFusion (ACF) 9 on Windows 10. There are a select few that suspiciously find it easy to install and run on Windows 10.

One of the more popular methods is to create a Windows 7 Virtual Machine (VM) and install Windows 7 there. I’ve even done that. But what you find, particularly on Hyper-V, is that it lacks portability. I can’t reasonably send another developer my VM. #1 due to licensing issues #2 it can be huge depending upon the size you reserved for the virtual drive.

But thanks to the Ortus team, and with a little open mindness, CommandBox takes care of this issue. From the Ortus website: “CommandBox is a standalone, native tool for Windows, Mac, and Linux that will provide you with a Command Line Interface (CLI) for developer productivity, tool interaction, package management, embedded CFML server, application scaffolding, and some sweet ASCII art. It seamlessly integrates to work with any of our *Box products but it is also open for extensibility for any ColdFusion (CFML) project as it is also written in ColdFusion (CFML) using our concepts of CommandBox Commands. It tightly integrates with our contribution community; ForgeBox, so developers can share modules world-wide.”

So basically what’s going on here, in this blog entry’s context, is CommandBox will run ACF 9+, Railo 4.2 and Lucee 4.5+. This is done by running a WAR in Java against CommandBox’s own web server which still supports ACF9 integration. Technically you’re supposed install Java 1.7 for official support of ColdFusion 9. However, from what I’ve seen, it runs just fine on Java 1.8.

Here are the easy steps in Windows to get you running in less than 10 minutes:

  1. Download CommandBox at https://www.ortussolutions.com/products/commandbox#download. I suggest “With JRE Included”.
  2. Extract the contents to something like C:\CommandBox. For all other OS’s see Installation.
  3. Open a Command Prompt
  4. Go to your new directory, such as “CD C:\CommandBox”
  5. Type “box” and enter
  6. This will then initiate Box for the first time and then take you to the Box CLI.
  7. Change the directory to your first website that needs ColdFusion 9, in this example. ex: “cd \websites\cf9test”
  8. Here we will set the ColdFusion engine, version, hostname (optional) and name (optional). Run:
    server set app.cfengine=adobe@9 (this will run the latest version of ACF 9)
    server set web.host=cf9test.local (be sure to set in DNS or your hosts file to 127.0.0.1 or you will get a “Cannot assign requested address: JVM_Bind” error)
    server set name=cf9
    *
  9. Step #8 will be saved in server.json and never needs to be done again as long as that file is intact. For more configuration arguments, see Server.json.
  10. Type “start” and enter**
  11. This will download the ColdFusion 9 WAR and extract it and then initialize it. This may take a number of minutes.
  12. Once CF9 is “installed” a browser window will open up to “http://cf9test.local” or whatever you set the web.host to. If you didn’t define web.host it will open up to “http://127.0.0.1”. Either way it will use a random port number. This port number can be defined in the server.json configuration file.
  13. Append “/CFIDE/Administrator” to the URL it is using. If you accidentally closed the browser tab, look for the blue CF task icon in your task bar. Click it once and click “open browser”.
  14. The password to the ACF admin is “commandbox”
  15. Configure necessary settings such as data sources or enable J2EE session variables if needed.
  16. Then go back to your root URL and you should be up and running.

There is so much you can do with CommandBox, including https, URL rewrite and even generating CFM frameworks. See the CommandBox Manual for more.

*When setting the server name, this will allow you to keep configurations stored such a DSN in the admin. You can use a general name such as “cf9” and use it among different instances or you can use a more specific name just for that instance or a group of instances such as “mysite”. Without it, you have a chance of loosing or overwriting configurations in the CF Admin.

There is a way to script out you ColdFusion config, such as DSN’s, using CFConfig CLI. However as of this post writing, it doesn’t allow you to use ColdFusion 9. But feel free to experiment using this with other versions or later down the road.

There are a number of other ways to configure your servers as well. See Configuring your CommandBox servers on first start by Brad Wood.

**The trick to thinking here is the webroot for the website being loaded up in your browser, is the directory you run “start” in.

“Ride Sharing” Buses Thought

Buses were the original “ride share” concept. The difference is the city always owned the vehicle, it fits many more people and is regulated.

What if the city bus concept adapted to the popular ride sharing services such as Uber and Lyft?

Instead of buses following a predefined route every day, let the computers dynamically route the buses. People with smartphones could request a pickup and set a destination. They would then be routed to the nearest bus compatible and pickup efficient location that isn’t necessarily a predefined “bus stop”. In that app they would also define their drop-off point, which could change the bus that’s picking them up with a more efficient route. People without a smartphone would go to a normal bus stop and press a vandal resistant button. Once on the bus, they would select the destination using a built-in display.

Of course a lot more thinking and planning would need to be done so as each passenger is limited to a ride that is reasonable in time and fairly predictable.

But I think this could go a long way to getting more people to use public transportation, pay via a mobile app and stop routing buses to empty bus stops.

Buying AWS Unwanted EC2 Reserved Instances

You purchase a year-long EC2 Reserved Instance (RI) from Amazon Web Services (AWS). You’re now saving 30% on your sparkling EC2 instance cost!

Fast forward three months. Your project tanked and is costing you money instead of making money. You need to kill it and kill it fast.

But then you remember that one-year contract you have with AWS. <doomed>

You then remember that you can sell off your RI to a marketplace. Bank account saved – mostly.

That part is easy to research and follow the steps for success.

Now “Wannabe Joe” is looking for a deal and wants to purchase that discounted RI you’re selling off. Joe goes to the EC2 console and clicks “Reserved Instances”. He then proceeds to “Purchase Reserved Instances”.

He sees a paragraph:

Reserved Instances sold through the Reserved Instance Marketplace are identical to those sold by Amazon Web Services, except they may have different prices and terms. For more information about the Reserved Instance Marketplace, go to the Reserved Instance Marketplace web page.

He remembers about the marketplace selling unwanted instances so he clinks on the provided link. Listing, selling, fee and getting paid. All great for the seller. But how does he purchase one. Click-after-click just provides frustration.

Don’t worry Joe. You overthought the whole process.

  1. In the AWS Console Home, go to the EC2 console
  2. Press the “Reserved Instances” link on the left and then press the “Purchase Reserved Instances” button up top.
  3. Choose your platform, types, zone, term and tenancy.
  4. Press the “Search” button
  5. If there are any unwanted instances up for sale, they will be listed under the “Seller” column as “3rd Party”.
  6. Add to cart and away you go.

console_ri_purchase_1

Simple 🙂

Reference and image by: https://aws.amazon.com/blogs/aws/amazon-ec2-reserved-instance-marketplace/

#aws, #ec2, #marketplace, #reserved