Main News

Why do we need a Cyber Threat Intelligence?

Imagine a new zero-day vulnerability being exploited that could impact your organization: it has no CVE entry yet, and your scanner cannot detect it.

Imagine having many devices exposed to the internet with vulnerabilities that your vulnerability scanner does not detect.

Imagine that your employees reuse the same password on social media and in your organization. What if the social media site is breached? The password might end up on the dark web or on a data-leak sharing forum, and your organization might be compromised if you are not aware of the breach.

Imagine that a competitor was compromised, and you might be next.

Imagine that your company's confidential information was leaked on the dark web, and you need to find it.

Imagine that your employees post pictures containing confidential company information on social media such as Twitter, Facebook or LinkedIn, and you are not aware of it.

Imagine that threat actors made a copy of your website, and your employees are connecting to it without knowing.

Imagine that your employees receive a lot of phishing emails every day and are responding to them.

There are thousands more reasons we could mention, but let's stop here.

As a security expert thinking about the scenarios above, you will look for a way to detect them and to protect your organization against them.

Cyber Threat Intelligence, or CTI, exists to address such scenarios.

Before talking about Cyber Threat Intelligence, we should talk about the intelligence cycle.

Intelligence Cycle

The intelligence cycle is the set of steps used to conduct intelligence work.

The intelligence cycle is divided into the following phases:

Direction or Planning – This is the first phase and a very important one. Here you set your goals and procedures and prioritize based on the result of your asset evaluation.

Collection – This is where you gather the data needed to meet the goals set in the previous phase. You will need different tools to do so. For example: using open or private sources to find all the devices belonging to your organization that are exposed on the internet.

Processing and Analysis – After collecting the data, you must process and analyze it, which usually requires specific tooling, and then interpret it. Note that if collection, processing or analysis goes wrong, the results will not be accurate. For example: collecting a bunch of data from the dark web by searching for your company's keywords in order to find data related to your company. If the tool did not collect the data correctly, or the analysis did not meet the requirements set in the planning phase, the result will not be relevant.

Production – Once processing and analysis are done, the next step is to prepare a detailed report with recommendations. For example: the threat intelligence report about the data collected, processed and analyzed from the dark web, a vulnerability assessment report, or a report about the threat actors that may target your organization.

Dissemination – When the report is ready, the next step is to deliver it to management or the C level, as decided in the planning phase.

Some companies report to different teams. For example: the vulnerability assessment report could be sent to the vulnerability management team to verify why the vulnerability scanner did not detect the findings, which also helps measure the efficiency of the tool.

The report about leaked data could be sent to the CISO, who takes a decision based on the recommendations in the report.

Feedback – The last phase, where the report is reviewed by management or the C level, such as the CISO. If the report does not meet the company's requirements, it is criticized so it can be improved. For example: when you send a technical report to the CISO about data breached on the dark web, the CISO might not understand all the terms, as the CISO may not be a technical person. Always know who the report will be sent to and what the company requires before reporting.

Cyber threat intelligence

Cyber threat detection is the process of detecting and analyzing the different threats that can impact the organization.

Cyber threat detection without the intelligence cycle is very difficult: the volume of data on the internal network and on the internet keeps growing, and we need a proper approach to find the relevant data. That is one of the reasons both were merged into the idea of cyber threat intelligence.

Cyber Threat Intelligence is the combination of threat detection tooling and the intelligence cycle, used to detect and analyze the threats, vulnerabilities and risks that can impact an organization.

As you read at the beginning of this article, Cyber Threat Intelligence starts from scenarios like those. Thinking them through helps you find the different threats, vulnerabilities and risks that can impact your organization.

With the explanations above, we can give a general definition. Cyber Threat Intelligence is the process of planning, collecting, processing, analyzing, producing, disseminating and obtaining feedback about the threats, vulnerabilities and risks that can impact your organization, using different tools and open or private sources.

Threats, vulnerabilities and risks can be anywhere your infrastructure and data reside. It is very important to find and prioritize your assets and data; you need proper data and asset evaluation in place to achieve this.

Cyber Threat Intelligence Report

As already mentioned, the Cyber Threat Intelligence results are reported during the production phase. The report should be based on frameworks such as the Diamond Model and the Cyber Kill Chain (search for the topics to learn more). The frameworks help standardize the report and make it much easier to understand.

Cyber Threat Intelligence tools

As discussed earlier, Cyber Threat Intelligence consists of collecting and analyzing data to find the relevant data. Let's name some tools used by Cyber Threat Intelligence teams.

One of the biggest repositories of Cyber Threat Intelligence tools is OSINT Framework; the website lists the different tools used by Cyber Threat Intelligence teams. We can also cite other tools such as:

In conclusion, based on all the details explained, Cyber Threat Intelligence is very important for any organization to protect its own environment. It will help you be more proactive in protecting your organization against cyber-attacks. If you have not implemented a CTI team, now is the time to start.

Why should we use a fake email?

The most common attack vectors used by threat actors to compromise a target system are phishing and spam. A phishing attack consists of sending a malicious email to a target; once the target opens the message and clicks on a link or attachment, the threat actor can compromise the system. Many websites require registration before use; some of them may be owned by threat actors, or may keep sending you annoying advertisements. To avoid this, an appropriate solution is the use of a "fake email".

A fake email, or email generator, is a service that creates a disposable email address you can use to receive messages. A fake email helps protect your real email address from spam, phishing and third-party advertising, and it helps avoid detection during an investigation: for example, instead of using your company email to test a suspicious website, you can use a fake email.

There are many fake email services freely available on the internet.

Temp Mail - Disposable Temporary Email (temp-mail.org)

Temp Mail is a free service that receives mail at a generated address for a certain amount of time. You can use it to register on a website and get the notification or activation code in the fake mailbox. This protects your work or private email address from being disclosed to a suspicious website or from receiving advertisements you do not want.

The steps below describe the features available on Temp Mail.

Once you open the website, you see the interface with the email address generated for you.

Click the copy button to copy the generated address, submit it to the website you wish to register on, and shortly afterwards you will receive the mail confirming your registration.

When you receive the activation code, you can activate the account and log in to the website.

Be aware that the address is for temporary use only.

The second option is Fakemail.

FakeMail | Temp Mail Addresses

Once you open the website, you see the generated email address, how long it stays available, and a randomly generated password you can use on the website you want to sign up for.

A Fakemail address can be used for a maximum of 2 weeks, so if you need to log back in to a website later, this is the option to use.

The last option we will talk about is email-fake.com.

Fake Email - Disposable Temporary Email (email-fake.com)

If you want to keep using the address for a long period of time, this is the best option. You choose the email address you want to use, and the uptime period is set for it.

Click the green arrow to see the uptime for each address you choose.

Constraints related to email generators or fake email:

Email generators have limits. Some websites such as Twitter, Facebook and Instagram blacklist such email domains, so registering with a fake email will not be possible. To get around this problem, you can use a private domain and bind it to the fake email service.

A private domain is a domain that you already own, or that you own after buying it.

To bind a domain to a fake email service, once you own the domain, add a DNS mail exchange (MX) record for it that points to the service, and connect the domain to your Temp Mail account.

For more details, visit: Private domains. How to get your own Temporary Email (2021) (temp-mail.org)

As described, a fake email is a good practice that people should be aware of and use when needed. Protecting your data is becoming much harder, so the best way to stay safe is to be protected. Be aware that some fake email services could be owned by threat actors, and that anyone who knows a disposable address can often read its inbox, so never use one for anything you would mind a stranger seeing, and make sure the service is a safe one before using it.

Google Chrome zero-day vulnerability exploited in the wild

On November 22, 2022, Google's Threat Analysis Group reported the new zero-day vulnerability CVE-2022-4135.

The vulnerability is rated High. CVE-2022-4135 is a heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121. It allows a remote attacker who has already compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page; on its own it is not an initial-access bug, which is why such flaws are chained with a renderer exploit.

Google is aware that an exploit for the vulnerability exists in the wild.

Google has released the update (version 107.0.5304.121 for Mac and Linux, and version 107.0.5304.121/.122 for Windows).

How to update your Chrome:

  • Open the Chrome browser
  • Open the menu on the right side of the browser and click on Settings
  • Go to About Chrome
  • The browser will check for and start the update automatically; relaunch it when prompted so the new version is actually in use

As soon as you read this article, make sure that you update your browser.

WhatsApp brand targeted by threat actors

On November 24, 2022, a security researcher from OSINTAFRICA detected many phishing sites mimicking the WhatsApp brand.

WhatsApp is a freeware platform used to send and receive text and voice messages, make voice and video calls, and share images, documents, user locations and other content. The application is owned by the American company Meta Platforms.

The application is used by more than 2 billion users around the globe.

The threat actors behind the campaign are unknown. The domains identified were created only a few days before.

The threat actors use hosting in different locations such as the US, Singapore and Hong Kong to avoid detection, and to target users from those locations as well.

Apart from using different locations, the threat actors also put the sites behind the Cloudflare CDN to hide their origin servers and the services they use to target users.

From the details collected and analyzed, we can assume that the intention of the threat actors is to steal users' credentials and to trick users into installing malicious software that looks like WhatsApp.

Let's explain the findings in detail:

In the urlscan.io result below, the page looks quite similar to WhatsApp, and it has been classified as malicious by Google Safe Browsing. The IP address 2606:4700:3037::ac43:d2ab is located in the US and belongs to CLOUDFLARENET, US; note that a Cloudflare address tells you where the edge is, not where the attacker's server is.

We can also observe some words written in Chinese, which could indicate that the threat actors might be targeting users in China.

gotas.evoluir.sbs - urlscan.io

VirusTotal detects it as a phishing website:

VirusTotal - URL - c424a393c09b3c1007258c95aef074d555395af61bda0e02fa68a4abc8ba773b

Another example is whatssap7[.]com.

This one resolves to an IP address located in the US that belongs to TERAEXCH, US.

https://urlscan.io/result/b7490a37-9c92-4020-8cde-abedee990831/

We then used SecurityTrails to find more information about the domain, and found the following.

SecurityTrails lists two hostnames. The second one, download.whatssap7[.]com, serves downloads of the fake application for Android, Windows and Mac.

https://securitytrails.com/list/apex_domain/whatssap7.com

urlscan.io result for download.whatssap7[.]com, which offers a malicious WhatsApp package to download:

https://urlscan.io/result/ae426881-2e77-412f-a27a-8ec5b956dfa2/

Unfortunately, we could not download the file.

Our last example is the domain whatqsapp[.]com.

https://urlscan.io/result/4f6be6c4-be69-4e24-9618-08605b541c95/

Another domain hosted in the US.

From RiskIQ, we found many subdomains mimicking WhatsApp on the IP address 172.247.175.66.

It is not the first time WhatsApp has been targeted. Many users have complained in the past about losing their credentials, and phishing is the technique most used to achieve that.

This issue is quite interesting as WhatsApp is used by so many users; measures should be taken to keep users from connecting to the malicious websites.

To reduce this situation, three main pieces of advice should be followed.

Advice:

  • Use only whatsapp.com to download the application and to log in
  • Use 2FA (WhatsApp calls it two-step verification) to protect your account
  • Take down all the domains (to be done by WhatsApp's corporate team)

Domains mimicking WhatsApp

  • whatssapp8[.]com
  • whatsaaapp[.]com
  • whataswappapp[.]com
  • whatsakpp[.]com
  • whatmsapp[.]com
  • whatszaapp[.]com
  • whaxsapp[.]com
  • www[.]whatscaapp[.]com
  • www[.]whatszaapp[.]com
  • www[.]whatstaapp[.]com
  • whatscaapp[.]com
  • whatstaapp[.]com
  • whatqsapp[.]com
  • whatsaypp[.]com
  • www[.]whatmsapp[.]com
  • www[.]whatqsapp[.]com
  • www[.]whhatapp[.]com
  • whatsalpp[.]com
  • whatsabpp[.]com
  • whatskapp[.]com
  • www[.]whatsalpp[.]com
  • whatuapp[.]com
  • whlatapp[.]com
  • www[.]whatskapp[.]com
  • ww[.]whatsaypp[.]com
  • whaotapp[.]com
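The list above is defanged with "[.]", which is how analysts hand indicators around but not how a tool can consume them. The following is an added example (not part of the original post, and not from any tool it mentions) showing how a CTI team could refang such a list and flag brand lookalikes automatically: it computes the Damerau-Levenshtein distance between the registrable label and the brand name "whatsapp", skips an allowlist of legitimate apex domains, and reports everything within two edits. The input is a constructed subset of the domains above (including a doubly-bracketed variant and a defanged "hxxps://" scheme, as they appear in copy-pasted IOC lists), plus the legitimate whatsapp.com and an unrelated host; the allowlist contents and the single-label-TLD assumption are mine.

```python
import re

# Constructed input: a subset of the defanged domains listed above, written the way
# analysts paste them (including one "[[.]]" variant and one "hxxps://" scheme),
# plus the legitimate brand domain and an unrelated host the filter must let through.
DEFANGED_DOMAINS = [
    "whatssapp8[[.]]com",
    "whatsaaapp[.]com",
    "whataswappapp[.]com",
    "hxxps://www[.]whatscaapp[.]com",
    "whatqsapp[.]com",
    "whaotapp[.]com",
    "download[.]whatssap7[.]com",
    "whatsapp[.]com",   # real brand domain, must not be flagged
    "example[.]org",    # unrelated, must not be flagged
]

BRAND = "whatsapp"
ALLOWLIST = {"whatsapp.com", "whatsapp.net"}  # assumption: the brand's legitimate apex domains


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', '[[.]]', 'hxxp://') back into a plain hostname."""
    host = ioc.strip().lower()
    host = re.sub(r"\[+\.\]+", ".", host)   # '[.]' or '[[.]]' -> '.'
    host = re.sub(r"^hxxps?://", "", host)  # drop a defanged scheme
    return host.strip("./")


def registrable_label(host: str) -> str:
    """Label directly left of the TLD, e.g. 'whatqsapp' for 'www.whatqsapp.com'.
    Assumes a single-label public suffix ('.com', '.sbs'); multi-label suffixes
    such as '.co.uk' would need a public-suffix list."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and transpositions of adjacent characters all cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def find_lookalikes(defanged, brand=BRAND, max_distance=2, allowlist=ALLOWLIST):
    """Return [(hostname, distance)] for every host whose registrable label is
    within max_distance edits of the brand, skipping allowlisted apex domains."""
    hits = []
    for ioc in defanged:
        host = refang(ioc)
        apex = ".".join(host.split(".")[-2:])
        if apex in allowlist:
            continue
        distance = damerau_levenshtein(registrable_label(host), brand)
        if distance <= max_distance:
            hits.append((host, distance))
    return hits


if __name__ == "__main__":
    for host, distance in find_lookalikes(DEFANGED_DOMAINS):
        print(f"{distance}  {host}")
```

Heavier mutations such as whataswappapp sit well outside two edits (the distance can never be smaller than the difference in length), so a production check would add rules such as brand-keyword substrings or known dictionary insertions; the threshold is a tuning knob, not a guarantee.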

WORLD CUP OR THE NEW ORDER (TWO VICTORIES THAT CAN CHANGE YOUR MIND)

THE WORLD CUP is the biggest sporting competition in the world, where the best countries of the last four years from all around the world meet to compete against each other. But this World Cup is different from past World Cups, as it is also a revelation for the whole world.

Who could have imagined some years ago that Asian countries could compete with European countries in football (unless you are in the Asian mindset)? If you did not think so, guess what, you were wrong. The Asian plan was always to learn and to achieve a goal. This is what we see now: if you look at most of those countries, like China, Singapore, Vietnam, Qatar or the Emirates, Saudi Arabia, Japan, South Korea, India and many others, you can see how much effort was put in to get to this point. You can see how fast those countries are growing economically, culturally, socially, in sport, in education, etc. To understand that, you do not have to look far. Most products used worldwide (mobile phones, cars, clothes, food, etc.) are produced by those countries. If you take only China, half of the things we use and eat on a daily basis come from there.

I am not an economist, but as a football fan and OSINT lover I can make my own investigation 😊. For many years football was led by EU countries and a few other countries like Brazil and Argentina, but nowadays we see a different reality. This is due to the fact that those countries see the world differently from others; they work hard, analyze the world from different aspects and perspectives, and the result is visible. I am not saying that they are going to win the World Cup, but this is a lesson for the world. The victories of Saudi Arabia against Argentina and of Japan against Germany might be surprising for many people who do not follow those teams or the development of football in those countries, but in reality they planned everything for many years and it has started to work. With these victories, many other countries could also learn, especially those that think only one side could help them get rid of poverty or win the World Cup.

We can also explain it differently. We all know that football is based in the EU and most of the big players we see on TV play in the EU, so people do not know the players from those countries, which makes the situation more difficult for EU players against those teams. If you take the African teams, it is still difficult for them to compete against EU countries; the reason is simple: most of their players play in the EU, so the way they play does not change. The players know each other, and EU countries have better teams, so it is difficult to beat them.

This can explain a lot about the way the world is going and will be in the future. We can see how the development of the world is changing in reality. The development of football can reflect the development of the economy, mentality, vision, education and society of a country.

The key here is work based on self-assessment and self-determined decision making. As people say in French, Paris was not built in a day. Let's plan and work hard. Your time will come.

I hope that other countries, such as African countries, will take it as a lesson, not only as a football game, to develop their economy, culture, sport, society, education, etc.

Good luck!

Trackology over the internet: a matter for everyone

Trackology is the science of tracking people's information over the internet.

The information tracked can be gender, political opinion, sexual orientation, habits, interests, general opinion about an individual, or religion.

Once the information is tracked, it is collected, analyzed, processed, aggregated and sold to third parties or used for other interests.

Most websites use cookies to track visitors, but other technologies such as account tracking, browser fingerprinting and web beacons achieve the same goal, and they keep working when cookies are blocked or cleared.

Many companies track data over the internet for marketing or advertising, but others, such as media and governments, might track for other reasons, like political ones. Many media outlets today collect data from different social media platforms to be analyzed later. One example is the current situation between Ukraine and Russia: a media outlet can post something related to the topic on its pages on different social networks, and people will comment; based on the comments from platforms such as Facebook, Twitter and LinkedIn, one can determine what people think about the Russian invasion.

How to test people to determine their opinion

Let's use a technique called profiling, which consists of collecting information such as gender, political opinion, sexual orientation, habits, interests, general opinion and religion about a person or a group of persons, to be used later to make a decision about them.

As an example, suppose we want to know what people think about LGBT people around the world. We create a group on Facebook, post different messages and analyze the reactions.

Let's create a group on Facebook and call it "We love LGBT". Post something on the page and wait for the comments and people's reactions.

Once you analyze the data collected, you can estimate people's opinion about such a topic in general.

This technique is used by many entities such as media, e-commerce and sports businesses to sell their products or to make decisions.

Risks related to data tracking

If data is not tracked in line with the regulations, many issues may arise.

Take the LGBT example above: imagine that you apply for a job and have an interview with the company. Before the interview the company tracks you on different social media and finds your negative comment about LGBT people. If the manager is gay or lesbian, or is one of the people who received the feedback from the data collection, it could negatively impact the interview. To avoid such issues, regulations should protect people's privacy over the internet.

As we see, tracked data can lead to prejudice: a simple comment cost the person the job.

Advantages of data tracking

As said before, many businesses track data for marketing or advertising, which helps them improve the way they sell their products.

Data tracking can also help find terrorists. As the world faces many terrorist attacks today, data tracking can be very important for entities such as police departments, the military, threat investigation teams and so on.

Data tracking can also be used for background checks to determine whether a person is suitable for a position.

As you see, everything has a good side and a bad side. The best way to stay on the good side is to follow the regulations and best practices, and to monitor them as well.

Solutions against data tracking without people's consent

There are many ways to avoid being tracked by the websites you visit.

  • Review the cookie preferences before accepting cookies, and only allow the ones you need
  • Enable Do Not Track (many sites ignore it, so do not rely on it alone)
  • Do not give permission to share your data with third parties (social networks like Facebook, Google and Twitter do it by default; you need to change the settings to disallow it)
  • Implement data privacy regulation where not in place (this should be done by each country) and make sure companies comply with it
  • You can use a tool like Trackography (Who tracks you online?) to see where your data goes when you connect to some media sites
  • Use a VPN, the Tor Browser or the Tails operating system to stay anonymous online
  • Use a proxy to hide your activities over the internet
  • Use incognito mode (it does not provide complete privacy)

There are many other ways to stay protected online, but the only complete protection is to not be online at all, which is not possible. Therefore, always following the best practices is the key to staying safe online.

How to find the router password online

The role of the router is to forward packets from one network to another over the internet.

To access the router, a password is required. Most routers ship with a default password that can be used to access and configure them, and the problem is that most customers never change it. Default router passwords are published online and are the same for every unit of a given model, so they do not change: you only need to know the router model and search for it in your browser to get the password, which makes it trivial to guess. Imagine that you gave access to your local network to someone with bad intentions: that person only has to run the cmd command "ipconfig" to find the gateway IP address, which is your router's address, and use the default password to log in and change the router's settings. The person could take full control of your network and redirect your traffic elsewhere, for example by changing the DNS servers the router hands out.

As we said, the default passwords are available on the internet; here is how you can get the default password and log in.

Example:

  1. First identify the router you want to access (check the model name on the router itself).
  2. Open the link below, find the router model and click "find password".

Accelerated Networks Router passwords – List of all default passwords for the Accelerated Networks Router

The router model appears in the list.

  3. Open cmd and type ipconfig. Check whether you are connected by cable or wirelessly; in our case we are connected wirelessly.
  4. Now that you have the IP address of the gateway (the router), open any browser of your choice and type "http://<gateway IP address>". You get the login page asking for a username and password; type the default username and password to get access.

NB: Note that the linked list may not contain your router model or its password. In that case, type the model name into your search engine (Google, Microsoft Bing or others) to find the relevant information.

To prevent someone from accessing your router without your consent and changing its settings, follow some best practices.

Best practices:

  • Change the default password and username
  • Use MAC address filtering (access control)
  • If you suspect someone has accessed your network, contact your service provider immediately
  • If you forget your new password or username, you can factory-reset the router to go back to the default configuration and change it again
  • Reduce the Wi-Fi signal strength so it does not reach outside your premises
  • Disable administration from the internet (WAN side) unless you really need it, so the login page is only reachable from inside

Follow the best practices to protect your network.

Mastodon users vulnerable to password-stealing attacks

A security researcher has found a vulnerability in Glitch, a fork of Mastodon. An attacker could use it to steal Mastodon users' credentials.

Mastodon is free and open-source software for running self-hosted social networking services (check Wikipedia for more details).

The security researcher was able to steal credentials on the Infosec Mastodon instance through an HTML injection vulnerability, without needing to bypass CSP.

Stealing passwords from infosec Mastodon - without bypassing CSP | PortSwigger Research

The vulnerability was reported to Mastodon. The flaw is specific to the Glitch fork used by infosec.exchange. Mastodon has released versions 4.0.1, 3.5.5 and 3.4.10 to mitigate the issue. Enabling 2FA means that someone who has only your password still cannot access your account.

How to use Have I Been Pwned?

Have I Been Pwned is a free online service used mostly by cyber security people (no worries, you can use it too). The service is very powerful and useful, and most organizations working in cyber security use it.

The service notifies organizations and individuals about data breaches, and lets you assess a password before using it.

Description of the service:

Have I Been Pwned

HOME

Once you type the website's domain name, you land on the home page.

Type your email address or phone number to verify whether your password or sensitive information such as phone number, credit card, email address, physical address, social security number and others was exposed in a data breach.

The email address entered was not found in the database, which means it does not appear in any breach known to the service (a negative result does not prove the address was never breached, only that no loaded breach contains it).

Further down the home page, you can find information about previous data breaches.

Click on one of the links and you find the details of that breach: for example, in April 2021 the marketplace OGusers suffered a data breach, and the page lists the compromised data types.

NOTIFY ME

If you want to be notified about any data breach where your email address is found, click on the "Notify me" menu, enter your email address, tick "I'm not a robot" and click the "Notify me of pwnage" button.

You receive a message if your email was found in any past breach, and you will also be notified about future breaches.

DOMAIN SEARCH

If you want to find all the email addresses on a specific domain that appear in data breaches, you can use this option.

You have to verify that you own the domain before you can use this feature.

WHO'S BEEN PWNED

This menu lists the breached websites and companies in the Have I Been Pwned database.

PASSWORDS

This menu can be used to assess a password before using it. Enter a password you want to use and click "pwned?".

The message "Oh no - pwned!" means the password entered has appeared 264,149 times in breaches. Please do not use that password 😊. The check is safe to run: only the first five characters of the password's SHA-1 hash are sent to the service, so the password itself never leaves your browser.

API

The API can be used to retrieve breach data programmatically; for example, many organizations use it to be notified about breaches involving their company email addresses. The breached-account endpoints require an API key, while the Pwned Passwords range endpoint is free and anonymous.
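The PASSWORDS check above and the API are the same mechanism seen from two sides, so here is an added example (not the service's own code, and not from the original post) of how a client performs the k-anonymity lookup: hash the password with SHA-1, send only the first five hex characters to the range endpoint, and compare the remaining 35 characters locally against the "SUFFIX:COUNT" lines that come back. The endpoint URL and the "Add-Padding" header are the documented Pwned Passwords interface; the sample response body is constructed (all counts and all suffixes except the one for SHA-1("password") are made up) so the example runs offline, and the live fetcher is included but not called.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed stand-in for the body the range endpoint returns for prefix 5BAA6.
# Real responses hold several hundred "SUFFIX:COUNT" lines; every count here and
# every suffix other than the one for SHA-1("password") is made up.
SAMPLE_RANGE_5BAA6 = """\
1E2AAA439972480CEC7F16C795BBB7D7B3D:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1E9F6B6F3E12F4B4B4F2A8D9CDA4D4B9C62:0
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the format Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hexdigest: str):
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    return hexdigest[:5], hexdigest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Padding entries (count 0)
    added when 'Add-Padding: true' is sent are kept; they never count as pwned."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Number of times the password appears in Pwned Passwords (0 = not found).
    fetch_range(prefix) -> response body is injected so the check can run offline."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real network fetch. Add-Padding hides the true response size from observers."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "pwned-passwords-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix: str) -> str:
    """Constructed fetcher used here so the example does not need network access."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fetch_range_offline)
        verdict = f"seen {n} times, do not use" if n else "not in the sample range"
        print(f"{candidate!r}: {verdict}")
```

Swap fetch_range_offline for fetch_range_live to query the real service; the only thing that changes is where the response body comes from, which is the point of injecting the fetcher.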

DONATE

As you can see, the owner of the website, Troy Hunt, has worked a lot to provide this amazing service to the world. Any donation goes toward building, running and maintaining the website. This option is also very important 😊.

Citrix releases patches for Citrix Gateway and Citrix ADC

Three vulnerabilities have been discovered in Citrix Gateway and Citrix ADC.

The vulnerabilities are the following:

  • CVE-2022-27510 Unauthorized access to Gateway user capabilities
  • CVE-2022-27513 Remote desktop takeover via phishing
  • CVE-2022-27516 User login brute force protection functionality bypass

Be aware that only appliances operating as a Gateway (appliances using the SSL VPN functionality or deployed as an ICA proxy with authentication enabled) are affected by the first issue, which is the critical one.

The affected versions are the following:

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.21
  • Citrix ADC 12.1-FIPS before 12.1-55.289
  • Citrix ADC 12.1-NDcPP before 12.1-55.289

The release applies to customer-managed Citrix ADC and Citrix Gateway appliances. Customers using Citrix-managed cloud services do not need to take any action.

Recommendation:

Install the relevant updated versions of Citrix ADC or Citrix Gateway.

NB: Citrix ADC and Citrix Gateway versions prior to 12.1 are EOL, so no fix is provided for them; customers on those versions are recommended to upgrade to one of the supported versions.
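Both advisories on this page, the Chrome zero-day above and this Citrix bulletin, come down to the same practitioner question: is the build I am running older than the first fixed build? The following is an added example, not from either vendor's tooling: a small Python helper that parses the two version formats numerically (a string comparison would rank 13.1-4.1 above 13.1-33.47) and classifies a build against the fixed versions quoted in the text. Assumptions: the "google-chrome --version" output format, and that 12.1-FIPS and 12.1-NDcPP builds are identified by the caller with a flag, since the build string alone does not show the variant.

```python
import re


def parse_version(version: str) -> tuple:
    """Split '107.0.5304.121' or '13.1-33.47' into a tuple of ints so that the
    comparison is numeric, not lexicographic ('13.1-33.47' must beat '13.1-4.1')."""
    return tuple(int(part) for part in re.split(r"[.\-]", version.strip()))


# Chrome: first build carrying the fix, per the release note quoted above
# (Windows also shipped 107.0.5304.122, which this comparison accepts as patched).
CHROME_FIXED = "107.0.5304.121"


def chrome_vulnerable(version_line: str) -> bool:
    """Takes the raw 'google-chrome --version' output, e.g. 'Google Chrome 107.0.5304.110'
    (assumed format), and returns True if it predates the fix for CVE-2022-4135."""
    match = re.search(r"\d+(?:\.\d+){3}", version_line)
    if not match:
        raise ValueError(f"no 4-part version in {version_line!r}")
    return parse_version(match.group()) < parse_version(CHROME_FIXED)


# Citrix: first fixed build per release branch, from the bulletin above.
CITRIX_FIXED = {"13.1": "13.1-33.47", "13.0": "13.0-88.12", "12.1": "12.1-65.21"}
CITRIX_FIXED_FIPS_NDCPP = "12.1-55.289"   # 12.1-FIPS and 12.1-NDcPP share this build


def citrix_status(build: str, fips_or_ndcpp: bool = False) -> str:
    """Classify an ADC/Gateway build such as '13.0-88.10' as 'patched', 'vulnerable',
    'eol' (branch before 12.1, no fix available) or 'unknown' (branch not in the bulletin)."""
    branch = build.split("-")[0]
    if fips_or_ndcpp:
        fixed = CITRIX_FIXED_FIPS_NDCPP if branch == "12.1" else None
    else:
        fixed = CITRIX_FIXED.get(branch)
    if fixed is None:
        return "eol" if parse_version(branch) < (12, 1) else "unknown"
    return "vulnerable" if parse_version(build) < parse_version(fixed) else "patched"


if __name__ == "__main__":
    print("Chrome 107.0.5304.110 vulnerable:", chrome_vulnerable("Google Chrome 107.0.5304.110"))
    for build in ("13.0-88.10", "13.1-33.47", "12.0-63.13"):
        print(f"Citrix {build}: {citrix_status(build)}")
    print("Citrix 12.1-55.280 (FIPS):", citrix_status("12.1-55.280", fips_or_ndcpp=True))
```

Feeding it an inventory export instead of hard-coded strings turns it into the check a vulnerability management team runs after each bulletin; the "unknown" result is deliberate, so a branch the bulletin does not mention is surfaced rather than silently treated as safe.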