Monday, May 15, 2017

Introducing Comsec's Ransomware Readiness Service


Comsec Group recently created a ransomware readiness service, which maps the gaps, validates the readiness level of an organization against ransomware attacks and provides concrete recommendations for remediation and improvement.

The WannaCry ransomware that struck recently exploited a vulnerability originally found by the NSA, whose exploit was leaked by the TheShadowBrokers hacking group about two months ago. It is the biggest and most notable example so far of ransomware that can spread without further user interaction, which significantly increases the ransomware threat and makes this service a lot more relevant.

So what is this service?

One approach for confronting the ransomware threat is just to pray and hope it won't hit you, and if it does, to try to recover or simply pay the ransom. However, recovery can take time and, more importantly, as was seen with WannaCry, there is no guarantee that you will get your files back even if you pay.

But there is another way: Organizations can actively test if their infrastructure is ready to counter the threat of ransomware, either by preventing the ransomware from executing, or preventing any real damage by allowing quick recovery from backups.

Our ransomware readiness service tests exactly that.

Incident Response

NIST's Cybersecurity Framework defines five functions that together cover the life cycle of a cyber incident:
  • Identify – Develop the institutional understanding to manage cybersecurity risk.
  • Protect – Develop and implement the appropriate safeguards, prioritized through the organization's risk management process, to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond – Develop and implement the appropriate activities, prioritized through the organization's risk management process (including effective planning), to take action regarding a detected cybersecurity event.
  • Recover – Develop and implement the appropriate activities, prioritized through the organization's risk management process, to restore the capabilities or critical infrastructure services that were impaired through a cybersecurity event.


Details of the Ransomware Readiness Service

The ransomware readiness service tests the organization's readiness level in each stage of the incident response process in order to understand the risk of ransomware, test the organization's protection and detection mechanisms, test the response procedures and verify the recovery process.

The service includes the following steps, grouped by framework function.

Identify
  • Assess management awareness of the ransomware threat in the organization.
  • Map the relevant response procedures for ransomware and general cyber attacks in the organization, highlight the gaps and recommend improvements to these procedures.

Protect
  • Web protection: Ensure safe internet browsing by reviewing and adjusting the organization's web browsing policy to reduce the risk of a malicious executable (or document) being downloaded.
  • Mail protection: Ensure that an appropriate solution for inbound emails exists by reviewing and adjusting the organization's anti-spam and malicious activity policy. This includes, amongst other things, the detection of malicious files, even if they are not detected as malicious based on anti-virus signatures.
  • User permissions: Ensure that the user workstations are hardened. This includes ensuring that malware can't be executed by accident (for example, due to an autorun script on a USB drive), and examining any endpoint protection solutions.
  • Limit users' domain permissions: This includes reviewing servers and workstations in the domain in order to ensure that users do not have permissions to execute code remotely. In addition, this review includes restricting writable folders on the domain, to reduce the risk of malware spreading itself via network shares.
  • Server and endpoint configuration and patching: Ensure that servers and workstations are updated with the latest security patches in a timely manner in order to reduce the risk of ransomware exploiting known vulnerabilities.

Detect
  • Testing endpoint protection: Test the configuration and update policy of the antivirus and EDR (Endpoint Detection and Response) solutions in order to detect, or even prevent, the ransomware from executing in real time.

Respond
  • IRT (Incident Response Team): Comsec's IRT is always available for future support in the event of a security incident caused by ransomware (or any other malware). Comsec investigates the ransomware in order to assess the "family" it comes from and whether there is a known method of decrypting the files without paying the ransom. Comsec has a registered bitcoin wallet to pay the ransom if needed, as a last resort, following our assessment of the likelihood of the files being decrypted even after paying.
  • User awareness training: Perform phishing exercises with scenarios such as fake websites, malicious links, malicious files etc., including a detailed report showing statistics of the extent to which users were susceptible, e.g. opened email, opened link, downloaded file, ran file.

Recover
  • Backups: Ensure that files are constantly backed up in order to minimize damage in the event of a ransomware attack, and that regular restoration tests are carried out.



In conclusion: in order to better mitigate the risk of ransomware and other modern cyber threats, you should test your readiness across the full chain of events and activities that can occur in such an incident, in order to prevent the threat from occurring and/or to limit the damage if it does occur.

For further details and for any questions please contact us:

Stay Safe

Gil Cohen

Monday, May 8, 2017

Monday tech: WPAD Man in the middle across LANs *and* the WAN

Hi everyone
WPAD, the Web Proxy Auto-Discovery Protocol, is used in Windows by Internet Explorer and by other web browsers that follow Windows' Internet settings. It enables automatic discovery of proxy server settings for connecting to the outside world, usually the Internet.

WPAD is almost 20 years old, and it is an old and insecure protocol. When WPAD is enabled, the client asks DNS for a record with the hostname WPAD and fetches from that host a PAC (Proxy Auto-Config) file, which contains sandboxed JavaScript code that tells the browser the location of the proxy server, or of multiple proxies. If the DNS query fails, another similar protocol that operates in the LAN, WINS (Windows Internet Naming Service), is used to search for the WPAD host, and if that also fails, yet another similar protocol, LLMNR (Link-Local Multicast Name Resolution), is used. LLMNR is a peer-to-peer resolution protocol that asks the entire network, via broadcast, to resolve the name: not the safest or most reliable method.

If an attacker resides in the victim's network, he can easily respond to the LLMNR broadcast, return a PAC file and redirect the victim's traffic through his own station, achieving a full MITM attack.
Moreover, if the attacker adds basic authentication to his malicious server, the victim will be prompted to enter credentials, and once he does, he has handed his username and password to the attacker.

This can be executed automatically using the well-known Responder tool, created by SpiderLabs and now part of Kali.
A full example can be seen here:

But wait, the fun doesn't stop there. WPAD first issues a DNS request for the WPAD hostname, and in many cases it appends the domain name to that hostname.
So effectively, if an organization called Contoso has a domain with the same name and its domain workstations have WPAD enabled, the DNS server will receive both a WPAD hostname request and a WPAD.Contoso request.
If WPAD.Contoso is a valid, publicly resolvable DNS hostname on the Internet, this attack becomes FAR more dangerous, as it now leaks from the LAN to the WAN.
During the last BlackHat Las Vegas conference, a researcher actually registered the WPAD hostname under multiple top-level domains, with different suffixes such as, and, hoping to get requests from different organizations. Surprisingly (or not), he did. A LOT.
The most successful suffix was Tokyo, perhaps because of the upcoming Olympics that will take place in the city in 2020.
An article about this hack can be found here:
The presentation from BlackHat can be found here:
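Two defender-side checks for the behaviour described above, written as an added example (not code from the original post or from any of the linked material): the first enumerates which WPAD names a client will ask DNS for given its suffix search list and flags those that fall outside the zones the organization controls (the LAN-to-WAN leak), and the second scans resolver log lines for WPAD lookups that fell through to WINS or LLMNR, i.e. the point at which any host on the segment can answer. It assumes Windows-style suffix devolution (each search suffix is shortened one label at a time, never below two labels); the zone list and the log format are constructed for the example.

```python
"""Added example (not code from the original post): two defender-side checks
for the WPAD behaviour described above, the DNS -> WINS -> LLMNR fallback and
the domain-suffix leak to the WAN.

Assumptions, not taken from the post:
  * Windows-style suffix devolution: a lookup for the single label "wpad" is
    retried with each suffix from the client's search list, and each suffix
    is shortened one label at a time (corp.contoso.tokyo -> contoso.tokyo),
    never below two labels.
  * INTERNAL_ZONES and SAMPLE_LOG are constructed for the example.
"""
import re

# Zones the organisation's own DNS is authoritative for (constructed).
INTERNAL_ZONES = {"corp.contoso.tokyo", "contoso.local"}

# Constructed resolver/sensor log lines, not from any real product.
SAMPLE_LOG = [
    "2017-05-08T09:00:01 proto=DNS   src=10.0.0.5 query=wpad.corp.contoso.tokyo rcode=NXDOMAIN",
    "2017-05-08T09:00:01 proto=WINS  src=10.0.0.5 query=WPAD rcode=NXDOMAIN",
    "2017-05-08T09:00:02 proto=LLMNR src=10.0.0.5 query=wpad",
    "2017-05-08T09:00:03 proto=DNS   src=10.0.0.9 query=intranet.corp.contoso.tokyo rcode=NOERROR",
]

QUERY_RE = re.compile(r"proto=(?P<proto>\S+)\s+src=(?P<src>\S+)\s+query=(?P<name>\S+)")


def devolve(suffix, min_labels=2):
    """Return a suffix and its parents down to min_labels labels.
    'corp.contoso.tokyo' -> ['corp.contoso.tokyo', 'contoso.tokyo'];
    a single-label suffix such as 'contoso' is returned unchanged."""
    labels = suffix.lower().strip(".").split(".")
    parents = [".".join(labels[i:]) for i in range(len(labels))
               if len(labels) - i >= min_labels]
    return parents or [".".join(labels)]


def wpad_candidates(search_list):
    """Every FQDN a WPAD client may ask DNS for, given its suffix search list."""
    names = []
    for suffix in search_list:
        for parent in devolve(suffix):
            name = "wpad." + parent
            if name not in names:
                names.append(name)
    return names


def is_internal(name, zones=INTERNAL_ZONES):
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in zones)


def external_wpad_names(search_list, zones=INTERNAL_ZONES):
    """Candidates outside the zones we control: these lookups leave the LAN
    and are answered by whoever registered the name on the Internet."""
    return [n for n in wpad_candidates(search_list) if not is_internal(n, zones)]


def flag_wpad_fallbacks(log_lines):
    """(src, proto, name) for each WPAD lookup that fell through to WINS or
    LLMNR; at that point the client accepts a PAC file from any responder."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        proto = m.group("proto").upper()
        if (name == "wpad" or name.startswith("wpad.")) and proto in ("WINS", "LLMNR"):
            hits.append((m.group("src"), proto, name))
    return hits


if __name__ == "__main__":
    print("leaks to WAN:", external_wpad_names(["corp.contoso.tokyo", "contoso.local"]))
    print("fallback lookups:", flag_wpad_fallbacks(SAMPLE_LOG))
```

The first check is the one to run against your own suffix search list: every name it reports as external is a name you should either register yourself or pre-empt with an internal DNS record, and any hit from the second check is a host that should have WPAD, LLMNR and WINS name resolution disabled by policy.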

Have a great week!

Saturday, May 6, 2017

Cyber Updates - 06/05

Hey all,
Here are this week's cyber updates:

(1) Intel's remote management features for its processors were found to be vulnerable (CVE-2017-5689) to remote code execution.
Intel's Active Management Technology (AMT) uses a web-based control panel, accessible on ports 16992 and 16993, which allows an administrator to manage a system remotely. The web server uses HTTP Digest as its authentication mechanism, but does not properly compare the user_response digest value with the computed_response value. In particular, it calls the strncmp function with the length of user_response instead of the length of computed_response.
This means that an empty (null) value submitted as the user's digest response invokes strncmp with a length of 0, which causes it to always return 0 (success). Thus, malicious users can successfully authenticate to the web server and manage users' computers.
Fortunately, the AMT features are not installed by default, so not all organizations are affected by this vulnerability.

Here are all the details:
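To make the comparison flaw concrete, here is an added example (not Intel's code and not taken from the advisory) that models the digest check in Python: the response is computed with the basic RFC 2617 scheme without qop, a small helper reproduces the semantics of C's strncmp with a caller-supplied length, and the flawed check is shown beside a fixed one that requires the full length and compares in constant time. The realm, credentials and nonce are constructed for the example.

```python
"""Added example (not Intel's code and not from the advisory): a Python model
of the AMT digest-comparison flaw described above, beside a fixed check.
strncmp_equal() mimics `strncmp(a, b, n) == 0` on NUL-free strings; the
digest computation follows the basic RFC 2617 scheme without qop.
All credentials, realms and nonces below are constructed."""
import hashlib
import hmac


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """Server-side computed_response for HTTP Digest (no qop):
    MD5(HA1:nonce:HA2) with HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def strncmp_equal(a, b, n):
    """True when strncmp(a, b, n) would return 0: only the first n characters matter."""
    return a[:n] == b[:n]


def vulnerable_check(user_response, computed_response):
    """The flawed comparison: the length comes from the client-supplied field.
    An empty user_response gives n == 0, and strncmp with n == 0 always matches."""
    return strncmp_equal(user_response, computed_response, len(user_response))


def fixed_check(user_response, computed_response):
    """Require the full expected length, then compare in constant time."""
    if len(user_response) != len(computed_response):
        return False
    return hmac.compare_digest(user_response, computed_response)


if __name__ == "__main__":
    expected = digest_response("admin", "example-realm", "correct horse", "GET", "/index.htm", "n0nce")
    print("empty response, vulnerable check:", vulnerable_check("", expected))
    print("empty response, fixed check:     ", fixed_check("", expected))
```

The general lesson is that the bound of a comparison must come from the value the server computed, never from the value the client sent; a constant-time comparison over the full expected length closes both the empty-response case and any partial-match variant of the same bug class.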

(2) WordPress was found to be vulnerable (CVE-2017-8295) to a logic flaw that might allow an attacker to reset users' passwords. In particular, WordPress sends a "password reset" email from the following address:, with "" parsed from the Host header of the user's request. Thus, the mail can be sent from the attacker's domain if he/she submits a password reset request carrying their own domain in the Host header (to the victim's IP address).

A malicious user can first flood the victim's mailbox with numerous large attachments (unrelated to the WordPress platform). This leaves the victim's mailbox full and unable to receive new emails.
The attacker then triggers the "forgot password" email (sent from their own domain), which causes the victim's MX server to reply to the original email with a "552 mailbox full" error. Since the attacker controls the sender domain, that bounce is delivered to the attacker and contains the original email, including the token for resetting the password.

Here are all the details:
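The following added example (not WordPress code) models the sender-address construction described above in Python: one variant derives the mail host from the request's Host header, the other only ever uses a configured site host and lets Host select among an allowlist. The Return-Path header is where a bounce such as "552 mailbox full" is delivered, which is why it must never point at a domain the requester chose. The host names, addresses and token are hypothetical.

```python
"""Added example (not WordPress code): password-reset mail construction
modelled on the flaw described above. The vulnerable variant derives the
sender/bounce domain from the request's Host header; the fixed variant only
ever uses a configured site host. All hosts, addresses and tokens are
hypothetical."""

CONFIGURED_SITE_HOST = "blog.example.com"   # from site configuration, never from the request
ALLOWED_HOSTS = {"blog.example.com", "www.example.com"}


def normalize_host(raw):
    """Lower-case a Host header value and drop any port ("[v6]:port" or "host:port")."""
    h = raw.strip().lower()
    if h.startswith("[") and "]" in h:
        return h[1:h.index("]")]
    return h.split(":", 1)[0]


def mail_host_vulnerable(headers):
    """Trusts whatever the client put in Host, like the flaw described above."""
    return normalize_host(headers.get("Host", CONFIGURED_SITE_HOST))


def mail_host_fixed(headers, configured=CONFIGURED_SITE_HOST, allowed=ALLOWED_HOSTS):
    """Host may only select among configured hosts; anything else is ignored."""
    h = normalize_host(headers.get("Host", ""))
    return h if h in allowed else configured


def build_reset_mail(mail_host, user_email, token):
    """Headers for the reset mail. Return-Path is where a '552 mailbox full'
    bounce goes, so it must never point at a domain the requester chose.
    The reset link itself is built from configuration in both variants."""
    return {
        "From": f"no-reply@{mail_host}",
        "Return-Path": f"no-reply@{mail_host}",
        "To": user_email,
        "Body": f"https://{CONFIGURED_SITE_HOST}/reset?token={token}",
    }


if __name__ == "__main__":
    forged = {"Host": "attacker.example:80"}
    print(build_reset_mail(mail_host_vulnerable(forged), "victim@example.org", "T0K3N"))
    print(build_reset_mail(mail_host_fixed(forged), "victim@example.org", "T0K3N"))
```

The same allowlist approach applies to any value a web application derives from Host (canonical URLs, cookie domains, redirect targets): the header is client-controlled input and should only ever pick from hosts the operator configured.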

(3) Flickr was found to be vulnerable to an account takeover: Flickr's authentication relies on Yahoo, where the user receives a token from Yahoo and sends it to Flickr. Due to insufficient validation of the address URL on Yahoo's side, a malicious user who causes their victim to invoke a call to Yahoo can receive the victim's Flickr token and log in on their behalf.

Here are all the details:

(4) Albert Einstein once said that two things are infinite: the universe and human stupidity. A new phishing campaign proves the latter. Users have received an email purporting to come from Apple iCloud, requesting not only their password but also their credit card details, address and government-issued credit card.

Here are all the details:

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit