TryHackMe Walkthrough – Phishing Analysis Tools

Task 1: Introduction

Question 1: No answer needed

Task 2: What information should we collect?

Question 1: No answer needed

Task 3: Email header analysis

Question 1: What is the official site name of the bank that capitai-one.com tried to resemble?

This should be self-explanatory, google capitol one to see what their domain is.

Answer: capitalone.com

Phishing Email Example | How To Report Phishing Attempts in Gmail

I received this email this morning and I thought it would be a great example to point out the issues in the email that flag it as a phishing email.

Alright, here we have Jr. emailing us regarding an invoice. Two things off the bat, I’m not expecting anything from someone named Jr. and I have no idea what invoice I should be expecting. The last name Hade is not familiar to me. Next this attacker used Hello and Dear right after each other. This isn’t done. Then instead of using Jason to address me he uses my email address. Next looking at the attached PDF file name, which you should never open or download, the file name is just gibberish. The attacker didn’t even go to the bother of naming it “invoice” or anything that would make more sense. If we keep looking we see that their email is gibberish too and its from a gmail domain, who does legit business with a gmail address and not a real domain like bestbuy.com or something are slim.

Okay, so I know this is a phishing attempt, but what do I do with it? I could just delete it, but that doesn’t flag as something that gmail can research and prevent other users from getting this message. I could report spam, but it’s worse than just an unsolicited marketing email. This thing is malicious, so let’s see what gmail suggest.

Okay so I click on The three dots near reply and I can submit a phishing attempt.

After clicking on the message we get a pop-up that says…

And the email is removed from my inbox. We’re done. Great job and keep vigilant, Always be suspicious!

TryHackMe Walkthrough – Phishing Emails in Action

Task 1: Introduction

Question 1: No answer needed

Task 2: Cancel your PayPal order

Question 1: What phrase does the gibberish sender email start with?

This answer is in the reading. Look at the email address highlighted with a red circle 2.

Answer: noreply

TryHackMe Walkthrough – Phishing Analysis Fundamentals

Task 1: Introduction

Question 1: No answer needed.

Task 2: The Email Address

Question 1: Email dates back to what time frame?

Answer is in the reading. Second paragraph.

Answer: 1970s

Weekly Cybersecurity Wrap-up 11/13/23

Learn Cybersecurity with me. I’m posting my journey here.

Webinars/Videos

Articles

Australian Ports Resume Operation After Crippling Cyber Disruption – Details of a major cyberattack against Australia’s shipping industry remain few and far between, but the economic impact is clear.
Ransomware Group Leaks Files Allegedly Stolen From Boeing – The LockBit ransomware group has leaked gigabytes of files allegedly stolen from the systems of aerospace giant Boeing.
Hackers swipe Booking.com, damage from attack is global – Hackers breached Booking.com, one of the world’s largest online accommodation reservation sites, by posing as hotel staff to steal credit card information from travelers making bookings.
Administrator of Darkode Hacking Forum Sentenced to Prison – Thomas McCormick, aka fubar, an administrator of the Darkode hacking forum, has been sentenced to 18 months in prison.
CISA Alert – Scattered Spider
Russian Hackers Linked to ‘Largest Ever Cyber Attack’ on Danish Critical Infrastructure – Russian threat actors have been possibly linked to what’s been described as the “largest cyber attack against Danish critical infrastructure,” in which 22 companies associated with the operation of the country’s energy sector were targeted in May 2023.
Ransomware gang files SEC complaint over victim’s undisclosed breach – The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack.
IPStorm botnet with 23,000 proxies for malicious traffic dismantled – The U.S. Department of Justice announced today that Federal Bureau of Investigation took down the network and infrastructure of a botnet proxy service called IPStorm.
FBI knows identities of some U.S. members of “Scattered Spider,” but no arrests so far? – For more than six months, the FBI has known the identities of at least a dozen members tied to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts International and Caesars Entertainment, according to four people familiar with the investigation.
Biden Campaign Looking for CISO – The Biden for President campaign is looking for a cybersecurity chief to “define the organization’s risk appetite” and manage its cybersecurity and IT initiatives.
Hackers Could Exploit Google Workspace and Cloud Platform for Ransomware Attacks – A set of novel attack methods has been demonstrated against Google Workspace and the Google Cloud Platform that could be potentially leveraged by threat actors to conduct ransomware, data exfiltration, and password recovery attacks.
CitrixBleed Vulnerability Exploitation Suspected in Toyota Ransomware Attack – Toyota Financial Services has been hit by a ransomware attack that may have involved exploitation of the CitrixBleed vulnerability.
Long Beach, California turns off IT systems after cyberattack – The Californian City of Long Beach is warning that they suffered a cyberattack on Tuesday that has led them to shut down portions of their IT network to prevent the attack’s spread.
US Teen Pleads Guilty to Credential Stuffing Attack on Fantasy Sports Website – Wisconsin teenager Joseph Garrison has admitted in court to launching a credential stuffing attack on a betting website.

Podcasts

Cyberwire – Ep 1949 | 11.16.23 – Shopping during wartime? Focus, people.

Projects

LinkedIn Learning – CompTIA Security+ Module 8: Network Security Design and Implementation | Complete!

TryHackMe – SOC Level 1(92 % Complete): Intro to Malware Analysis

UDemy – Python for Cybersecurity – Gitlab

TryHackMe – Intro to Malware Analysis Walkthrough

In this walkthrough we will go step by step to answer the questions.

Task 1: Introduction

No questions here, so let’s keep moving.

Task 2: Malware Analysis

Question: Which team uses malware analysis to look for IOCs and hunt for malware in a network?

The answer can be found in the reading in “The purpose behind Malware Analysis” section. Specifically, the Threat Hunt bullet.

Threat Hunt teams analyze malware to identify IOCs, which they use to hunt for malware in a network.

Answer: threat hunt teams

Weekly Cybersecurity Wrap-up 11/06/23

Webinars

Some good youtubes this week…

Great for me as I finished up Snowden’s autobiography this week as well.

Articles

Okta Hack Blamed on Employee Using Personal Google Account on Company Laptop – Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.
FBI: Ransomware gangs hack casinos via 3rd party gaming vendors – The Federal Bureau of Investigation is warning that ransomware threat actors are targeting casino servers and use legitimate system management tools to increase their permissions on the network.
Atlassian Bug Escalated to 10, All Unpatched Instances Vulnerable – Active ransomware attacks against vulnerable Atlassian Confluence Data Center and Servers ratchets up risk to enterprises, now reflected in the bug’s revised CVSS score of 10.
Two Russian Nationals Charged For Conspiring To Hack The Taxi Dispatch System At JFK Airport – “…these four defendants conspired to hack into the taxi dispatch system at JFK airport. Cyber hacking can pose grave threats to infrastructure systems that we rely on every day, and our Office is dedicated to pursuing criminal hackers, whether they be in Russia or here in New York.”
Major ChatGPT Outage Caused by DDoS Attack – ChatGPT and its API have experienced a major outage due to a DDoS attack apparently launched by Anonymous Sudan.
Cloudflare website downed by DDoS attack claimed by Anonymous Sudan – Cloudflare confirmed that the outage resulted from a DDoS attack that only affected the www.cloudflare.com website without impacting other products or services.
Tri-City Medical Center in Oceanside hit by cybersecurity attack – Tri-City Medical Center is diverting ambulance traffic to other hospitals Thursday as it copes with a cybersecurity attack that has forced it to declare “an internal disaster” as workers scramble to contain the damage and protect patient records.
1.3 Million Maine Residents Impacted by MOVEit Hack – The State of Maine says the personal information of 1.3 million individuals was compromised in the MOVEit attack.

Projects

LinkedIn Learning – CompTIA Security+ Module 8: Network Security Design and Implementation | This is a long one, I’m still working on it.

TryHackMe – SOC Level 1(91 % Complete): TheHive – Complete

UDemy – Python for Cybersecurity – Gitlab

Smishing Example

What is Smishing?

Smishing, a portmanteau of “phishing” and “SMS,” the latter being the protocol used by most phone text messaging services, is a cyberattack that uses misleading text messages to deceive victims. The goal is to trick you into believing that a message has arrived from a trusted person or organization, and then convincing you to take action that gives the attacker exploitable information (like bank account login credentials, for example) or access to your mobile device.

I received this lately and I wanted to share it so you see a real-life example. I’ve blocked out the link for safety.

I did not go to this website, but you can bet they copied the look of USPS’s website along with a login page. This login page will not work for you to login, because this is a fake site. What it will do is capture you’re password and email.

So what, right? No harm done. Well here is another term to learn. Credential stuffing.

What is Credential Stuffing?

Credential stuffing is the automated injection of stolen username and password pairs (“credentials”) in to website login forms, in order to fraudulently gain access to user accounts.

Since many users will re-use the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example) submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too.

Credential Stuffing is a subset of the brute force attack category. Brute forcing will attempt to try multiple passwords against one or multiple accounts; guessing a password, in other words. Credential Stuffing typically refers to specifically using known (breached) username / password pairs against other websites.
https://owasp.org/www-community/attacks/Credential_stuffing

This is exactly what these bad guys or hackers will do. They might also sell the list that they get to other hackers. which will then in turn try the same thing. So use a password manager and don’t use the same password on more than one site. Don’t click on anything you are not expecting. If you’re unsure, contact the source directly. In this case, I am not expecting anything from USPS, and I see so many red flags on this I know it is smishing.

Those red flags are:

I’m not expecting it.
The senders address – It is not usps.gov which is what I would expect instead it is ups.gidaew24lw@usps.tw. What the heck is that?!
The URL didn’t make sense either. I would expect usps.gov, but it is a .com and it wasn’t usps.com either. So strange, right?

TryHackMe – TheHive Project Walkthrough

Task 1 & 2 are easy “I read this” ones, so let’s skip to…

Task 3

Question 1: Which open-source platform supports the analysis of observables within TheHive?

In the reading under “Observable Enrichment with Cortex” bullet it explains that

One of the main feature integrations TheHive supports is Cortex

Answer: Cortex

Weekly Cybersecurity Wrap-up 10/30/23

Happy Halloween! It’s already the end of the year! Time files when you are learning cybersecurity!

Videos

What Hiring Mangers Really Think

Insider Threat

Articles

British Library knocked offline by weekend cyberattack – The British Library has been hit by a major IT outage affecting its website and many of its services following a “cyber incident” that impacted its systems on Saturday, October 28.
Massive cybercrime URL shortening service uncovered via DNS data – An actor that security researchers call Prolific Puma has been providing link shortening services to cybercriminals for at least four years while keeping a sufficiently low profile to operate undetected.
Canada bans WeChat and Kaspersky products on govt devices – Canada has banned the use of Kaspersky security products and Tencent’s WeChat app on mobile devices used by government employees, citing network and national security concerns.
LastPass breach linked to theft of $4.4 million in crypto – Hackers have stolen $4.4 million in cryptocurrency on October 25th using private keys and passphrases stored in stolen LastPass databases, according to research by crypto fraud researchers who have been researching similar incidents.
Hackers Accessed 632,000 Email Addresses at US Justice, Defense Departments – A Russian-speaking hacking group obtained access to the email addresses of about 632,000 US federal employees at the departments of Defense and Justice as part of the sprawling MOVEit hack last summer, according to a report on the wide-ranging attack obtained through a Freedom of Information Act request.
ServiceNow Data Exposure: A Wake-Up Call for Companies – Earlier this week, ServiceNow announced on its support site that misconfigurations within the platform could result in “unintended access” to sensitive data.
Okta hit by third-party data breach exposing employee information – Okta is warning nearly 5,000 current and former employees that their personal information was exposed after a third-party vendor was breached.
Boeing Confirms Cyberattack, System Compromise – The aerospace giant said it’s alerting customers that its parts and distribution systems have been impacted by cyberattack.
ISC2 Study: Economic Conditions Continue to Sandbag Cyber Hiring – Nearly 1.5 million people work in cybersecurity in North America, but even with a growing gap in skilled specialists, they bear a higher chance of hiring freezes and layoffs. Read the whole paper from ISC2.

Podcasts

Cyberwire Daily – Ep 1940 | 11.2.23 – The beginning of an international consensus on AI governance may be emerging from Bletchley Park.

Projects

LinkedIn Learning – CompTIA Security+ Module 8: Network Security Design and Implementation | This is a long one, I’m still working on it.

TryHackMe – SOC Level 1(90 % Complete): Velociraptor – Complete

UDemy – Python for Cybersecurity – Gitlab