Security Art Work

Historically, the Russian GRU military unit 29155 (VCh 29155, 161st Specialist Training Center) has been involved in active measures such as subversion, assassinations or sabotage. Recall that Soviet or Russian active measures refer to covert operations with the aim of influencing the policy or public opinion of third countries. These measures include from activities in cyberspace to “wet stuff” (assassinations, blackmail, sabotage…). Other famous operations of this unit include the sabotage of an arms depot in Czech Republic (2014), a coup in Montenegro (2016) or the attempted poisoning of the Skripals in Salisbury (2018).

Although unit 29155 was known to analysts, its existence jumped to generalist media when this unit was accused of being the cause of the “Havana Syndrome”. This syndrome was identified among U.S. and Canadian diplomats and intelligence personnel stationed in Cuba, in 2016, and its symptoms were replicated in other parts of the world. These symptoms include visual problems, vertigo or cognitive difficulties that manifest, according to those affected, after hearing strange sounds. Since the discovery of Havana syndrome, its origin has been controversial. Different studies have associated it with Russian intelligence activities related to new-generation weaponry, from acoustic weapons to directed energy.

In the dynamic and ever-changing cybersecurity environment, staying ahead of threats is more crucial than ever.

At S2 Grupo, in collaboration with the National Cryptologic Center (CCN), we have developed and continuously improved CARMEN, an innovative tool designed to protect organizations against the most sophisticated threats.

What is CARMEN?

CARMEN (Center for Log Analysis and Data Mining) is a comprehensive threat detection and response solution specifically designed to address the evolution of Advanced Persistent Threats (APTs). This tool is fundamental for Threat Hunting processes, allowing security teams to proactively identify and neutralize risks.

CARMEN’s main objective is to generate intelligence from network traffic and user activities within the organization, filtering and prioritizing critical information. In this way, it helps prevent security breaches and mitigate the impact of cyber-attacks. With CARMEN, organizations achieve full visibility of their infrastructure, facilitating both early threat detection and an agile and effective response.

In the world of cybersecurity there is a widely known vulnerability known as Path Traversal, which can affect web servers, including Nginx servers. This represents a significant threat to the integrity and security of information.

What does it consist of?

This vulnerability allows an attacker to access and read files outside the designated root directory. Therefore, an attacker could manipulate file requests to reach resources that should not be accessible.

How is such a vulnerability exploited? This is achieved by manipulating directory paths in HTTP request URLs.

The following image shows an example of how the server’s passwd file would be accessed via the web. The “..” symbols indicate the number of directories between the files shown on the web and the location of the server’s root folder.

That defenses are tested by attacks is now widely accepted by many organizations. For many years now, Red Team exercises have become an essential element in evaluating and improving the security of state-of-the-art IT infrastructures. In these exercises, one or more hackers simulate the behavior of an attacker and test for a set period of time both the security of a set of assets or users and the defensive capabilities of the organization’s security operations center (SOC), whose members must not know that the exercise is taking place.

The results obtained are reflected in a report containing one or more attack narratives and information on the weaknesses identified. This report is then used by the organization to improve security, minimizing the impact of future real attacks.

Red Team exercises are an excellent resource, not only for improving the organization’s defenses, but also for SOC personnel to face a realistic attack situation from which to learn, with the added benefit of being able to sit down with the attackers and discuss the play afterwards.

In recent years we have witnessed the release of a large number of C2s in different languages: Covenant in .NET, Merlin and Sliver in Go or Mythic in Python are some examples. All of them are added to the more classic tools established in previous years (Cobalt, Empire, …) creating a large ecosystem where sometimes it is difficult to choose between them all.

In September 2022, Havoc, a C2 written in multiple languages (C++, Golang, C and ASM) was published on github and has since achieved great notoriety in the world of offensive cybersecurity thanks to its modularity and efficiency, and has become one of the go-to free C2s.

In this post we will take a look at its installation process, as well as its operation and capabilities.

Installation

The installation of Havoc is simple and can be found in the documentation of the tool, the first thing we are going to do is to clone the repository:

In the dynamic and ever-changing landscape of cybersecurity, Advanced Persistent Threats (APTs) stand out as one of the most significant challenges. These threats, characterized by their sophistication and ability to evade traditional defences, can infiltrate corporate and government networks, remaining undetected for extended periods. Effective detection of APTs is therefore a critical priority to protect the integrity and confidentiality of information.

APTs are characterized by their high sophistication and persistence in target systems. Attackers, often backed by significant resources, employ complex tactics to gain unauthorized access to systems and extract sensitive data or cause prolonged damage. These tactics include the use of custom malware, exploitation of unknown vulnerabilities (zero-day), and advanced social engineering techniques. On the defensive side, the MITRE ATT&CK framework provides a comprehensive structure detailing the various methods and techniques attackers use at each stage of the cyberattack lifecycle, allowing for a better understanding and defence against these advanced threats.

In this context, artificial intelligence (AI) emerges as a promising tool to enhance APT detection capabilities. AI, with its ability to analyse vast amounts of data and detect anomalous patterns, offers an advanced solution against traditional cybersecurity techniques. Unlike conventional methods, which often rely on predefined signatures and static rules, AI can adapt and learn from new threats in real-time.

If you don’t live under a rock and use social media, you’ve surely witnessed or starred in those posts at your favorite coffee shop, close to home, at work, on the road, or at those unforgettable Project X-style epic parties. We love to share those moments, don’t we?

Often, we don’t even realize the mountain of information we give to the world every time we post something on our social networks. We expose ourselves to the Internet without thinking about the possible consequences. It’s like venturing into the digital jungle without a map, not knowing what predators lurk.

But do you know what’s crazy? That with every post we are dropping clues about our location, our daily routine, our activities, our family, our friends, among many other things. It’s as if we are leaving digital breadcrumbs for anyone to follow, revealing our life to an invisible and potentially dangerous audience.

And it’s not just the information we know we share, but also the information we share without even being aware of it, because of course, let’s not forget about metadata. When, for example, we take a photo with our cell phone, that image can contain a lot of information that, at first glance, we could overlook. From the exact location where the photo was taken, to the make, model and software version of the device used, and even details about the camera settings. Small details that, at first glance, seem harmless but, contrary to what we might think, reveal a lot of information, making us vulnerable to possible attacks by those who know how to look for it.

Classified information is a vital component of national and international security in the contemporary world. This type of information, meticulously protected by governments and organizations, encompasses a wide range of sensitive content that, if it falls into the wrong hands, could pose a significant threat to a nation’s security, stability and strategic interests.

The nature of Classified Information

Classified information may include data on military operations, intelligence strategies, advanced technologies, intelligence sources, as well as sensitive diplomatic and political information.

The classification of this information is made according to the seriousness of the damage that its disclosure could cause, and is divided into different levels of classification, such as “Limited Disclosure”, “Confidential”, “Reserved” and “Secret”, and their international equivalents.

When we talk about space, it often sounds like fiction at first. However, we are not as far away as we may think. A new security testing trend that is flourishing nowadays is the well known Pentest against satellites. Today, a single person can design, build and launch a satellite while respecting very few safety standards and protocols.

As we already know, human error is quite well known in our field, which together with the democratization of space that has opened a new frontier to companies and enthusiasts to exploration and innovation in the space field, produces the birth of a new set of specific vulnerabilities, which require qualified and specialized professionals to identify them.

What is Satellite Pentesting?

In short, it is what many of us already know as “pentesting” but extrapolated to satellites. Therefore, it is a process of testing the security of satellite communication systems, where we simulate attacks against them, identifying potential vulnerabilities and deficiencies that can be exploited and then report them to the client with their respective corrective measures, allowing them to mitigate the risks identified.

In today’s cybersecurity landscape, the complexity of the solutions implemented to protect against growing threats is constantly increasing. Because of this, both malicious actors, who seek to compromise organizations and systems for their own benefit, and Red Team operators, whose mission is to identify and report vulnerabilities for later remediation, are driven to identify and exploit new weaknesses in systems, adapting their methods and developing new TTPs that allow them to evade existing defenses.

The tools developed by both operators and hostile attackers are designed for evasion of security solutions such as EDRs. This is because keeping the operation off the Blue Team’s radar is of vital importance. Being detected would result in the defense team obtaining IOCs, which they would use to dismantle an entire operation, blocking IP addresses and domains, creating YARAs for artifacts or implementing the latest updates to all their security solutions.

These actions, in addition to increasing the Blue Team’s alert level, would mean the end or restart of an attack or operation, as the entry vector could be mitigated or directly blocked and the infrastructure would need to be almost completely reassembled. This is why maintaining the OPSEC of an operation is of vital importance, avoiding the generation of alerts that could notify the defenders and thus meet the objective without being detected.