CyberIsle2019

October the 23rd saw the inaugural Isle of Man Government Cyber Security Conference, ‘CyberIsle 2019’, where our CEO David Stubley was invited to speak on the subject of Business Email Compromise (BEC).

The talk covered the motivations of malicious actors conducting such attacks, the anatomy of a successful attack, and three case studies based on real-life incidents that the team here at 7 Elements has managed for our clients.

The talk finished with mitigation advice that any organisation can deploy to reduce the risk of a successful compromise. The following document provides an overview of BEC and the core content from the presentation:

Anatomy of a BEC Attack – Release

The talk also looked at how malicious actors can gain credentials via attacks against externally facing infrastructure, such as Virtual Private Network (VPN) devices. More information on this can be found here: http://www.7elements.co.uk/resources/research/exploit-script-cve-2018-13379/

If you would like to discuss how to gain assurance over cloud-based email solutions such as Office 365, please get in touch with the team.

Exploit Script for CVE-2018-13379

While conducting further analysis of the path traversal vulnerability in the FortiOS SSL VPN web portal, the team at 7 Elements created a script to enumerate vulnerable hosts and extract sensitive information such as usernames and passwords.

The following video shows the tool in action with the ability to scan multiple hosts (the script used for the purpose of the video masks sensitive information):

Using the script it was possible to enumerate ~200k hosts globally, identify around 20,000 vulnerable hosts and extract over 60,000 credentials (further blog post to follow).

Both the NSA and the NCSC have recently published advisories warning that Nation State Advanced Persistent Threat (APT) actors are using this vulnerability to gain access to enterprise environments.

Over three weeks prior to the advisories, the team here at 7 Elements identified that what was then being reported as a medium-risk issue was in fact a critical-impact issue. More on that can be found here.

Today we have released a version of the script that is limited to a single IP/host, to enable testing against devices owned by the individual running the script. The tool can be downloaded here.