Du nouveau dans la (l'in) sécurité de l'Internet ?
Le 3 janvier 2024, une partie du trafic IP à destination de la filiale espagnole d'Orange n'a pas été transmis, en raison d'un problème BGP, le système dont dépend tout l'Internet. Une nouveauté, par rapport aux nombreux autres cas BGP du passé, est qu'il semble que le problème vienne du piratage d'un compte utilisé par Orange. Quelles leçons tirer de cette apparente nouveauté ?
Cyber Extortion activity reached the highest volume ever recorded in Q1 2023 after a decline of 8% in 2022, reveals new Orange Cyberdefense report
The shift previously observed in the geographical location of cyber extortion (Cy-X) victims continues to accelerate, moving from the United States (-21%), and Canada (-28%) to Southeast Asia region (+42%), the Nordics (+40%) & Latin America (+32%). * Whilst Manufacturing continues to be the biggest industry impacted, the number of victims decreased (-39%), with a shift towards the Utilities sector (+51%), Educational Services (+41%) and Finance and Insurance Sectors (+11%). * Businesses in 96 different countries were impacted by Cy-X in 2022, equating to nearly half (49%) the countries in the world. Since 2020 Orange Cyberdefense has recorded victims in over 70% of all countries worldwide * Over 2,100 organizations in the world were publicly shamed as a victim of Cy-X in 2022, across an almost even distribution of business sizes.
Abusing windows’ tokens to compromise active directory without touching lsass
During an internal assessment, I performed an NTLM relay and ended up owning the NT AUTHORITY\SYSTEM account of the Windows server. Looking at the users connected on the same server, I knew that a domain administrator account was connected. All I had to do to compromise the domain, was compromise the account. This could be achieved by dumping the memory of the LSASS process and collecting their credentials or Kerberos TGT’s. Seemed easy until I realised an EDR was installed on the system. Long story short, I ended up compromising the domain admin account without touching the LSASS process. To do so, I relied on an internal Windows mechanism called token manipulation. The goal of this blog post is to present how I did it. We will see what access tokens are, what they are used for, how we can manipulate them to usurp legitimate accounts without touching LSASS and finally I will present a tool and a CrackMapExec module that can be used during such assessments. All the source code, binaries and CrackMapExec module can be found here https://github.com/sensepost/impersonate.
Abusing windows’ tokens to compromise active directory without touching lsass
During an internal assessment, I performed an NTLM relay and ended up owning the NT AUTHORITY\SYSTEM account of the Windows server. Looking at the users connected on the same server, I knew that a domain administrator account was connected. All I had to do to compromise the domain, was compromise the account. This could be achieved by dumping the memory of the LSASS process and collecting their credentials or Kerberos TGT’s. Seemed easy until I realised an EDR was installed on the system. Long story short, I ended up compromising the domain admin account without touching the LSASS process. To do so, I relied on an internal Windows mechanism called token manipulation. The goal of this blog post is to present how I did it. We will see what access tokens are, what they are used for, how we can manipulate them to usurp legitimate accounts without touching LSASS and finally I will present a tool and a CrackMapExec module that can be used during such assessments. All the source code, binaries and CrackMapExec module can be found here https://github.com/sensepost/impersonate.
