惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Microsoft Azure Blog
Microsoft Azure Blog
Google Online Security Blog
Google Online Security Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Simon Willison's Weblog
Simon Willison's Weblog
T
Threat Research - Cisco Blogs
C
CXSECURITY Database RSS Feed - CXSecurity.com
L
Lohrmann on Cybersecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Forbes - Security
Forbes - Security
P
Palo Alto Networks Blog
Schneier on Security
Schneier on Security
S
Schneier on Security
T
Tor Project blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学
The Hacker News
The Hacker News
Hacker News - Newest:
Hacker News - Newest: "LLM"
罗磊的独立博客
Application and Cybersecurity Blog
Application and Cybersecurity Blog
F
Fortinet All Blogs
博客园 - 三生石上(FineUI控件)
小众软件
小众软件
C
Check Point Blog
Stack Overflow Blog
Stack Overflow Blog
Blog — PlanetScale
Blog — PlanetScale
雷峰网
雷峰网
S
Security @ Cisco Blogs
PCI Perspectives
PCI Perspectives
Spread Privacy
Spread Privacy
W
WeLiveSecurity
SecWiki News
SecWiki News
A
About on SuperTechFans
H
Help Net Security
博客园 - 司徒正美
Recent Commits to openclaw:main
Recent Commits to openclaw:main
爱范儿
爱范儿
S
Securelist
M
MIT News - Artificial intelligence
云风的 BLOG
云风的 BLOG
月光博客
月光博客
Jina AI
Jina AI
博客园 - 叶小钗
Vercel News
Vercel News
阮一峰的网络日志
阮一峰的网络日志
Recent Announcements
Recent Announcements
S
Secure Thoughts
The Cloudflare Blog
美团技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More

Black Hills Information Security, Inc.

Bad Habits: An ANTISOC Operation Same Problem, Different Angles: When Red Team and Blue Team Actually Talk to Each Other How to Identify and Exploit New Vulnerabilities Swapper – A Pure Regex Match/Replace Burp Extension A Practical Guide to BloodHound Data Collection Network Engineering Basics Signed, Trusted, and Abused: Proxy Execution via WebView2 Getting Started In Pentesting – Advice From The BHIS Pentest Lead Cloud Security: Tips and Resources for Securing the Cloud Lessons From A Chatbot Incident How to Lead Effective Tabletops Understanding GRC: How to Navigate Risks and Compliance Standards The “P” in PAM is for Persistence: Linux Persistence Technique Malware Analysis: How to Analyze and Understand Malware OSINT: How to Find, Use, and Control Open-Source Intelligence What to Do with Your First Home Lab When the SOC Goes to Deadwood: A Night to Remember Social Engineering and Microsoft SSPR: The Road to Pwnage is Paved with Good Intentions Common Cyber Threats Finding the Right Penetration Testing Company Deceptive-Auditing: An Active Directory Honeypots Tool The Curious Case of the Comburglar How to Set Smart Goals (That Actually Work For You) Inside the BHIS SOC: A Conversation with Hayden Covington Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation Why You Got Hacked – 2025 Super Edition Abusing Delegation with Impacket (Part 2): Constrained Delegation Abusing Delegation with Impacket (Part 1): Unconstrained Delegation GoSpoof – Turning Attacks into Intel Model Context Protocol (MCP) Bypassing WAFs Using Oversized Requests Getting Started with AI Hacking Part 2: Prompt Injection Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2) DomCat: A Domain Categorization Tool Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 1) Microsoft Store and WinGet: Security Risks for Corporate Environments Default Web Content MailFail Commonly Abused Administrative Utilities: A Hidden Risk to Enterprise Security Stop Spoofing Yourself! Disabling M365 Direct Send Bypassing CSP with JSONP: Introducing JSONPeek and CSP B Gone Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource DNS Triage Cheatsheet GraphRunner Cheatsheet Burp Suite Cheatsheet Impacket Cheatsheet Wireshark Cheatsheet Hashcat Cheatsheet EyeWitness Cheatsheet Nmap Cheatsheet Netcat (nc) Cheatsheet Hunt for Weak Spots in Your Wireless Network with Airodump-ng from the Aircrack-ng Suite Detecting ADCS Privilege Escalation Vulnerability Scanning with Nmap Getting Started with NetExec: Streamlining Network Discovery and Access How to Use Dirsearch Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 3: Arcanum Cyber Security Bot How to Design and Execute Effective Social Engineering Attacks by Phone Abusing S4U2Self for Active Directory Pivoting Why Use a Macro Pad? Espanso: Text Replacement, the Easy Way Caging Copilot: Lessons Learned in LLM Security Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 2: Copilot Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 1: Burpference Intercepting Traffic for Mobile Applications that Bypass the System Proxy How to Root Android Phones Communicating Security to the C-Suite: A Strategic Approach Offline Memory Forensics With Volatility Getting Started with AI Hacking: Part 1 Go-Spoof: A Tool for Cyber Deception How to Test Adversary-in-the-Middle Without Hacking Tools Canary in the Code: Alert()-ing on XSS Exploits How to Hack Wi-Fi with No Wi-Fi Why Your Org Needs a Penetration Test Program Burp Suite Extension: Copy For Light at the End of the Dark Web Wi-Fi Forge: Practice Wi-Fi Security Without Hardware Avoiding Dirty RAGs: Retrieval-Augmented Generation with Ollama and LangChain Gone Phishing: Installing GoPhish and Creating a Campaign 5 Things We Are Going to Continue to Ignore in 2025 John Strand’s 5 Phase Plan For Starting in Computer Security Questions From a Beginner Threat Hunter GRC for Security Managers: From Checklists to Influence AI Large Language Models and Supervised Fine Tuning Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan One Active Directory Account Can Be Your Best Early Warning Introduction to Zeek Log Analysis Indecent Exposure: Your Secrets are Showing Creating Burp Extensions: A Beginner’s Guide Pitting AI Against AI: Using PyRIT to Assess Large Language Models (LLMs) The Top Ten List of Why You Got Hacked This Year (2023/2024) ICS Hard Knocks: Mitigations to Scenarios Found in ICS/OT Backdoors & Breaches Intro to Data Analytics Using SQL Finding Access Control Vulnerabilities with Autorize The Detection Engineering Process Cyber Risk Lessons We Can Learn From Hurricane Preparedness Intro to Desktop Application Testing Methodology What Is Penetration Testing? Adversary in the Middle (AitM): Post-Exploitation Pentesting, Threat Hunting, and SOC: An Overview
OSINT for Incident Response (Part 2)
BHIS · 2024-03-08 · via Black Hills Information Security, Inc.

Be sure to read PART 1!

Metadata and a New-Fashioned Bank Robbery

Let’s face it, some cases are just more interesting than others and, when you do incident response for a living, you’ve got to find joy in your work where you can. Sometimes, after the initial call with a customer, you just want the case. You’d almost do it for free (we don’t suck at capitalism quite that much!) because of the allure, the mystery, the challenge. This was one of those cases.

The customer was a financial services institution with locations throughout the United States, highly regulated, with highly segregated technology and workflow. They had defense-in-depth security solutions from the endpoint to the perimeter, micro-segmentation throughout their environment, extensive auditing and monitoring capabilities, complete with separation of duties for all workflow involving significant financial transactions. In short, they were checking all the “cybersecurity best practices” boxes and then some. But they were still getting robbed.

I’m sure all financial services institutions suffer from some measure of loss due to fraudulent transactions. But FFSI Bank (“Fictitious Financial Services Institution Bank,” because that’s just how creative I am) was seeing a significant increase in fraudulent activity for a specific type of transaction over a period of recent months. Because they ran such a tight ship, they’d caught and stopped most of the transactions, but despite extensive, internal analysis, they’d failed to identify or stop the source.

On the initial call, they were clearly a very smart and capable group and seemed frustrated and a little embarrassed that they were unable to figure this out on their own. Could it be an insider threat with multiple, internal collaborators? Might it be some new, extremely stealthy malware? Was it possible that their multiple layers of security and segmentation had somehow been breached from the outside?

 The part that isn’t fun about engagements like this is preparing the proposed statement of work. “Hey, Derek, how many hours you think this is going to take?” To which Derek replies, “Oh, somewhere between 40 and 400.” Exactly. I mean, these are smart folk with some pretty cool capabilities. To do “better,” we’ll need to dig deeper, further, wider. But first… OSINT.

We went back to the customer, warned them that this could get expensive, but proposed spending a few hours performing some external analysis first, to see what we could “see” and learn from the internet.

As per “OSINT for Incident Response – Part 1,” a compromise usually occurs because something changed, from misconfigurations to zero-day exploits to end-user behaviors, and the avenue of attack is most frequently the internet. If the internet knows, the threat actors (bank robbers?) know, and as incident responders, we need to know!

I have a standard 5-minute OSINT for IR process (see Part 1) which I ran through. I was fairly certain this wasn’t going to be that easy, but it was still a good place to start and yielded some useful information, though no smoking guns.

Much of OSINT is reviewing intentionally “public” information, like DNS records, then sleuthing out tangential or inferred data. For example, if FFSI has a DNS “A” record mapping the name “portal.ffsibank.com” to 50.x.x.100 and another mapping “support.ffsibank.com” to 50.x.x.102, we can hypothesize that 50.x.x.101 likely belongs to FFSI (subject to validation of course). If I pull on that particular thread, lookup 50.x.x.101 and find reverse DNS records that map to “dev.ffsibanking.com,” which is slightly different (“bank” vs “banking”) but pretty clearly related, I now have additional domains to enumerate!

Sadly, in this case, I pulled on all the “IP address and DNS/domain” threads and nothing unraveled. So, I scratched my head a bit, mused about how to go “deeper, further, wider,” and pondered the question: “What is the most granular search query I can perform that still uniquely identifies the customer?” I can’t very well search for “F” or “FF” and obtain useful results, but what if I base OSINT searches on “FFSI” or “FFSIB” or “ffsibank?”

So, I visited https://shodan.io, ran these queries, and came up empty. Then I visited https://leakix.net and got a promising hit for “ffsibank.”  Apologies that the images are so redacted, but they are hopefully still representative! Ironically, the result below is an actual, fairly recent hit on a related search term (‘visit_log.txt’ – see below) for an entirely different non-fictional financial institution.

Leakix.net – Search Term Results (“ffsibank”)

Based on my leakix.net results, I suddenly have multiple additional threads to pull on, including a new IP address, a domain name, a service provider (Digital Ocean), a geographical location, etc. Which do I pull on first? Honestly, I want to browse the site in question, but I want to do it safely and from an unattributable IP, as I don’t want to tip my hand to the threat actor if I can avoid it. Browserling to the rescue! Browserling is basically a hosted, virtualized browser session primarily designed for web testing and development. You can use it for free, with some limitations, or pay a very reasonable price to extend features: www.browserling.com

I started by visiting the bare URL, “mail.redacted-pid.com,” where I was torn between doing my personal banking or trying my luck at some digital slots! Apologies for the intentionally blurry screenshot, as it is actually from case data.

Browserling – visit to the “suspect” domain

Why would a Cambodian gambling site have references to “ffsibank?” And isn’t this supposed to be a “mail” server? The plot thickens! Let’s see if we can find the “ffsibank” reference while “safely” browsing through Browserling.

Browsing “mail.redacted-pid.com” – “ffsibank” folder

Browsing the site contents reveals an “ffsibank” folder. The contents of that folder turn out to be high-quality imitations of the “FFSI” Bank customer login portal.

Browsing the contents of the “ffsibank” folder (simulated)

Smoking gun? Yeah, I think so. But we’re not done yet! What else can we see, learn, extrapolate? Do you think this is the only site attempting to mirror the “FFSI” Bank customer portal?

Returning to the parent directly, as above, note the “visit_log.txt” file. We want to be very careful accessing content on the site, so we can attempt it via Browserling or perhaps you have another, authorized mechanism for visiting “suspicious” websites, like curl or wget (command-line web browsers) on an isolated virtual machine (that’s an entirely different blog post!). In this case, the file was legitimately just a text file, containing user-agent strings (information about the browser used for access) and IP addresses for everyone who’d been duped into visiting the folders in the “Index of” image above. A smoking gun and a gold mine in one fell swoop!

What about other potentially malicious sites? Let’s pull on the “certificate” thread and see what we can find! Next, I visited https://search.censys.io to leverage their certificate services search features. Since modern browsers are very aware of “insecure” sites or certificate to domain name misalignments, the threat actors are often smart enough to use “https” and a valid certificate. After all, they can now easily do so for free.

On search.censys.io, I’ll start with a “Certificates” wildcard search ‘names: “ffsib*”’ first, then, depending on results, I’ll likely drill down to a specific, free certificate services provider, e.g. “Let’s Encrypt.”

Search.censys.io – Certificates “ffsib*” Search

How do you spell “bank” anyway? When I first performed the wildcard name search, there were approximately 425+ returned results, many of which were likely valid/legit. But I noticed a pattern of three or four certificates with “common name” (CN) and a slight misspelling of the word “bank” (as above). Re-running the search and filtering on “Let’s Encrypt” as a certificate services provider, it became clear that there were indeed many more forged, malicious sites being used to target “FFSI” Bank customers.

Search.censys.io – Certificates “ffsib*” + “Let’s Encrypt” Search

At this point, we’re ready to report back to the customer with some pretty significant insight into targeted attacks against their customers. We’re also able to derive high-fidelity intelligence to help identify existing malicious sites and monitor for new malicious sites, e.g. “ffsibank” directory, “visit_log.txt” file, “Let’s Encrypt” associated certificate, etc. And I’m happy to report that we accomplished all of this well below the “40 to 400” hour initially projected timeframes. OSINT for the win!

As mentioned in “OSINT for IR – Part 1,” being a digital-forensics and incident response consultant is largely about unanswered questions. When we engage with a client, they know something bad happened or is happening, but they are uncertain of the “how, when, where and why.” A significant component of our job is to tease out the “known knowns,” the “known unknowns,” and effectively and efficiently help the client answer their questions. OSINT for IR can be extremely valuable and should be part of the investigative process.

Case #3: Metadata and Denial of Service via Domain Account Lockouts

In the next installment of “OSINT for IR,” we’ll continue our metadata sleuthing adventures and unravel an enterprise-wide, Active Directory account lockout “denial of service” attack. Thanks for reading!

READ: PART 1

Be sure to tune in next Thursday, 3/14, at 1pm EDT for Patterson’s webcast:

Demystifying Windows Malware Investigations w/ Patterson Cake

You can register HERE!



Ready to learn more?

Level up your skills with affordable classes from Antisyphon!

Pay-What-You-Can Training

Available live/virtual and on-demand