Are enterprises' Office 365 accounts overly exposed to brute force attacks?

Earlier this year the Scottish parliament was attacked by what was described as a “Brute Force” cyber-attack. It was said that the attack targeted “MSPs and staff with parliamentary email addresses”.

This article says “email accounts targeted in the attacks, which use the “parliament.scot” domain, are Office 365 accounts hosted by Microsoft” with brute force itself being described as “a fairly standard scanning attack on accounts, where a tool continually tries different passwords for given logins”.

Although it was suggested that no accounts had been compromised during this attack, the attack was described as being similar to the attack that was carried out against the UK Government. In this instance accounts may have been compromised; International Trade Secretary Liam Fox said:

“We have seen reports in the last few days of even Cabinet ministers’ passwords being for sale online. We know that our public services are attacked so it is not at all surprising that there should be an attempt to hack into parliamentary emails.”

Assuming they have Office 365 set up with AD/Azure AD/DirSync, which is a fairly standard configuration, they will likely be forced to use the non-configurable default, which is:

“After 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon. After a further 10 unsuccessful logon attempts (wrong password) and correct solving of the CAPTCHA dialog, the user will be locked out for a time period (60 seconds). Further incorrect passwords will result in an exponential increase (not fixed) in the lockout time period.”

If this fairly standard configuration has been successfully compromised, this could leave many orgs exposed, with the exposure increasing in scale relative to the size of the target org.

My question is this:

Assuming two-factor isn’t in use (for non-admin accounts the default does not have it enabled) and the password construction policy is of average strength, let’s say a minimum of 8 characters, complexity enforced, forced resets after 60 days and a password history of 5 passwords.

Is this enforced and non-configurable Office 365 password policy secure enough for large public and private organisations from a practical point of view?

i.e. with X accounts, the risk of an account being compromised with this becomes Y.


Attacker circumventing 2FA. How to defend?

Detailed in the latest NSA dump is a method allegedly used by Russian intelligence to circumvent 2FA. (In this instance Google 2FA with the second factor being a code.)

It’s a fairly obvious scheme and one that I’m sure must be used regularly.
It appears to work like this:

  1. A URL is sent to the target via spear phishing; the URL points to an attacker-controlled phishing website that resembles Google Gmail.
  2. The user sends credentials to the phony Gmail.
  3. (Assumption) The attacker enters the credentials into the legitimate Gmail and checks if a second factor is required.
  4. The target receives the legitimate second factor.
  5. The phony Gmail site prompts the target for the second factor. The target sends the second factor.
  6. The attacker enters the second factor into the legitimate site and successfully authenticates.

The only way I can see to defend against this attack is by spotting the phony site as being a scam or blocking the phishing site via FW’s, threat intel etc.

Is there any other practical way to defend against such a scheme?



How to confirm that a ‘Google Play Services’ app isn’t a phishing attempt?

A user of mine was recently prompted by an app purporting to be from Google to re-enter their password on their personal phone. This prompt was derived in the form of an un-dismissible notification.

Upon clicking the notification, a message appeared saying “There’s been a change to your Google Account. For your security, sign in again.”

Other than the fact that this does look and feel like a legitimate request, a number of indicators made the user (and myself) suspicious.

  • None of the Google services (Gmail, Google Maps etc.) had been signed out, despite the wording of the message asking the user to sign in again.
  • Two-factor authentication is enabled, although the Android device that is displaying the notification is used to receive the second factor. The second factor, once received, is automatically used by the app without the user needing to take any action.
  • Upon checking active connections, an HTTP connection on TCP/443 and a VNC connection on TCP/5228 had been established. The VNC connection is unexplained, and could be a false positive down to the way the SockStat app guesses services on the port.
  • Looking at recent logins, this login is not listed.
  • The installation of 3rd-party apps has been enabled in the past, as the user is IT-based and has installed 3rd-party utilities. (Although not in recent memory, and they have since been removed.)
  • The phone has no antivirus installed.
  • The user browses the internet with “reckless abandon”.

What practical steps can be taken on the phone by a user to confirm that this app is legitimate and not a phishing attempt before entering their password?

