10 tips for securing data hosted on Amazon S3

The use of Amazon Simple Storage Service S3 is becoming more and more widespread, being used in a multitude of use cases: sensitive data repositories, security log storage, integration with backup tools…, so we must pay special attention to the way we configure our buckets and how we expose them to the Internet.

In this post we will talk about 10 good security practices that will allow us to manage our S3 buckets correctly.

Let’s get started.

1 – Block public access to S3 buckets across the organization

By default, the buckets are private and can only be used by the users of our account, provided that they have set the correct permissions.

Additionally, the buckets have an “S3 Block Public Access” option that prevents the buckets from being considered public. This option can be enabled or disabled for each bucket in your AWS Account. To prevent a user from deactivating this option, we can create an SCP policy in our organization so that no AWS Account member of the organization can do so.

[Read more…]

Blockchain to secure healthcare environments

The increasing number of data breaches in the healthcare sector is causing serious problems in management and storage. In addition, traditional security methods being used to protect healthcare applications are proving ineffective. This is why emerging technologies such as blockchain are offering new security approaches and processes for healthcare applications, providing data confidentiality and privacy.

Data breaches are one of the main cybersecurity issues in the healthcare sector. Figure 1 shows how the amount of health record data leakage has been increasing, highlighting a large change between 2018 and 2019, a date coinciding with the start of the COVID-19 pandemic.

Figure 1. Number of data breaches of 500 or more health records in the healthcare sector from 2009 to 2021. Source: https://www.hipaajournal.com/healthcare-data-breach-statistics/
[Read more…]

Hunting with Artificial Intelligence: Detection of malicious domains (III)

This post and the full series has been elaborated jointly with Ana Isabel Prieto, Sergio Villanueva and Luis Búrdalo.


In previous articles of this series (see part I and part II) we described the problem of detecting malicious domains and proposed a way to address this problem by combining various statistical and Machine Learning techniques and algorithms.

The set of variables from which these domains will be characterized for their subsequent analysis by the aforementioned Machine Learning algorithms was also described. In this last installment, the experiments carried out and the results obtained are described.

The tests have been carried out against a total of 78,661 domains extracted from the a priori legitimate traffic of an organization, from which 45 lexical features belonging to the categories described above have been calculated.

[Read more…]

Attacks on Cryptocurrency Exchanges

This post has been written jointly with Álvaro Moreno.


Cryptocurrencies have grown so much in recent years in terms of economic volume and relevance that they have become an important target for cybercriminals. Given that exchanges, platforms where users can buy and sell these cryptocurrencies, bring together a large number of transactions and users of these assets, they have become an important target for cybercriminals, who seek to get as much money as possible by exploiting their vulnerabilities.

In this article we will cover some of the most recent attacks on these Exchange platforms and conclude with a table on other major attacks on cryptocurrency exchanges.

Crypto.com

On January 17, 2022, the Exchange platform Crypto.com  discovered that a small number of users were making unauthorized withdrawals of cryptocurrencies from their accounts worth approximately 4800 ETH and 440 BTC, plus about $66,200 in other currencies.

The response from the platform was to suspend withdrawals of any tokens while an investigation was conducted. In the end, no customers of the platform suffered any loss of funds, as the 483 affected users received a full refund.

[Read more…]

Exploiting Leaked Handles for LPE

The inheritance of object handles between processes in a Microsoft Windows system can be a good source to identify local privilege elevation (LPE) vulnerabilities. After introducing the basic concepts around this type of security weaknesses, a tool capable of identifying and exploiting them will be presented, providing Pentesters and Researchers with a new point to focus their intrusion and research actions respectively, read on!

Within a Microsoft Windows operating system, processes are able to interact with securable system objects such as files, PIPES, registry keys, threads or even other processes. To do this and through the use of the WINAPI the source process requires the O.S. of a handle to perform a certain action on the object in question.

If the appropriate permissions and/or privileges are available, the O.S. authorizes this access by delivering the aforementioned object handle to the process that requires it. From that moment on it is possible to interact with it within the limits of the requested permissions. Let’s see the following example where a source process would make use of the WinApi OpenProcess function to try to open a target process (spoolsv.exe) in order to obtain information remotely from it (PROCESS_QUERY_INFORMATION).

[Read more…]

Hunting with Artificial Intelligence: Detection of malicious domains (II)

This post and the full series has been elaborated jointly with Ana Isabel Prieto, Sergio Villanueva and Luis Búrdalo.


In the previous article we commented on the difficulty faced by Threat Hunting analysts as a result of the high number of domains registered daily by an organization. This makes it difficult to analyze and locate potentially malicious domains, which may go unnoticed among so much traffic. For this reason, in an attempt to facilitate the analyst’s task, the use of alternative techniques based on Machine Learning is proposed. Before presenting the different tests performed, the article introduces the algorithms to be used for the detection of anomalies in the domains.

To begin with, it is necessary to comment that having a large and varied database is fundamental for a model to be able to detect potentially malicious domains reliably, since its parameters are going to be adjusted in an environment that must be similar to the real one.

However, there is great difficulty in identifying patterns in high-dimensional data, and even more difficulty in representing such data graphically and expressing them in a way that highlights their similarities and differences. This is where the need arises to use a powerful data analysis tool such as PCA (Principal Components Analysis).

[Read more…]

Hunting with Artificial Intelligence: Detection of malicious domains (I)

This post and the full series has been elaborated jointly with Ana Isabel Prieto, Sergio Villanueva and Luis Búrdalo.


Internet brings a world of possibilities for personal development and the realization of many of the daily activities, being an indispensable piece in today’s society. On this network there are hundreds of millions of domains to access, although unfortunately not all of them are safe. Malicious domains are those used by cybercriminals to connect to command and control servers, steal credentials through phishing campaigns or distribute malware.

In many cases, these domains share certain lexical characteristics that at first glance may attract attention. For example, in phishing campaigns, domains with TLD xyz, top, space, info, email, among others, are relatively common. Similarly, attackers use DGA (Domain Generation Algorithm) techniques to create random domains to exfiltrate information, such as istgmxdejdnxuyla[.]ru. Other striking properties can be excessive hyphens, multi-level domains or domains that attempt to impersonate legitimate organizations such as amazon.ytjksb[.]com and amazon.getfreegiveaway[.]xyz.

With digitization on the rise, organizations surf to thousands of different domains, making it difficult to detect malicious domains among so much legitimate traffic. In a medium-sized organization, between 3,000 and 5,000 domains of traffic are logged daily. This volume makes it unfeasible to analyze them manually. Traditionally, part of this detection process is automated using pattern search rules, for example, rules to find domains with TLDs (Top Level Domain) used in phishing campaigns, containing the name of large companies that are not legitimate or have more than X characters.

[Read more…]

Hacking DICOM: the hospital standard

Have you ever thought that radiographs were just JPG images? Do you remember hearing the name DICOM? In this article we expect to resolve all your doubts about the protocol for sending medical images and show you its implications for cybersecurity.

Quick introduction to DICOM

Figure 1. DICOM logo

Medical images that are transmitted within hospitals, such as X-rays or ultrasounds, are not in the common image formats, but are in DICOM (Digital Imaging and Communications in Medicine) format. However, they can be converted to JPG or PNG.

Although at first glance it looks like a simple image format, DICOM is much more: it is the standard for transmission, storage, retrieval, printing, processing and visualization of medical images and their information. Thanks to the implementation of this standard, technology in the health field was revolutionized, replacing physical radiographs with digital radiographs with all the implied data. Today, DICOM is recognized as the ISO 12052 standard.

[Read more…]

Purple Team: Why all the fuss? (III). Vectr.io

As you can already guess from previous spoilers, in this third part of the series (see part one and part two), after having made clear the role that Threat Intelligence plays in the Purple Team methodology, we will go a bit more into details about the phases of preparation, execution and lessons learned in an exercise.

Disclaimer: As I mentioned in the first episode, I do not intend to set in stone anything in this article, but rather to give my point of view and provide an overview of a subject for which there is not much documentation, and what I found, is scattered in multiple sources.

After having developed an implementation plan based on the mapping of threats on the MITRE ATT&CK MATRIX, it is time to put all the use cases into practice. To do so, we will use Vectr.io, an open source web platform developed by Security Risk Advisors.

This tool is responsible for centralizing all the coordination tasks of the Red and Blue teams. But far from being a tool just for coordinating exercises, it is also prepared to be used as a sort of logbook of all operations executed in various exercises and their outcome over time, so that the evolution of the organization’s security posture can be tracked.

With an abstract description such as the above, it may be difficult to imagine how all of this is accomplished. Therefore, the aim of this post is to opt for a more practical approach.

For the sake of brevity, we will not detail all the functionalities of this tool but will show the possibilities it offers and how these can help us with our goal. It will then be up to you to explore the more advanced functions and evaluate whether they are useful for your particular use case.

[Read more…]

Purple Team: Why all the fuss?(II). Threat Intelligence

After having made a brief introduction and exposition of the Purple Team methodology and listed the phases that constitute it in the first part of this series, in this second part I will go into more detail on how Cyber Threat Intelligence (CTI) integrates in the whole process of adversarial emulation, and therefore, in the Purple Team exercises or programs.

I feel obligated to repeat that (as stated in the first article) many of the content and methodology shown thereafter comes from Scythe and its Purple Team Exercise Framework and closely linked to the entire MITRE doctrine and tools. My goal with this article is to provide a comprehensive view of the topic along with my experience and opinion on some things.

First: understanding the target organization

Whether you are performing CTI as an outside consultant or as part of the organization, it is important to have as much information about the organization as possible.

To do this, the CTI team must conduct an intensive and extensive information gathering exercise, just as an enemy threat agent would. In addition to this, the information must be enriched with that obtained through interviews and inquires with the organization’s personnel.

[Read more…]