CARMEN: S2 Grupo's advanced threat detection tool

In the dynamic and ever-changing cybersecurity environment, staying ahead of threats is more crucial than ever.

At S2 Grupo, in collaboration with the National Cryptologic Center (CCN), we have developed and continuously improved CARMEN, an innovative tool designed to protect organizations against the most sophisticated threats.

What is CARMEN?

CARMEN (Center for Log Analysis and Data Mining) is a comprehensive threat detection and response solution specifically designed to address the evolution of Advanced Persistent Threats (APTs). This tool is fundamental for Threat Hunting processes, allowing security teams to proactively identify and neutralize risks.

CARMEN’s main objective is to generate intelligence from network traffic and user activities within the organization, filtering and prioritizing critical information. In this way, it helps prevent security breaches and mitigate the impact of cyber-attacks. With CARMEN, organizations achieve full visibility of their infrastructure, facilitating both early threat detection and an agile and effective response.

[Read more…]

Path Traversal Vulnerability in NGINX Servers

Path Traversal is a widely known class of vulnerability that can affect web servers, including NGINX. It poses a significant threat to the confidentiality and integrity of information.

What does it consist of?

This vulnerability allows an attacker to read files outside the designated document root: by manipulating the file path in a request, they reach resources that were never meant to be served.

How is such a vulnerability exploited? By manipulating the directory path in the URL of an HTTP request.

The following image shows an example of how the server's /etc/passwd file would be requested over the web. Each "../" segment climbs one directory, so the number of them the attacker needs equals the number of directories between the served location and the root of the filesystem.
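As an added illustration (example code written for this page, not code from the original post or from NGINX), the following Python models how a web server maps a request path onto the filesystem. `resolve_vulnerable` glues the decoded URL path onto the document root the way a broken handler would, `resolve_safe` is the hardened form that refuses anything outside the root, `updirs_to_filesystem_root` counts how many `../` segments are needed from a given served directory, and `looks_like_traversal` is a detection check for access logs that also catches double-encoded `..`. The document root `/var/www/html` and the request paths are assumed sample values.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root for this example


def resolve_vulnerable(root: str, url_path: str) -> str:
    """Naive mapping of a request path onto the filesystem: decode the URL path
    and glue it onto the root. Each '..' segment climbs one directory, so a
    request carrying enough of them lands outside the root entirely."""
    decoded = unquote(url_path)
    return posixpath.normpath(root + "/" + decoded.lstrip("/"))


def resolve_safe(root: str, url_path: str) -> Optional[str]:
    """Hardened mapping: decode, normalise, then refuse any result that is not
    the root itself or something beneath it. Returns None when rejected."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(root + "/" + unquote(url_path).lstrip("/"))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def updirs_to_filesystem_root(served_dir: str) -> int:
    """How many '..' segments a request must carry to climb from the served
    directory up to '/', i.e. the minimum needed to reach /etc/passwd."""
    return len([p for p in posixpath.normpath(served_dir).split("/") if p])


def looks_like_traversal(url_path: str, max_decodes: int = 3) -> bool:
    """Detection check for logs or a WAF: decode repeatedly (bounded, so that
    double-encoded %252e%252e is caught), treat backslashes as separators and
    flag any '..' path segment."""
    current = url_path
    for _ in range(max_decodes):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return ".." in current.replace("\\", "/").split("/")


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one plain traversal, one
    # URL-encoded, one double-encoded.
    for req in ("/images/logo.png",
                "/images/../../../../etc/passwd",
                "/images/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "/images/%252e%252e/%252e%252e/etc/passwd"):
        print(req, "->", resolve_vulnerable(WEB_ROOT, req),
              "| safe:", resolve_safe(WEB_ROOT, req),
              "| flagged:", looks_like_traversal(WEB_ROOT and req))
```

Note that `resolve_safe` decodes exactly once; if another component downstream decodes the path a second time, the double-encoded form becomes dangerous again, which is why the detection check decodes until the value stops changing. On NGINX specifically, one well-known way to end up with this behaviour is a `location /static` block (no trailing slash) combined with `alias /var/www/static/;`: a request for `/static../` matches the prefix and the remainder is appended to the alias, mapping onto `/var/www/`. Giving the location and the alias matching trailing slashes closes that case.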

[Read more…]

“Breach and Attack Simulation” (BAS). Beyond the Red Team

MITRE Caldera Logo

That defenses must be tested by attacking them is now widely accepted. For many years, Red Team exercises have been an essential element in evaluating and improving the security of modern IT infrastructures. In these exercises, one or more operators simulate the behavior of an attacker and, for a set period of time, test both the security of a set of assets or users and the defensive capabilities of the organization’s security operations center (SOC), whose members must not know that the exercise is taking place.

The results obtained are reflected in a report containing one or more attack narratives and information on the weaknesses identified. This report is then used by the organization to improve security, minimizing the impact of future real attacks.

Red Team exercises are an excellent resource, not only for improving the organization’s defenses, but also for SOC personnel to face a realistic attack situation from which to learn, with the added benefit of being able to sit down with the attackers and discuss the play afterwards.

[Read more…]

Havoc C2: Installation, use and features

In recent years we have witnessed the release of a large number of C2s in different languages: Covenant in .NET, Merlin and Sliver in Go, or Mythic in Python, to name a few. These join the more established tools of earlier years (Cobalt Strike, Empire, …), creating a large ecosystem in which it is sometimes hard to choose between them.

In September 2022, Havoc, a C2 written in several languages (C++, Go, C and assembly), was published on GitHub. It has since gained considerable popularity in the offensive security community thanks to its modularity and efficiency, and has become one of the go-to free C2s.

In this post we will take a look at its installation process, as well as its operation and capabilities.

Installation

Installing Havoc is straightforward and is described in the tool’s documentation. The first step is to clone the repository:

[Read more…]

R2D2 Project: applying AI for APT detection

In the dynamic and ever-changing landscape of cybersecurity, Advanced Persistent Threats (APTs) stand out as one of the most significant challenges. These threats, characterized by their sophistication and ability to evade traditional defences, can infiltrate corporate and government networks, remaining undetected for extended periods. Effective detection of APTs is therefore a critical priority to protect the integrity and confidentiality of information.

APTs are characterized by their high sophistication and persistence in target systems. Attackers, often backed by significant resources, employ complex tactics to gain unauthorized access to systems and extract sensitive data or cause prolonged damage. These tactics include the use of custom malware, the exploitation of previously unknown vulnerabilities (zero-days), and advanced social engineering techniques. On the defensive side, the MITRE ATT&CK framework provides a comprehensive structure detailing the methods and techniques attackers use at each stage of the cyberattack lifecycle, allowing for a better understanding of, and defence against, these advanced threats.

In this context, artificial intelligence (AI) emerges as a promising tool to enhance APT detection capabilities. AI, with its ability to analyse vast amounts of data and detect anomalous patterns, offers an advance over traditional cybersecurity techniques. Unlike conventional methods, which often rely on predefined signatures and static rules, AI can adapt and learn from new threats in real time.

[Read more…]

Geolocation through Artificial Intelligence #OSINT

Joey Tribbiani (Friends) points at the television, where he himself appears

If you don’t live under a rock and use social media, you’ve surely witnessed or starred in those posts at your favorite coffee shop, close to home, at work, on the road, or at those unforgettable Project X-style epic parties. We love to share those moments, don’t we?

Often, we don’t even realize the mountain of information we give to the world every time we post something on our social networks. We expose ourselves to the Internet without thinking about the possible consequences. It’s like venturing into the digital jungle without a map, not knowing what predators lurk.

But do you know what’s crazy? That with every post we are dropping clues about our location, our daily routine, our activities, our family, our friends, among many other things. It’s as if we are leaving digital breadcrumbs for anyone to follow, revealing our life to an invisible and potentially dangerous audience.

And it’s not just the information we know we share, but also the information we share without even being aware of it, because of course, let’s not forget about metadata. When, for example, we take a photo with our cell phone, that image can contain a lot of information that, at first glance, we could overlook. From the exact location where the photo was taken, to the make, model and software version of the device used, and even details about the camera settings. Small details that, at first glance, seem harmless but, contrary to what we might think, reveal a lot of information, making us vulnerable to possible attacks by those who know how to look for it.

Example of metadata extracted from a photo captured with a cell phone.
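To make the metadata point concrete, here is an added example (written for this page, not code from the original post) of the structure that carries that information. The EXIF block of a JPEG is a small TIFF directory of tags; the device make, model and software version are plain ASCII tags in the main directory, and the GPS position lives in a sub-directory as degrees, minutes and seconds stored as rationals plus an N/S or E/W reference letter. The code builds a constructed sample EXIF payload with a hypothetical device and position, then parses it back without any third-party library and converts the position to decimal degrees. The device strings and coordinates are invented sample values; in a real photo this block sits inside the JPEG APP1 segment after an `Exif\0\0` prefix, which the example does not model.

```python
import struct
from typing import Dict, List, Tuple

# TIFF/EXIF tag and type numbers (standard values). The GPS block lives in a
# sub-IFD reached through IFD0's GPSInfo pointer tag (0x8825).
ASCII, LONG, RATIONAL = 2, 4, 5
TYPE_SIZE = {ASCII: 1, LONG: 4, RATIONAL: 8}
TAG_MAKE, TAG_MODEL, TAG_SOFTWARE, TAG_GPS_IFD = 0x010F, 0x0110, 0x0131, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004

Entry = Tuple[int, int, object]  # (tag, type, value)


def _encode(typ: int, value) -> Tuple[bytes, int]:
    """Serialise one tag value (little-endian); returns (raw bytes, count)."""
    if typ == ASCII:
        raw = value.encode("ascii") + b"\0"
        return raw, len(raw)
    if typ == LONG:
        return struct.pack("<I", value), 1
    return b"".join(struct.pack("<II", n, d) for n, d in value), len(value)


def build_ifd(entries: List[Entry], base: int) -> bytes:
    """Serialise one IFD placed at TIFF offset `base`: entry count, 12-byte
    entries, next-IFD pointer (0), then any values too large for the 4-byte
    inline field, which are referenced by absolute offset."""
    dir_len = 2 + 12 * len(entries) + 4
    body, data = b"", b""
    for tag, typ, value in entries:
        raw, count = _encode(typ, value)
        if len(raw) <= 4:
            field = raw.ljust(4, b"\0")
        else:
            field = struct.pack("<I", base + dir_len + len(data))
            data += raw
        body += struct.pack("<HHI", tag, typ, count) + field
    return struct.pack("<H", len(entries)) + body + struct.pack("<I", 0) + data


def build_sample_exif(make, model, software, lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed sample EXIF payload: TIFF header, IFD0 with device tags and a
    GPS pointer, then the GPS sub-IFD. Stands in for a phone photo's metadata."""
    header = b"II" + struct.pack("<HI", 42, 8)  # little-endian, magic 42, IFD0 at 8

    def ifd0(gps_off):
        return build_ifd([(TAG_MAKE, ASCII, make), (TAG_MODEL, ASCII, model),
                          (TAG_SOFTWARE, ASCII, software), (TAG_GPS_IFD, LONG, gps_off)], 8)

    gps_off = 8 + len(ifd0(0))  # measure IFD0 first, then fill in the real pointer
    gps = build_ifd([(GPS_LAT_REF, ASCII, lat_ref), (GPS_LAT, RATIONAL, lat_dms),
                     (GPS_LON_REF, ASCII, lon_ref), (GPS_LON, RATIONAL, lon_dms)], gps_off)
    return header + ifd0(gps_off) + gps


def _read_ifd(blob: bytes, offset: int, e: str) -> Dict[int, object]:
    """Parse one IFD at `offset`; `e` is '<' or '>' for the file's byte order."""
    out: Dict[int, object] = {}
    (n,) = struct.unpack_from(e + "H", blob, offset)
    for i in range(n):
        tag, typ, count, field = struct.unpack_from(e + "HHI4s", blob, offset + 2 + 12 * i)
        size = TYPE_SIZE[typ] * count
        raw = field[:size] if size <= 4 else blob[struct.unpack(e + "I", field)[0]:][:size]
        if typ == ASCII:
            out[tag] = raw.split(b"\0", 1)[0].decode("ascii")
        elif typ == RATIONAL:
            out[tag] = [struct.unpack_from(e + "II", raw, 8 * k) for k in range(count)]
        else:
            out[tag] = struct.unpack(e + "I", raw)[0]
    return out


def dms_to_decimal(dms, ref: str) -> float:
    """Degrees/minutes/seconds rationals plus hemisphere letter -> signed decimal."""
    deg, mins, secs = (n / d for n, d in dms)
    value = deg + mins / 60 + secs / 3600
    return -value if ref in ("S", "W") else value


def extract_metadata(blob: bytes) -> Dict[str, object]:
    """Pull out the fields the post mentions: make, model, software, position."""
    e = {b"II": "<", b"MM": ">"}[blob[:2]]
    magic, ifd0_off = struct.unpack_from(e + "HI", blob, 2)
    if magic != 42:
        raise ValueError("not a TIFF/EXIF structure")
    ifd0 = _read_ifd(blob, ifd0_off, e)
    meta: Dict[str, object] = {"make": ifd0.get(TAG_MAKE), "model": ifd0.get(TAG_MODEL),
                               "software": ifd0.get(TAG_SOFTWARE)}
    if TAG_GPS_IFD in ifd0:
        gps = _read_ifd(blob, ifd0[TAG_GPS_IFD], e)
        meta["latitude"] = dms_to_decimal(gps[GPS_LAT], gps[GPS_LAT_REF])
        meta["longitude"] = dms_to_decimal(gps[GPS_LON], gps[GPS_LON_REF])
    return meta


# Constructed sample: hypothetical device, position 39°28'12"N 0°22'30"W.
SAMPLE_EXIF = build_sample_exif("ExampleCorp", "Phone 9", "1.0.2",
                                [(39, 1), (28, 1), (12, 1)], "N",
                                [(0, 1), (22, 1), (30, 1)], "W")

if __name__ == "__main__":
    print(extract_metadata(SAMPLE_EXIF))
```

The builder only writes little-endian ("II") files, which is what most phones produce, while the parser honours either byte-order marker. Stripping the position before publishing a photo means rewriting the GPS sub-IFD or dropping the pointer tag from IFD0; tools such as exiftool do exactly that, but the structure above is what they operate on.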
[Read more…]

The importance and complexity of Classified Information

Classified information is a vital component of national and international security in the contemporary world. This type of information, meticulously protected by governments and organizations, encompasses a wide range of sensitive content that, if it falls into the wrong hands, could pose a significant threat to a nation’s security, stability and strategic interests.

The nature of Classified Information

Classified information may include data on military operations, intelligence strategies, advanced technologies, intelligence sources, as well as sensitive diplomatic and political information.

The classification of this information is made according to the seriousness of the damage that its disclosure could cause, and is divided into different levels of classification, such as “Limited Disclosure”, “Confidential”, “Reserved” and “Secret”, and their international equivalents.

[Read more…]

Pentest in space

When we talk about space, it often sounds like science fiction at first. However, we are not as far from it as we may think. A security-testing trend now flourishing is pentesting against satellites. Today, a single person can design, build and launch a satellite while following very few security standards and protocols.

Human error is well known in our field. Combined with the democratization of space, which has opened a new frontier of exploration and innovation to companies and enthusiasts, it gives rise to a new set of specific vulnerabilities that require qualified, specialized professionals to identify them.

What is Satellite Pentesting?

In short, it is what many of us already know as “pentesting”, extrapolated to satellites. It is a process of testing the security of satellite communication systems: we simulate attacks against them, identify potential vulnerabilities and deficiencies that could be exploited, and report them to the client together with the corresponding corrective measures, allowing them to mitigate the risks identified.

[Read more…]

EDR Silencer

In today’s cybersecurity landscape, the solutions deployed to protect against growing threats keep getting more complex. As a result, both malicious actors, who seek to compromise organizations and systems for their own benefit, and Red Team operators, whose mission is to identify and report weaknesses for later remediation, are driven to find and exploit new weaknesses in systems, adapting their methods and developing new TTPs that evade existing defenses.

The tools developed by both operators and hostile attackers are designed to evade security solutions such as EDRs, because keeping the operation off the Blue Team’s radar is of vital importance. Being detected would hand the defense team IOCs, which they would use to dismantle an entire operation: blocking IP addresses and domains, writing YARA rules for artifacts, or pushing the latest updates to all their security solutions.

Beyond raising the Blue Team’s alert level, these actions would mean the end or restart of an attack or operation, since the entry vector could be mitigated or blocked outright and the infrastructure would have to be almost entirely rebuilt. This is why maintaining the OPSEC of an operation is of vital importance: avoiding the generation of alerts that could tip off the defenders, so that the objective is met without being detected.

[Read more…]

ATT&CK: The game of squares

The world of cybersecurity is becoming increasingly complex and challenging. With each new threat, from harmful capabilities such as malware or 0-days to changes in infrastructure, having moved from on-premises to hybrid or fully cloud environments, there is an urgent need for schemes and methodologies that help address these adversities. We seek not only to minimize the impact of any threat, but also to reach a level of detection and neutralization we feel confident in, even though this can often give a false sense of security.

Today we find various schemes that help us understand and contextualize the modus operandi of hostile actors. From the widely recognized MITRE ATT&CK to the Malware Behavior Catalog (MBC), by way of the Microsoft attack kill chain and the Lockheed Martin Cyber Kill Chain, these tools offer a guide for understanding and confronting the tactics, techniques and procedures (TTPs) used by adversaries. Among them, MITRE ATT&CK is the most widely recognized scheme: its matrix breaks down the tactics, techniques and procedures (TTPs) used by hostile actors.

Image 1: Example of the MITRE ATT&CK matrix
[Read more…]