Team Ghost Shell returns

While doing a bit of reading recently I ran across this interesting story about Teamghostshell an active hacking group that has come back to life on June 29th after a couple of years of silence. The groups recent exploited an extensive list of sites, which they disclosed on pastbin

If you read the hacker team's extensively long diatribe you will get an impression that their motives are pure and for the benefits of society, but like all disclosures the only people that suffer are the victims found in the data drop. You can also distill from the dialog that they probably used several COTS exploit kits, and it seems that these involved extensive use of cross site scripting attacks.

What interested me in particular is that in 2012 when the team supposed 'peace treaty' and extensive hiatus they included a data dump of a host that they compromised.  The host information was listed as -
  
Server Type: Apache/2.2.3 (Red Hat)

What is noteworthy to me is that this particular version of Apache had 18 remotely exploitable vulnerabilities and eight of these vulns were cross-site scripting related. Out of these vulnerabilities posted to cve details all  had patches posted to resolved the vulnerabilities.

Fast forward to the most recent exploit, out of the list of sampled files I explored, there was a pattern of similarity  (full disclosure I did not review all the files) but generally it's fair to say that;

  • Out of my sampling many of the compromised sites were l running Apache 2.2.3 and older.
  • Most likely the attackers where able to use many of the same exploits from their 2012 escapade.
  • Servers where generally unpatched and have been easy to exploit.
  • Organizations do not have a clear accounting of all the assets they own - per this quote from the hackers log - " The constant expansion of these websites/networks will forever have a lingering aftereffect where some server somewhere will be vulnerable due to it being unpatched etc"


What's the simple takeaway.


  • Inventory your assets, know what you own.
  • Maintain a current and secure configuration for your servers.
  • Patch your systems.. And if you don't know how, find someone who does.

Comments

Post a Comment

Popular posts from this blog

2020 predictions

Image
2020 is coming upon us, and it's time to reflect on my 2019 predictions I made, and look forward to this coming year with another technology prediction. So let's get started - first off - a lookback to see  progress in the areas I outlined, possibly no earth shattering results, but progress.  2019 retrospective - New UX - probably not as much evolution as I would have wanted to see in this area. For now, we use windows, android, IOS, and it's pretty much the same UX as it's been for a while. IoT the simple assistant - IoT continues to be the hot area of growth. I consider this more evolution than revolution. As we see IoT based technology being embedded into more and more devices. Cloud growth advances in   astonishing speeds - This past year all three cloud providers made strides in the cloud worth noticing.  AWS entered the quantum computing market with Bracket, introduced an in-house...
Read more

Secure workstation - Root of trust to manage the cloud

Image
Two months ago I introduced the Azure secure workstation, and I’ve had the privilege to present the ideal to some great audiences. From the discussions, a common question I’ve been asked is a pattern that would provide the Secured PAW model lock down scenario to exclusively manage an Azure Portal (EG how to I assure only secured workstation, and users assigned to the program can manage my cloud services)? In this article I’ll provide the NEXT step to accomplish exactly that outcome. This includes additional configurations that I only lightly covered, or net new technology to apply since the publishing of the doc. Proposed outcome “ How do I” Use a Secured workstation (that I can trust) to manage my Azure cloud. Here’s how I would deploy the solution. First I will start by deploying the Secured Workstation model this using the secured profile. New technology, and capabilities to add: Hardware root of trust – in our solution we post the idea that you can...
Read more

What is the Security Threat Landscape in 2024?

Image
 I was working up a question that I thought would make a great blog. the question is in 2024 what is the the security threats landscape? Here's the key take aways that I considered. Proactive Mindset : Today’s threat landscape demands a proactive mindset. Organizations are moving away from reactive security measures and are instead focusing on identifying potential intrusion points and actors before an incident occurs . Cyber Threats evolving : Cyber threats are leveraging AI, exploiting vulnerabilities in mobile and cloud platforms, and targeting data breaches. The rise of connected cars has led to concerns about automotive hacking. Ransomware attacks have become more sophisticated, causing significant damage to organizations. The proliferation of IoT devices on a 5G network presents new security challenges. As systems become more integrated and automated, they also become more vulnerable to cyber threats.  Remote Work and Digitization : The rush to adapt to pandemic-inspired...
Read more