Automatically Mitigate Threats

Stop threats pre-execution

Refocus on higher priority threats

Security Teams are facing more advanced and faster moving attacks. These new threats demand more investigation and mitigation time. CounterTack's Automated Response contains and terminates threats before they can execute, freeing up valuable Security Team time.
img_01

The platform initiates immediate action for known threats by Killing suspicious processes, Quarantining infected endpoints and Inoculating other endpoints against attack.

img_02

Advance mitigation techniques prevent or manipulate events prior to processing by the Operating System. Deny blocks access to a file, registry, remote endpoint and more.

img_03

Delay specifies the time before the CounterTack sensor passes an operation through to the Operating System. For example, specifying zipping 25 files to take 20 minutes.

img_04

Degrade manipulates File and Registry Read/Write operations to impede a malicious process. For example, a random string of data is sent as the read data, matching the expected buffer without passing the operation to the Operating System.

Contain and terminate known threats instantly
Slow down attacks to buy time to investigate
Refocus on higher priority threats
XXE with local DTD

Automating local DTD discovery for XXE exploitation

By Philippe Arteau

Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with local a Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.

Read More

Java Remote Code Execution Potpourri

By Benoit Côté-Jodoin

Some time ago; we published a blog about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the plug-in, Find Security Bugs. In that blog post, there was an indication about multiple vulnerabilities having been found but not disclosed. Well, today we are sharing more details about the process of finding four different kinds of remote code execution in modern Java applications. Remote execution in Java can happen under different circumstances and all the findings presented here are all different from one another. This shows that while some code execution vulnerabilities are easy to detect, some of them require a thorough inspection.

Read More

injection

ESI Injection Part 2: Abusing specific implementations

By Philippe Arteau

Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on the Defcon YouTube channel. Defcon and Black Hat gave us an opportunity to unveil how ESI implementations can lead to session leakage through the client web browser without any malicious JavaScript. ESI is a specification that defines statements in the form of XML tags that are interpreted by the caching server. Those statements describe the content assembly of web pages by composing various HTML fragments from external resources. An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page.

Read More

Water violently leaking from a large pipe

Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study

By Louis Dion-Marcil

This past July, Kevin Robertson from NetSPI released a blog post entitled, "Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS," which introduced a new technique (to us at least) targeting weak default access control in Active Directory Domain Services. At GoSecure, since most of our engagements require some level of Active Directory security assessment, we followed our interest and decided to find a way to reliably exploit it.

Read More

RDP Man-in-the-Middle - Smile! You're on Camera

By Émilio Gonzalez

As part of our four-month internship at GoSecure, we chose to work on creating a Remote Desktop Protocol (RDP) honeypot. To achieve this, we used a Linux server with an RDP man-in-the-middle (MITM) program that redirects traffic to a real Windows Server.

When searching for tools, we found RDPY, a Python RDP library with a MITM implementation. However, RDPY had several limitations both in features and design choices for our use case. This led us to create our own library, which reuses some parts and concepts from RDPY.

In this blog post, we will showcase our newly release open-source project, PyRDP, which is usable both as a MITM and as a library to experiment with the protocol. We will demonstrate both use cases by describing an incident we had with a malicious user that compromised our honeypot.

Read More

Summary of Statistics Canada's Survey on Cyber Security and Cybercrime

By Masarah Paquet-Clouston

If there is one thing that all cyber security professionals agree on is how data and statistics on cybersecurity and cybercrime are misleading and unreliable. This is unsurprising considering that most statistics created, until now, came from the cybersecurity industry itself. By being economically motivated at selling security products, this industry has an unequivocal bias. Fortunately, today, we enter a new era:  Statistics Canada has just released the results of the first Canadian Survey of Cyber security and Cybercrime (CSoCC).

Read More

front

The Supply Chain behind the Market for Fake "Likes"

By Masarah Paquet-Clouston

In the past years, there has been increasing awareness by the public and policy makers on the potential harm that social network manipulation can produce. Yet, most researchers have looked at the front end of the problem: developing algorithms to flag fake accounts on social networks and suspend them. No studies have investigated  the problem from an industry perspective, with questions such as:

Read More

Large Scale Vulnerability Scanning with Jenkins

By Benoit Côté-Jodoin

Find Security Bugs can often uncover interesting findings that may lead to the discovery of critical vulnerabilities. Back in May, we published on this blog two vulnerabilities in components of Spring, a Java web framework, using this tool. However, the process of using Find Security Bugs can be a little bit tedious to unseasoned Java users. Also, the process of analyzing compiled code and triaging the findings needed improvements. Here is the solution that was built to find vulnerabilities at scale.

Read More

A Password Hidden Among Other Binary Data

Throwing it out the Windows: Exfiltrating Active Directory credentials through DNS

By Leanne Dutil

This post will detail the password filter implant project we developed recently. Our password filter is used to exfiltrate Active Directory credentials through DNS. This text will discuss the technicalities of the project as well as my personal experience developing it. It is available under an open source license on GitHub.

Read More

Upcoming WEIS presentation: Ransomware Payment in the Bitcoin Ecosystem

By Masarah Paquet-Clouston

In the past year, we developed a data-driven method for identifying, quantifying, and comparing ransom payments in the Bitcoin ecosystem from 35 ransomware families. The study was conducted in partnership with Bernhard Haslhofer from the Austrian Institute of Technology (AIT) and Benoît Dupont from the Université de Montréal (UdeM). It resulted in a paper that will be presented at the 17th Annual Workshop on the Economics of Information Security (WEIS2018) in Innsbruck, Austria, besides renowned academic researchers. 

Read More

XXE with local DTD

Automating local DTD discovery for XXE exploitation

By Philippe Arteau

Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with local a Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.

Read More

Java Remote Code Execution Potpourri

By Benoit Côté-Jodoin

Some time ago; we published a blog about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the plug-in, Find Security Bugs. In that blog post, there was an indication about multiple vulnerabilities having been found but not disclosed. Well, today we are sharing more details about the process of finding four different kinds of remote code execution in modern Java applications. Remote execution in Java can happen under different circumstances and all the findings presented here are all different from one another. This shows that while some code execution vulnerabilities are easy to detect, some of them require a thorough inspection.

Read More

injection

ESI Injection Part 2: Abusing specific implementations

By Philippe Arteau

Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on the Defcon YouTube channel. Defcon and Black Hat gave us an opportunity to unveil how ESI implementations can lead to session leakage through the client web browser without any malicious JavaScript. ESI is a specification that defines statements in the form of XML tags that are interpreted by the caching server. Those statements describe the content assembly of web pages by composing various HTML fragments from external resources. An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page.

Read More

Water violently leaking from a large pipe

Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study

By Louis Dion-Marcil

This past July, Kevin Robertson from NetSPI released a blog post entitled, "Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS," which introduced a new technique (to us at least) targeting weak default access control in Active Directory Domain Services. At GoSecure, since most of our engagements require some level of Active Directory security assessment, we followed our interest and decided to find a way to reliably exploit it.

Read More

RDP Man-in-the-Middle - Smile! You're on Camera

By Émilio Gonzalez

As part of our four-month internship at GoSecure, we chose to work on creating a Remote Desktop Protocol (RDP) honeypot. To achieve this, we used a Linux server with an RDP man-in-the-middle (MITM) program that redirects traffic to a real Windows Server.

When searching for tools, we found RDPY, a Python RDP library with a MITM implementation. However, RDPY had several limitations both in features and design choices for our use case. This led us to create our own library, which reuses some parts and concepts from RDPY.

In this blog post, we will showcase our newly release open-source project, PyRDP, which is usable both as a MITM and as a library to experiment with the protocol. We will demonstrate both use cases by describing an incident we had with a malicious user that compromised our honeypot.

Read More

Summary of Statistics Canada's Survey on Cyber Security and Cybercrime

By Masarah Paquet-Clouston

If there is one thing that all cyber security professionals agree on is how data and statistics on cybersecurity and cybercrime are misleading and unreliable. This is unsurprising considering that most statistics created, until now, came from the cybersecurity industry itself. By being economically motivated at selling security products, this industry has an unequivocal bias. Fortunately, today, we enter a new era:  Statistics Canada has just released the results of the first Canadian Survey of Cyber security and Cybercrime (CSoCC).

Read More

front

The Supply Chain behind the Market for Fake "Likes"

By Masarah Paquet-Clouston

In the past years, there has been increasing awareness by the public and policy makers on the potential harm that social network manipulation can produce. Yet, most researchers have looked at the front end of the problem: developing algorithms to flag fake accounts on social networks and suspend them. No studies have investigated  the problem from an industry perspective, with questions such as:

Read More

Large Scale Vulnerability Scanning with Jenkins

By Benoit Côté-Jodoin

Find Security Bugs can often uncover interesting findings that may lead to the discovery of critical vulnerabilities. Back in May, we published on this blog two vulnerabilities in components of Spring, a Java web framework, using this tool. However, the process of using Find Security Bugs can be a little bit tedious to unseasoned Java users. Also, the process of analyzing compiled code and triaging the findings needed improvements. Here is the solution that was built to find vulnerabilities at scale.

Read More

A Password Hidden Among Other Binary Data

Throwing it out the Windows: Exfiltrating Active Directory credentials through DNS

By Leanne Dutil

This post will detail the password filter implant project we developed recently. Our password filter is used to exfiltrate Active Directory credentials through DNS. This text will discuss the technicalities of the project as well as my personal experience developing it. It is available under an open source license on GitHub.

Read More

Upcoming WEIS presentation: Ransomware Payment in the Bitcoin Ecosystem

By Masarah Paquet-Clouston

In the past year, we developed a data-driven method for identifying, quantifying, and comparing ransom payments in the Bitcoin ecosystem from 35 ransomware families. The study was conducted in partnership with Bernhard Haslhofer from the Austrian Institute of Technology (AIT) and Benoît Dupont from the Université de Montréal (UdeM). It resulted in a paper that will be presented at the 17th Annual Workshop on the Economics of Information Security (WEIS2018) in Innsbruck, Austria, besides renowned academic researchers. 

Read More

XXE with local DTD

Automating local DTD discovery for XXE exploitation

By Philippe Arteau

Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with local a Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.

Read More

Java Remote Code Execution Potpourri

By Benoit Côté-Jodoin

Some time ago; we published a blog about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the plug-in, Find Security Bugs. In that blog post, there was an indication about multiple vulnerabilities having been found but not disclosed. Well, today we are sharing more details about the process of finding four different kinds of remote code execution in modern Java applications. Remote execution in Java can happen under different circumstances and all the findings presented here are all different from one another. This shows that while some code execution vulnerabilities are easy to detect, some of them require a thorough inspection.

Read More

injection

ESI Injection Part 2: Abusing specific implementations

By Philippe Arteau

Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on the Defcon YouTube channel. Defcon and Black Hat gave us an opportunity to unveil how ESI implementations can lead to session leakage through the client web browser without any malicious JavaScript. ESI is a specification that defines statements in the form of XML tags that are interpreted by the caching server. Those statements describe the content assembly of web pages by composing various HTML fragments from external resources. An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page.

Read More

Water violently leaking from a large pipe

Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study

By Louis Dion-Marcil

This past July, Kevin Robertson from NetSPI released a blog post entitled, "Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS," which introduced a new technique (to us at least) targeting weak default access control in Active Directory Domain Services. At GoSecure, since most of our engagements require some level of Active Directory security assessment, we followed our interest and decided to find a way to reliably exploit it.

Read More

RDP Man-in-the-Middle - Smile! You're on Camera

By Émilio Gonzalez

As part of our four-month internship at GoSecure, we chose to work on creating a Remote Desktop Protocol (RDP) honeypot. To achieve this, we used a Linux server with an RDP man-in-the-middle (MITM) program that redirects traffic to a real Windows Server.

When searching for tools, we found RDPY, a Python RDP library with a MITM implementation. However, RDPY had several limitations both in features and design choices for our use case. This led us to create our own library, which reuses some parts and concepts from RDPY.

In this blog post, we will showcase our newly release open-source project, PyRDP, which is usable both as a MITM and as a library to experiment with the protocol. We will demonstrate both use cases by describing an incident we had with a malicious user that compromised our honeypot.

Read More

Summary of Statistics Canada's Survey on Cyber Security and Cybercrime

By Masarah Paquet-Clouston

If there is one thing that all cyber security professionals agree on is how data and statistics on cybersecurity and cybercrime are misleading and unreliable. This is unsurprising considering that most statistics created, until now, came from the cybersecurity industry itself. By being economically motivated at selling security products, this industry has an unequivocal bias. Fortunately, today, we enter a new era:  Statistics Canada has just released the results of the first Canadian Survey of Cyber security and Cybercrime (CSoCC).

Read More

front

The Supply Chain behind the Market for Fake "Likes"

By Masarah Paquet-Clouston

In the past years, there has been increasing awareness by the public and policy makers on the potential harm that social network manipulation can produce. Yet, most researchers have looked at the front end of the problem: developing algorithms to flag fake accounts on social networks and suspend them. No studies have investigated  the problem from an industry perspective, with questions such as:

Read More

Large Scale Vulnerability Scanning with Jenkins

By Benoit Côté-Jodoin

Find Security Bugs can often uncover interesting findings that may lead to the discovery of critical vulnerabilities. Back in May, we published on this blog two vulnerabilities in components of Spring, a Java web framework, using this tool. However, the process of using Find Security Bugs can be a little bit tedious to unseasoned Java users. Also, the process of analyzing compiled code and triaging the findings needed improvements. Here is the solution that was built to find vulnerabilities at scale.

Read More

A Password Hidden Among Other Binary Data

Throwing it out the Windows: Exfiltrating Active Directory credentials through DNS

By Leanne Dutil

This post will detail the password filter implant project we developed recently. Our password filter is used to exfiltrate Active Directory credentials through DNS. This text will discuss the technicalities of the project as well as my personal experience developing it. It is available under an open source license on GitHub.

Read More

Upcoming WEIS presentation: Ransomware Payment in the Bitcoin Ecosystem

By Masarah Paquet-Clouston

In the past year, we developed a data-driven method for identifying, quantifying, and comparing ransom payments in the Bitcoin ecosystem from 35 ransomware families. The study was conducted in partnership with Bernhard Haslhofer from the Austrian Institute of Technology (AIT) and Benoît Dupont from the Université de Montréal (UdeM). It resulted in a paper that will be presented at the 17th Annual Workshop on the Economics of Information Security (WEIS2018) in Innsbruck, Austria, besides renowned academic researchers. 

Read More

XXE with local DTD

Automating local DTD discovery for XXE exploitation

By Philippe Arteau

Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with local a Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.

Read More

Java Remote Code Execution Potpourri

By Benoit Côté-Jodoin

Some time ago; we published a blog about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the plug-in, Find Security Bugs. In that blog post, there was an indication about multiple vulnerabilities having been found but not disclosed. Well, today we are sharing more details about the process of finding four different kinds of remote code execution in modern Java applications. Remote execution in Java can happen under different circumstances and all the findings presented here are all different from one another. This shows that while some code execution vulnerabilities are easy to detect, some of them require a thorough inspection.

Read More

injection

ESI Injection Part 2: Abusing specific implementations

By Philippe Arteau

Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on the Defcon YouTube channel. Defcon and Black Hat gave us an opportunity to unveil how ESI implementations can lead to session leakage through the client web browser without any malicious JavaScript. ESI is a specification that defines statements in the form of XML tags that are interpreted by the caching server. Those statements describe the content assembly of web pages by composing various HTML fragments from external resources. An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page.

Read More

Water violently leaking from a large pipe

Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study

By Louis Dion-Marcil

This past July, Kevin Robertson from NetSPI released a blog post entitled, "Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS," which introduced a new technique (to us at least) targeting weak default access control in Active Directory Domain Services. At GoSecure, since most of our engagements require some level of Active Directory security assessment, we followed our interest and decided to find a way to reliably exploit it.

Read More

RDP Man-in-the-Middle - Smile! You're on Camera

By Émilio Gonzalez

As part of our four-month internship at GoSecure, we chose to work on creating a Remote Desktop Protocol (RDP) honeypot. To achieve this, we used a Linux server with an RDP man-in-the-middle (MITM) program that redirects traffic to a real Windows Server.

When searching for tools, we found RDPY, a Python RDP library with a MITM implementation. However, RDPY had several limitations both in features and design choices for our use case. This led us to create our own library, which reuses some parts and concepts from RDPY.

In this blog post, we will showcase our newly release open-source project, PyRDP, which is usable both as a MITM and as a library to experiment with the protocol. We will demonstrate both use cases by describing an incident we had with a malicious user that compromised our honeypot.

Read More

Summary of Statistics Canada's Survey on Cyber Security and Cybercrime

By Masarah Paquet-Clouston

If there is one thing that all cyber security professionals agree on is how data and statistics on cybersecurity and cybercrime are misleading and unreliable. This is unsurprising considering that most statistics created, until now, came from the cybersecurity industry itself. By being economically motivated at selling security products, this industry has an unequivocal bias. Fortunately, today, we enter a new era:  Statistics Canada has just released the results of the first Canadian Survey of Cyber security and Cybercrime (CSoCC).

Read More

front

The Supply Chain behind the Market for Fake "Likes"

By Masarah Paquet-Clouston

In the past years, there has been increasing awareness by the public and policy makers on the potential harm that social network manipulation can produce. Yet, most researchers have looked at the front end of the problem: developing algorithms to flag fake accounts on social networks and suspend them. No studies have investigated  the problem from an industry perspective, with questions such as:

Read More

Large Scale Vulnerability Scanning with Jenkins

By Benoit Côté-Jodoin

Find Security Bugs can often uncover interesting findings that may lead to the discovery of critical vulnerabilities. Back in May, we published on this blog two vulnerabilities in components of Spring, a Java web framework, using this tool. However, the process of using Find Security Bugs can be a little bit tedious to unseasoned Java users. Also, the process of analyzing compiled code and triaging the findings needed improvements. Here is the solution that was built to find vulnerabilities at scale.

Read More

A Password Hidden Among Other Binary Data

Throwing it out the Windows: Exfiltrating Active Directory credentials through DNS

By Leanne Dutil

This post will detail the password filter implant project we developed recently. Our password filter is used to exfiltrate Active Directory credentials through DNS. This text will discuss the technicalities of the project as well as my personal experience developing it. It is available under an open source license on GitHub.

Read More

Upcoming WEIS presentation: Ransomware Payment in the Bitcoin Ecosystem

By Masarah Paquet-Clouston

In the past year, we developed a data-driven method for identifying, quantifying, and comparing ransom payments in the Bitcoin ecosystem from 35 ransomware families. The study was conducted in partnership with Bernhard Haslhofer from the Austrian Institute of Technology (AIT) and Benoît Dupont from the Université de Montréal (UdeM). It resulted in a paper that will be presented at the 17th Annual Workshop on the Economics of Information Security (WEIS2018) in Innsbruck, Austria, besides renowned academic researchers. 

Read More

XXE with local DTD

Automating local DTD discovery for XXE exploitation

By Philippe Arteau

Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with local a Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.

Read More

Java Remote Code Execution Potpourri

By Benoit Côté-Jodoin

Some time ago; we published a blog about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the plug-in, Find Security Bugs. In that blog post, there was an indication about multiple vulnerabilities having been found but not disclosed. Well, today we are sharing more details about the process of finding four different kinds of remote code execution in modern Java applications. Remote execution in Java can happen under different circumstances and all the findings presented here are all different from one another. This shows that while some code execution vulnerabilities are easy to detect, some of them require a thorough inspection.

Read More

injection

ESI Injection Part 2: Abusing specific implementations

By Philippe Arteau

Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on the Defcon YouTube channel. Defcon and Black Hat gave us an opportunity to unveil how ESI implementations can lead to session leakage through the client web browser without any malicious JavaScript. ESI is a specification that defines statements in the form of XML tags that are interpreted by the caching server. Those statements describe the content assembly of web pages by composing various HTML fragments from external resources. An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page.

Read More

Water violently leaking from a large pipe

Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study

By Louis Dion-Marcil

This past July, Kevin Robertson from NetSPI released a blog post entitled, "Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS," which introduced a new technique (to us at least) targeting weak default access control in Active Directory Domain Services. At GoSecure, since most of our engagements require some level of Active Directory security assessment, we followed our interest and decided to find a way to reliably exploit it.

Read More

RDP Man-in-the-Middle - Smile! You're on Camera

By Émilio Gonzalez

As part of our four-month internship at GoSecure, we chose to work on creating a Remote Desktop Protocol (RDP) honeypot. To achieve this, we used a Linux server with an RDP man-in-the-middle (MITM) program that redirects traffic to a real Windows Server.

When searching for tools, we found RDPY, a Python RDP library with a MITM implementation. However, RDPY had several limitations both in features and design choices for our use case. This led us to create our own library, which reuses some parts and concepts from RDPY.

In this blog post, we will showcase our newly release open-source project, PyRDP, which is usable both as a MITM and as a library to experiment with the protocol. We will demonstrate both use cases by describing an incident we had with a malicious user that compromised our honeypot.

Read More

Summary of Statistics Canada's Survey on Cyber Security and Cybercrime

By Masarah Paquet-Clouston

If there is one thing that all cyber security professionals agree on is how data and statistics on cybersecurity and cybercrime are misleading and unreliable. This is unsurprising considering that most statistics created, until now, came from the cybersecurity industry itself. By being economically motivated at selling security products, this industry has an unequivocal bias. Fortunately, today, we enter a new era:  Statistics Canada has just released the results of the first Canadian Survey of Cyber security and Cybercrime (CSoCC).

Read More

front

The Supply Chain behind the Market for Fake "Likes"

By Masarah Paquet-Clouston

In the past years, there has been increasing awareness by the public and policy makers on the potential harm that social network manipulation can produce. Yet, most researchers have looked at the front end of the problem: developing algorithms to flag fake accounts on social networks and suspend them. No studies have investigated  the problem from an industry perspective, with questions such as:

Read More

Large Scale Vulnerability Scanning with Jenkins

By Benoit Côté-Jodoin

Find Security Bugs can often uncover interesting findings that may lead to the discovery of critical vulnerabilities. Back in May, we published on this blog two vulnerabilities in components of Spring, a Java web framework, using this tool. However, the process of using Find Security Bugs can be a little bit tedious to unseasoned Java users. Also, the process of analyzing compiled code and triaging the findings needed improvements. Here is the solution that was built to find vulnerabilities at scale.

Read More

A Password Hidden Among Other Binary Data

Throwing it out the Windows: Exfiltrating Active Directory credentials through DNS

By Leanne Dutil

This post will detail the password filter implant project we developed recently. Our password filter is used to exfiltrate Active Directory credentials through DNS. This text will discuss the technicalities of the project as well as my personal experience developing it. It is available under an open source license on GitHub.

Read More

Upcoming WEIS presentation: Ransomware Payment in the Bitcoin Ecosystem

By Masarah Paquet-Clouston

In the past year, we developed a data-driven method for identifying, quantifying, and comparing ransom payments in the Bitcoin ecosystem from 35 ransomware families. The study was conducted in partnership with Bernhard Haslhofer from the Austrian Institute of Technology (AIT) and Benoît Dupont from the Université de Montréal (UdeM). It resulted in a paper that will be presented at the 17th Annual Workshop on the Economics of Information Security (WEIS2018) in Innsbruck, Austria, besides renowned academic researchers. 

Read More

XXE with local DTD

Automating local DTD discovery for XXE exploitation

By Philippe Arteau

Last month, we presented at Hack In Paris (France) a XML External Entities (XXE) exploitation workshop. It showcase methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with local a Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.

Read More

Java Remote Code Execution Potpourri

By Benoit Côté-Jodoin

Some time ago; we published a blog about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the plug-in, Find Security Bugs. In that blog post, there was an indication about multiple vulnerabilities having been found but not disclosed. Well, today we are sharing more details about the process of finding four different kinds of remote code execution in modern Java applications. Remote execution in Java can happen under different circumstances and all the findings presented here are all different from one another. This shows that while some code execution vulnerabilities are easy to detect, some of them require a thorough inspection.

Read More

injection

ESI Injection Part 2: Abusing specific implementations

By Philippe Arteau

Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on the Defcon YouTube channel. Defcon and Black Hat gave us an opportunity to unveil how ESI implementations can lead to session leakage through the client web browser without any malicious JavaScript. ESI is a specification that defines statements in the form of XML tags that are interpreted by the caching server. Those statements describe the content assembly of web pages by composing various HTML fragments from external resources. An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page.

Read More

Water violently leaking from a large pipe

Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study

By Louis Dion-Marcil

This past July, Kevin Robertson from NetSPI released a blog post entitled, "Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS," which introduced a new technique (to us at least) targeting weak default access control in Active Directory Domain Services. At GoSecure, since most of our engagements require some level of Active Directory security assessment, we followed our interest and decided to find a way to reliably exploit it.

Read More

RDP Man-in-the-Middle - Smile! You're on Camera

By Émilio Gonzalez

As part of our four-month internship at GoSecure, we chose to work on creating a Remote Desktop Protocol (RDP) honeypot. To achieve this, we used a Linux server with an RDP man-in-the-middle (MITM) program that redirects traffic to a real Windows Server.

When searching for tools, we found RDPY, a Python RDP library with a MITM implementation. However, RDPY had several limitations both in features and design choices for our use case. This led us to create our own library, which reuses some parts and concepts from RDPY.

In this blog post, we will showcase our newly release open-source project, PyRDP, which is usable both as a MITM and as a library to experiment with the protocol. We will demonstrate both use cases by describing an incident we had with a malicious user that compromised our honeypot.

Read More

Summary of Statistics Canada's Survey on Cyber Security and Cybercrime

By Masarah Paquet-Clouston

If there is one thing that all cyber security professionals agree on is how data and statistics on cybersecurity and cybercrime are misleading and unreliable. This is unsurprising considering that most statistics created, until now, came from the cybersecurity industry itself. By being economically motivated at selling security products, this industry has an unequivocal bias. Fortunately, today, we enter a new era:  Statistics Canada has just released the results of the first Canadian Survey of Cyber security and Cybercrime (CSoCC).

Read More

front

The Supply Chain behind the Market for Fake "Likes"

By Masarah Paquet-Clouston

In the past years, there has been increasing awareness by the public and policy makers on the potential harm that social network manipulation can produce. Yet, most researchers have looked at the front end of the problem: developing algorithms to flag fake accounts on social networks and suspend them. No studies have investigated  the problem from an industry perspective, with questions such as:

Read More

Large Scale Vulnerability Scanning with Jenkins

By Benoit Côté-Jodoin

Find Security Bugs can often uncover interesting findings that may lead to the discovery of critical vulnerabilities. Back in May, we published on this blog two vulnerabilities in components of Spring, a Java web framework, using this tool. However, the process of using Find Security Bugs can be a little bit tedious to unseasoned Java users. Also, the process of analyzing compiled code and triaging the findings needed improvements. Here is the solution that was built to find vulnerabilities at scale.

Read More

A Password Hidden Among Other Binary Data

Throwing it out the Windows: Exfiltrating Active Directory credentials through DNS

By Leanne Dutil

This post will detail the password filter implant project we developed recently. Our password filter is used to exfiltrate Active Directory credentials through DNS. This text will discuss the technicalities of the project as well as my personal experience developing it. It is available under an open source license on GitHub.

Read More

Upcoming WEIS presentation: Ransomware Payment in the Bitcoin Ecosystem

By Masarah Paquet-Clouston

In the past year, we developed a data-driven method for identifying, quantifying, and comparing ransom payments in the Bitcoin ecosystem from 35 ransomware families. The study was conducted in partnership with Bernhard Haslhofer from the Austrian Institute of Technology (AIT) and Benoît Dupont from the Université de Montréal (UdeM). It resulted in a paper that will be presented at the 17th Annual Workshop on the Economics of Information Security (WEIS2018) in Innsbruck, Austria, besides renowned academic researchers. 

Read More