
4 Essential Strategies For Enterprise Cybersecurity Workforce Development

By: OffSec
5 June 2023 at 13:28

In our most recent webinar, we were joined by Jeremiah Roe, Field CISO at Synack. Paul Griffin, OffSec’s Head of Customer Success led the conversation about the cybersecurity talent gap and how it continues to present significant challenges for organizations across industries. 

Some of the key statistics shared indicate that the shortage of skilled professionals has adverse consequences on organizations globally. 

Fortinet’s 2022 Cybersecurity Skills Gap report found that 60% of organizations struggle to recruit cybersecurity professionals, and 52% struggle to retain them. Additionally, 80% of organizations suffered one or more breaches they could attribute to a lack of cybersecurity skills last year.

All of this proves that it is crucial for organizations to adopt strategies that foster the growth and development of their cybersecurity workforce.


The post 4 Essential Strategies For Enterprise Cybersecurity Workforce Development appeared first on OffSec.

How Joe Marshall helps defend everything from electrical grids to grain co-ops across multiple continents

5 June 2023 at 11:00

Joe Marshall was a security practitioner before he even knew it.

Marshall started his career in information technology as a systems administrator. On the surface, he jokes that he was a “white-collar plumber” — fixing IT issues as they arose, handing out new credentials and asking users if they had tried turning something off and back on again.

But while he served in these roles across multiple companies for about 10 years, he became familiar with cybersecurity almost by accident.

“When you’re in IT or sysadmin, it’s not just ‘something’s broke, I’m here to fix it,’” Marshall said. “You have to create accounts, worry about password securities, updating critical patches — you don’t think of yourself as a security practitioner but that’s actually what you’re doing every day.”

His work today, though, is a far cry from having to provide hands-on support for someone’s broken email system.

Marshall is a senior security strategist for Talos’ Strategic Communications team, specifically focusing on industrial control systems. He spends most of his days talking to customers, users and industry leaders informing them about the latest security threats facing large industrial systems — think grain co-ops, electrical grids, manufacturing facilities and water pipelines.

He first got into the ICS space by working as a cybersecurity architect for Exelon, one of the largest public utility companies in the U.S. Prior to his time at Exelon, Marshall jokes that he knew nothing about ICS or operational technology, but he soon found that these systems had more in common with the systems he was used to working with than he had expected.

“IT and OT [operational technology] is 95% one and the same, it’s just how they’re deployed and managed,” Marshall said.

Prior to joining the Strategic Communications team, Marshall also spent time with Talos Outreach publishing new research, and for several years led his own team of researchers who were specifically tasked with finding vulnerabilities and new security threats in ICS systems, internet-of-things devices and other products that are vital to critical infrastructure.

Marshall speaking at Cisco Live U.S. 2022.

All this experience has given him a greater appreciation for public utilities across the country and the workers who ensure that everyone has basic needs delivered to their home like water and electricity. He’s gotten hands-on at site visits and conferences with electrical grids responsible for serving thousands of households and has even become familiar with the agricultural industry, speaking with grain co-ops and farmers who are asking about threats to their OT processes that help them process their various products.

“I’m never coming in with sunshine and smiles saying, ‘everything’s cool, nothing to worry about,’” Marshall said. “That would be doing a disservice. I'm coming in to tell them how they can make their processes more resilient. To do that means you, as the presenter need to do your homework. You need to understand the basics of crops or how, say, a dairy farm works and what technology stack they’re working with.”

That’s specifically come into play in Ukraine, where Marshall has spent time on the ground with defenders and infrastructure managers to help strengthen the security of the country’s power grid and agricultural supply chain. This has become even more important during Russia’s invasion of Ukraine, during which Russian military forces have launched kinetic and cyber attacks against critical infrastructure.

Marshall said he is always in contact with friends and colleagues there, providing advice to improve their cyber defenses.

“It’s different when you’re looking at Ukraine because every day, there are so many tragedies that occur. I’ve been there. When you see a building that you’ve been in, or you know your friends are in, and you see it get hit with a missile, it rocks you,” he said.

Knowing how devastating cyber attacks can be on critical infrastructure around the world is “pretty sobering knowledge,” Marshall said, but he actively tries to avoid catastrophizing or always putting worst-case scenarios out into the world. Despite many headlines around the dangers of cyber attacks on the U.S. power grid, Marshall jokes that critters like snakes and squirrels have caused more power outages in modern history than cyber attacks.

“Have more faith in the resiliency of your critical infrastructure,” he said. “You have so many smart people talking every day about how to make our infrastructure more resilient and more powerful. Never fear, you have smart people working on it. Even if you’ve lost power, people are working to bring it back.”

Given the high-stakes environments he often works in, Marshall said he tries to unplug and step away from work frequently to decompress and step back — often by playing video games or practicing playing the banjo. Marshall is a proponent of talk therapy and encourages everyone in the security community to reach out to their support systems to avoid burnout.

“We're constantly sitting on knowledge that no one else knows about, and you’re constantly thinking about what the consequences could be,” he said. “Humans are humans, and we all have different thresholds that we crack under. If your cup is very full, and something pours in, something has to pour out.”

Outside of Talos, Marshall also works with the non-governmental organization NetHope, which helps other non-profits embrace and adapt to new technologies. He specifically is working with electric utilities in Ukraine to make their grids and networks more resilient and hopes one day “we can reinvent the way grid resiliency is thought of.”

He likes to embrace the fun side of security, too. Marshall led the team that created “Advanced Persistent Thirst,” a kegerator that currently resides in Talos’ Fulton, Maryland office. Marshall’s team built the keg several years ago with several interconnected ICS devices. He and his team brought it to different security conferences, offering a job interview (and even hiring them) to anyone who could hack into the kegerator to make it dispense beer.

Even if he’s introducing ideas around cybersecurity with a keg, pun or meme in a presentation, Marshall said his goal is to always make whoever is listening “a better student of the game.”

“People are going to be your biggest and best asset. Technology is not going to solve your woes alone,” he said. “Having smart people and letting them do smart stuff and getting out there, is hands down the biggest leap you can make.”

Flipper Zero Experiments – Sub-GHz

5 June 2023 at 09:00

“The quieter you become, the more you are able to hear.”

This is the tagline associated with Kali Linux, a Linux distribution used by security researchers, penetration testers, and hackers alike. In the context of Kali and typical penetration testing, the listening often refers to a given internal network and the insecure broadcast requests therein; however, interesting or useful traffic and signals are not limited to internal networks.

In this blog post, I am going to be exploring one potential physical security attack chain, relaying a captured signal to open a gate using a device called the Flipper Zero.

The types of signals that the Flipper Zero device can capture fall into the following categories: NFC (near-field communication), RFID (radio frequency identification), Infrared, Sub-GHz, and iButton. Fully explaining these types of signals, their uses, and so on is beyond the scope of this article. Just know that a Flipper Zero (sometimes just called a Flipper) has many tools and can capture and replay a variety of signals easily. This blog post will focus on Sub-GHz and one potential abuse of capturing Sub-GHz signals. Namely, I set out to determine how feasible it would be to capture a Sub-GHz signal from a gate opening key fob.

When the Flipper Zero was initially released, I and many other physical security professionals and enthusiasts were curious about how this tool could be used on physical security vulnerability assessments and covert entry assessments. For those unfamiliar, a covert entry assessment is a physical security assessment in which penetration testers try to gain access to sensitive or valuable data, equipment, or a certain location on a target site undetected. A physical security vulnerability assessment consists of an escorted walkthrough of the target site during which a physical security professional investigates potential vulnerabilities and explains and demonstrates how an attacker would abuse a gap or weakness in the site’s and the company’s physical security.

While I acknowledge that modified versions of Flipper firmware exist with additional functionality and less restrictions, for the sake of simplicity and to better demonstrate the low barrier to entry for a potential attacker, a standard Flipper Zero was used for this experiment.

The aim of this experiment was to determine the viability of this physical security attack chain, the limits of its exploitability, and the feasibility of using a Flipper Zero to capture a Sub-GHz signal with limited information about the device or frequencies in use. The basic question I aimed to answer was how feasible it would be for an attacker to capture a gate open request and replay it to gain entry to a target site. For the sake of completeness, I will acknowledge that simply tailgating into an apartment complex or corporate site is a much easier method of entry. It is also worth mentioning that different readers use different frequencies, which can affect the effective read or capture distance. For this experiment, we will imagine that the target site’s gate has an aggressive timer that would prevent tailgating. In my experiment, the theoretical target reading device was a Transcore Smart Pass Reader.


After acquiring a key fob that sends a Sub-GHz signal, the first priority was determining the frequency in use. While the Flipper Zero does have a “hopping” feature in which the device constantly switches which frequency it is listening on, for the sake of some aspects of the experiment it made much more sense to just determine and hard code the Flipper to listen on the relevant frequency.

Arguably the biggest factor that would determine the feasibility of capturing Sub-GHz signals was the read range of the Flipper. If the read range was, for instance, less than 1 foot, then that would significantly reduce the likelihood an individual could covertly capture a key fob or similar device’s signal.

Below are the Flipper read range results using a Sub-GHz key fob and with the relevant frequency configured:

  • 5 ft – worked
  • 10 ft – worked
  • 15 ft – worked
  • 25 ft – worked (took a few clicks of key fob)
  • 35 ft – worked
  • 40 ft – did not appear to work
  • 50 ft – did not appear to work

Being able to capture a Sub-GHz signal 35 feet from the device sending the signal was certainly further than I expected. After determining the effective capture range for the Flipper and the key fob was 35 feet, I tried to capture the key fob signal while using the hopping feature, as a means of determining the feasibility of signal capture in the event the device frequency was unknown. During this part of the experiment, hopping at 35 feet did not successfully capture the signal. Based on my experiments, 20 feet appeared to be the maximum effective read range for Sub-GHz while using the hopping feature.

Taking a step back from the read distance of the Flipper and viewing a potential attack holistically brings the conversation back to the frequency. This is a problem that is arguably easily bypassed simply by creating a module or custom script to modify the frequency hopping behavior to set the hopping to stay on a given frequency for an hour and then save any captured signals and rotate to the next frequency. Running this on a Flipper left near the targeted reader overnight, or even for days on end, and then returning seems very likely to work based on the behavior I saw while testing.

The easiest option is to just run the Flipper’s Frequency Analyzer tool while near the target reader. It is worth noting that depending on the location there may be ambient signals of varying strengths which could make the results unclear as to which signal was related to the target device.

If for whatever reason a physical security penetration tester cannot reach or otherwise see a target device’s tag, looking up the product online may be the best option. Enough browsing of eBay and other e-commerce sites and looking at the manufacturer’s website should narrow down the relevant model of the target device.

Another method to find out the frequency a given reader uses is simply looking at the reader device itself. At a minimum, a device’s tag will have an FCC ID, and some devices will also include the frequency on the device.

The FCC ID can be used to look up the listening frequency, as shown below.



Ultimately, aside from the potential logistical issue of determining the relevant frequency and how that may limit the viable capture range, planting or using a Flipper near a gate appears to be a very viable means of gaining entry to a target site.

If you are interested in having a physical security vulnerability assessment or covert entry assessment, please contact [email protected].


The post Flipper Zero Experiments – Sub-GHz appeared first on Nettitude Labs.


Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence

6 June 2023 at 10:55

Executive Summary

  • SentinelLabs has been tracking a social engineering campaign by the North Korean APT group Kimsuky targeting experts in North Korean affairs, part of a broader campaign discussed in a recent NSA advisory.
  • The campaign has the objective of stealing Google and subscription credentials of a reputable news and analysis service focusing on North Korea, as well as delivering reconnaissance malware.
  • Kimsuky engages in extensive email correspondence and uses spoofed URLs, websites imitating legitimate web platforms, and Office documents weaponized with the ReconShark malware.
  • This activity indicates Kimsuky’s growing dedication to social engineering and highlights the group’s increasing interest in gathering strategic intelligence.


In collaboration with NK News, a leading subscription-based service that provides news and analyses about North Korea, SentinelLabs has been tracking a targeted social engineering campaign against experts in North Korean affairs from the non-government sector. The campaign focuses on theft of email credentials, delivery of reconnaissance malware, and theft of NK News subscription credentials. Based on the used malware, infrastructure, and tactics, we assess with high confidence that the campaign has been orchestrated by the Kimsuky threat actor.

The social engineering tactics and some infrastructure characteristics closely relate to a Kimsuky activity privately reported by PwC and discussed in an NSA advisory published during the writing of this article. We focus on the specific targeting of expert analysts of North Korean affairs by impersonating NK News and stealing NK News credentials, and provide details on the TTPs used to support collaborative hunting and detection efforts.

Kimsuky, a suspected North Korean advanced persistent threat (APT) group whose activities align with the interests of the North Korean government, is known for its global targeting of organizations and individuals. Operating since at least 2012, the group often employs targeted phishing and social engineering tactics to gather intelligence and access sensitive information.

A hallmark of the activity we discuss in this post is Kimsuky’s focus on establishing initial contact and developing a rapport with their targets prior to initiating malicious activities. As part of their initial contact strategy, the group impersonated Chad O’Carroll, the founder of NK News and the associated holding company Korea Risk Group, using an attacker-created domain, nknews[.]pro, which closely resembles the legitimate NK News domain. The initial email requests the review of a draft article analyzing the nuclear threat posed by North Korea.

If the target engages in the conversation, Kimsuky uses the opportunity to deliver a spoofed URL to a Google document, which redirects to a malicious website specifically crafted to capture Google credentials. Kimsuky may also deliver a weaponized Office document that executes the ReconShark reconnaissance malware.

Further, Kimsuky’s objective extends to the theft of subscription credentials from NK News. To achieve this, the group distributes emails that lure targeted individuals to log in on the malicious website nknews[.]pro, which masquerades as the authentic NK News site. The login form that is presented to the target is designed to capture entered credentials.

This Kimsuky activity indicates the group’s growing efforts to establish early communication and foster trust with their targets prior to initiating malicious operations, including the delivery of malware. Their approach highlights the group’s commitment to creating a sense of rapport with the individuals they target, potentially increasing the success rate of their subsequent malicious activities.

By actively targeting high-profile experts in North Korean affairs and stealing subscription credentials from prominent news and analysis outlets focusing on North Korea, Kimsuky demonstrates a heightened curiosity in understanding how the international community perceives developments concerning North Korea, such as the country’s military activities. These actions are probably part of their broader objective to gather strategic intelligence, contributing to North Korea’s decision-making processes.

Google Credential Theft

We observed Kimsuky distributing an HTML-formatted phishing email to selected individuals, which requests the review of a draft article analyzing the nuclear threat posed by North Korea. The email primarily aims to initiate a subsequent conversation and is intentionally designed to appear benign: It impersonates NK News leadership and lacks any malicious artifacts.

Initial email

If the target engages in the conversation, Kimsuky eventually follows up with an email that contains a URL to a Google document.

Follow-up email

If the target is not responsive, Kimsuky follows up with a reminder email in an attempt to engage the target in conversation.

Reminder email

The URL’s destination is manipulated through the spoofing technique of setting the anchor’s href attribute to a website created by Kimsuky while the visible link text still shows the Google Docs URL. This method, commonly employed in phishing attacks, creates a discrepancy between the perceived legitimacy of the link (a genuine Google document) and the actual website visited upon clicking it.

The displayed URL to a Google document points to an actual article hosted on Google Docs, delving into the topic of the North Korean nuclear threat. The article contains visible edits to give the impression of a genuine draft article, aligning with Kimsuky’s luring tactic.

Google document

The spoofed destination of the URL redirects the target to an attacker-created website that masquerades as a legitimate Google Docs site for requesting document access, such as


The Base-64 encoded segment, that is, the value of the menu URL query parameter, resolves to the target’s email address.

This serves as a means of transporting the target’s address to the fake Google Docs site, which enables the site to dynamically display the address, creating a personalized and convincing appearance of legitimacy. The design and functionality of this site suggest its potential for reuse in targeting different individuals.
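As an added example (not code from SentinelLabs or from the campaign), the following Python script checks a constructed HTML email body for the two link properties described above: anchor text that reads as a Google Docs URL while the href leads to a different host, and a base64-encoded query parameter (assumed here to be named menu, as in the URL above) that decodes to the recipient’s address. The hostnames, the recipient address and the email body are constructed for the demonstration.

```python
"""Detect display/href spoofing and base64-personalised links in an HTML email.

Added example, not SentinelLabs code. The body, hostnames, the recipient
address and the parameter name "menu" are assumptions for the demo.
"""
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

TARGET_ADDRESS = "analyst@example.org"  # constructed recipient
ENCODED_ADDRESS = base64.b64encode(TARGET_ADDRESS.encode()).decode()

# Constructed sample: the visible text mimics Google Docs, the href does not.
SAMPLE_EMAIL = f"""
<p>Please review the attached draft on the nuclear threat.</p>
<a href="https://docs-share.example-phish.test/view?menu={ENCODED_ADDRESS}">
https://docs.google.com/document/d/1AbCdEfG/edit
</a>
<p>Regards</p>
<a href="https://www.nknews.org/">NK News</a>
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def display_href_mismatch(href, text):
    """True when the visible text is itself a URL whose host differs from the href's."""
    shown = URL_RE.search(text)
    if not shown:
        return False
    return urlparse(shown.group(0)).hostname != urlparse(href).hostname


def query_param(href, name):
    """Raw query value, percent-decoded but with '+' and '=' kept (base64-safe)."""
    for part in urlparse(href).query.split("&"):
        key, sep, value = part.partition("=")
        if sep and key == name:
            return unquote(value)
    return None


def decode_embedded_address(href, param="menu"):
    """Decode a base64 query parameter and return it if it is an email address."""
    raw = query_param(href, param)
    if raw is None:
        return None
    padded = raw + "=" * (-len(raw) % 4)  # tolerate stripped padding
    try:
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.fullmatch(decoded) else None


def analyse_email(html):
    """One finding per anchor: mismatch flag plus any embedded recipient address."""
    return [
        {
            "href": href,
            "text": text,
            "display_mismatch": display_href_mismatch(href, text),
            "embedded_address": decode_embedded_address(href),
        }
        for href, text in extract_anchors(html)
    ]
```

A finding with display_mismatch set and an embedded_address present is the combination the campaign relied on; either signal alone is worth surfacing in mail-filter triage.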

Malicious Google Docs site

We were unable to analyze the functionality behind the Request access web element as the group has taken down the site. However, given the theme of the site, we suspect that it has been designed to capture entered Google credentials.

During conversations with targeted individuals, Kimsuky also seizes any available opportunity to distribute password-protected weaponized Office documents that deploy the ReconShark reconnaissance malware. ReconShark exfiltrates information relevant for conducting subsequent precision attacks, such as deployed detection mechanisms and hardware information. The implementation of the ReconShark variant we observed in this activity remains the same as the one covered in our previous post on Kimsuky activity, with the main distinction being the use of a different C2 server: staradvertiser[.]store. This domain resolves to the IP address 162.0.209[.]27, which has hosted domains that have been attributed to Kimsuky in previous research, such as sesorin[.]lol and rfa[.]ink. Kimsuky’s use of ReconShark as part of this activity underscores the malware’s central role within the group’s current operational playbook.

NK News Credential Theft

We also observed Kimsuky attempting to steal credentials for the subscription service of NK News, which is known for its comprehensive expert analyses and news reports. Gaining access to such reports would provide Kimsuky with valuable insights into how the international community assesses and interprets developments related to North Korea, contributing to their broader strategic intelligence-gathering initiatives.

In order to accomplish this, Kimsuky distributes emails that lure targeted individuals to log in to a spoofed NK News subscription service. The emails prompt the recipients to confirm their NK News accounts under the pretext of recent security updates.

Phishing Email

The fake login site, hosted at https[://]www.nknews[.]pro/ip/register/, features a login form with the standard web elements, such as Sign In, Sign Up, and Forgot Password? buttons. When clicked, the Sign In button executes the loginAct JavaScript function, whereas the rest of the buttons do not conduct any activities.

Fake NK News login site

The JavaScript code captures entered credentials by issuing an HTTP POST request to https[://]www.nknews[.]pro/ip/register/login[.]php and then redirects the user to the legitimate NK News site.

JavaScript code

The main website hosted at https[://]www.nknews[.]pro redirects to the legitimate NK News site and uses a certificate issued by Sectigo:

  • Thumbprint: a1597d197e9b084a043ada5c7dac1f9b6d7f7af3
  • Serial number: 00f342582c9a299acf2452aaf5115c5be0

The domain nknews[.]pro, registered through Namecheap, also resolves to the Kimsuky-linked IP address 162.0.209[.]27. The URL https[://]www.nknews[.]pro/config[.]php hosts a password-protected remote management site, which is likely an implementation of the b374k tool, based on the implementation of the login site and the presence of the config.php file. The Kimsuky group is known to use this tool for remote management of its infrastructure.

b374k login site


SentinelLabs remains actively engaged in monitoring the activities conducted by Kimsuky. The findings presented in this post highlight the group’s persistent commitment to targeted social engineering attacks and underscore the need for increased awareness and understanding of Kimsuky’s tactics among potential targets. Maintaining vigilance and implementing effective security measures are imperative to mitigate the risks posed by this persistent threat actor.

Indicators of Compromise


Adversaries increasingly using vendor and contractor accounts to infiltrate networks

6 June 2023 at 12:01
  • Cisco Talos Incident Response (Talos IR) has repeatedly observed attackers targeting and using compromised vendor and contractor accounts (VCAs) during recent emergency response engagements.
  • While high-profile software supply chain compromise events garner significant media attention (e.g., the recent disclosure of supply chain attacks via the 3CX Desktop Softphone application), abuse of third-party workforce accounts is often overlooked.
  • VCAs typically have expanded privilege and access. They may be glossed over during account audits because of increased trust placed in the third party.
  • Organizations should increase prevention and detection capabilities around VCAs.

The software supply chain has become a key security focus for many organizations, but the risks associated with supply chain attacks are often misunderstood. High-profile incidents like those reported by 3CX and MSI routinely grab headlines, continuing a trajectory of big-name security events that involve one specific aspect of the supply chain – software.

Successful software-focused supply chain attacks can give an adversary access to dozens or even hundreds of victims, but they are resource-intensive and require an extensive understanding of the target environment, the build process, and the software itself. The inherently broad scope of a software supply chain attack also eliminates the ability for adversaries to strategically target victims. Attacks with higher victim counts create increased awareness within the cybersecurity community, which means the attackers are more likely to eventually be discovered and stopped.

Other aspects of the supply chain offer greater ease of exploitation and could still result in the opportunity to pivot between victim organizations. While the industry focuses on identifying and addressing software-focused supply chain attacks, Talos IR has seen more incidents involving the abuse of compromised VCAs.

Adversaries view vendor accounts as an attractive supply chain entry point

VCAs are accounts created for third-party workforce members – employees of external partner organizations that maintain physical or virtual access to an organization’s environment.

VCAs are particularly attractive to adversaries before and after initial access is gained. During one investigation, Talos IR observed an adversary gaining access to an organization using a low-privilege user account, then later authenticating successfully using two other accounts: a service account used to deploy software across the organization and a third-party vendor account.

Both accounts had Domain Admin or comparable privileges. Talos IR observed that the adversary authenticated to the service account first, but the vendor account was used almost exclusively thereafter. Why?

There are a few reasons adversaries may favor VCAs over other accounts with comparable privileges.

Vendors may remotely access the environment intermittently or at unusual times, making it difficult for the information security team to establish an activity baseline for those accounts. How would an organization detect a time-of-day authentication anomaly if their contracted development team had members around the world working their own unique shifts? What about for a contractor who only connects remotely a few times a month based on their schedule? Or one that only logs in for ad hoc troubleshooting?

Geolocation anomalies can be difficult to detect as well. If the organization hires a freelance consultant who prefers the travel-and-work lifestyle, that account may be seen authenticating from many different geographic regions. Similarly, in large organizations, how easy is it to keep track of who is on vacation or is traveling for business, or who has relocated to a different area (temporarily or permanently)?

Privilege levels are another attractive aspect. VCA privileges are usually based on the vendor’s role, but these accounts usually have elevated privileges – think Domain Admin. In some cases, such as Electronic Health Record (EHR) or core banking applications, the VCA might even have access to manage systems and data that no one in the organization’s IT and infosec department shares.

Adversary activity may be camouflaged by other legitimate vendor activity. Technology vendors commonly perform tasks involving command line execution, modification of configuration files, and complex debugging and troubleshooting. Even under scrutiny, these tasks bear similarities to typical adversary activity. As evidenced by the incident mentioned previously where the adversary chose to leverage a VCA over a service account, it’s much easier to hide in the noise if you take over an account that is regularly used for system administration activities.
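As an added example (not Talos IR tooling), the following Python builds a per-account sign-in baseline from constructed log lines and scores new sign-ins against it. Accounts tagged as VCAs are escalated on a first-seen source country because of the privilege they carry, while hour-of-day deviations are not scored until an account has enough history, which is how it handles the sparse, irregular baseline problem described above. The log format, account names and the MIN_SAMPLES threshold are assumptions.

```python
"""Baseline-and-deviation scoring for vendor/contractor account (VCA) sign-ins.

Added example, not Talos code. Log format, account names and MIN_SAMPLES
are assumptions; every record below is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Hour-of-day deviations are only scored once an account has this many
# successful sign-ins; intermittent VCAs rarely get there, so for them the
# country check (and the privilege they carry) drives the severity.
MIN_SAMPLES = 5

VCA_ACCOUNTS = {"svc-vendor-ehr", "contractor-dev01", "newvendor"}

HISTORY_LOG = """\
2023-05-01T09:12:00Z user=jsmith src_country=US result=success
2023-05-02T09:40:00Z user=jsmith src_country=US result=success
2023-05-03T13:05:00Z user=jsmith src_country=US result=success
2023-05-04T17:30:00Z user=jsmith src_country=US result=success
2023-05-05T08:55:00Z user=jsmith src_country=US result=success
2023-04-12T02:10:00Z user=svc-vendor-ehr src_country=US result=success
2023-05-20T22:45:00Z user=svc-vendor-ehr src_country=US result=success
2023-05-01T06:00:00Z user=contractor-dev01 src_country=DE result=success
2023-05-02T11:30:00Z user=contractor-dev01 src_country=DE result=success
2023-05-03T15:00:00Z user=contractor-dev01 src_country=DE result=success
2023-05-04T19:45:00Z user=contractor-dev01 src_country=DE result=success
2023-05-05T08:15:00Z user=contractor-dev01 src_country=DE result=success
2023-05-06T21:00:00Z user=contractor-dev01 src_country=DE result=failure
"""

NEW_LOG = """\
2023-06-01T09:05:00Z user=jsmith src_country=US result=success
2023-06-01T10:30:00Z user=jsmith src_country=BR result=success
2023-06-01T14:00:00Z user=svc-vendor-ehr src_country=US result=success
2023-06-02T03:15:00Z user=svc-vendor-ehr src_country=RU result=success
2023-06-02T04:40:00Z user=contractor-dev01 src_country=DE result=success
2023-06-02T05:00:00Z user=newvendor src_country=US result=success
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; timestamps are UTC."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            "user": fields["user"], "country": fields["src_country"],
            "result": fields["result"]}


def build_baseline(lines):
    """Per-account source countries and sign-in hours from successful logins."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set(), "samples": 0})
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] != "success":
            continue
        entry = baseline[ev["user"]]
        entry["countries"].add(ev["country"])
        entry["hours"].add(ev["ts"].hour)
        entry["samples"] += 1
    return baseline


def score_event(ev, baseline, vca_accounts):
    """Return a finding for a deviating successful sign-in, else None."""
    if ev["result"] != "success":
        return None  # failed attempts belong to a separate detection
    is_vca = ev["user"] in vca_accounts
    entry = baseline.get(ev["user"])
    if entry is None:
        return {"user": ev["user"], "severity": "high" if is_vca else "medium",
                "reasons": ["no sign-in history for this account"]}
    reasons, severity = [], None
    if ev["country"] not in entry["countries"]:
        reasons.append(f"first sign-in from {ev['country']}")
        severity = "high" if is_vca else "medium"  # privileged VCA: escalate
    if ev["ts"].hour not in entry["hours"]:
        if entry["samples"] >= MIN_SAMPLES:
            reasons.append(f"first sign-in at hour {ev['ts'].hour:02d}")
            severity = severity or "low"
        else:
            reasons.append("unseen hour, baseline too sparse to score")
    if not reasons:
        return None
    return {"user": ev["user"], "severity": severity or "info", "reasons": reasons}


def triage(history_lines, new_lines, vca_accounts=VCA_ACCOUNTS):
    """Score every new sign-in against the baseline built from history."""
    baseline = build_baseline(history_lines)
    findings = []
    for line in new_lines:
        if line.strip():
            finding = score_event(parse_line(line), baseline, vca_accounts)
            if finding:
                findings.append(finding)
    return findings
```

Running triage(HISTORY_LOG.splitlines(), NEW_LOG.splitlines()) yields no finding for the routine jsmith login, a medium finding for jsmith from a new country, an informational note for the sparse-history vendor account, and high findings for the vendor account from a new country and for the VCA with no history at all.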

Lessons learned from IR engagements involving VCAs

Over the past several years, Talos IR has repeatedly observed adversaries abusing VCAs in different ways during incident response engagements. These accounts are frequently leveraged for initial access and then used to move laterally through the organization’s network, especially when the victim hasn’t deployed multi-factor authentication (MFA). Since VCAs are usually given elevated permissions, theft of these credentials will often result in widespread damage to victim assets and could even be used to move along the initial victim’s supply chain.

VCA credential theft doesn't always involve compromise of a username/password pair. In at least one engagement, Talos IR observed an adversary use a stolen key for public-key authentication to breach the targeted organization. This demonstrates that, although adversaries tend to focus on obtaining valid usernames and passwords, they will readily use other authentication methods when those offer easy access. Organizations with VCAs should consider this a key takeaway: protect keys and other authentication mechanisms with the same vigilance as user account credentials. Every organization should have procedures in place to rotate these keys on a schedule and to revoke keys that may have been compromised.
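One way to act on the key-handling takeaway above, as an added example that is not part of the Talos post: audit an SSH authorized_keys file, compute each key's SHA256 fingerprint the way `ssh-keygen -lf` reports it, and flag keys that are revoked, overdue for rotation, absent from the key inventory, or lacking a `from=` source restriction. The registry, the revocation list, the 180-day rotation period and the `from=` policy are assumptions; the key blobs are constructed with valid SSH wire framing but placeholder bytes and are not real keys.

```python
"""Audit of an SSH authorized_keys file for vendor/contractor keys.

Added example (not from the Talos post). Each key is parsed, its SHA256
fingerprint computed as `ssh-keygen -lf` reports it, then checked against a
key registry (issue dates), a revocation list, a rotation period and a policy
that vendor keys must carry a from= source restriction.
"""
import base64
import hashlib
import struct
from datetime import date, timedelta

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")
MAX_KEY_AGE = timedelta(days=180)  # assumption: rotation period for vendor keys


def fingerprint(blob):
    """SHA256 fingerprint of a raw key blob in OpenSSH's 'SHA256:<base64, no padding>' form."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def _split_options(line):
    """Return (options, rest); options end at the first whitespace outside double quotes."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    raise ValueError("options are not followed by a key")


def parse_authorized_keys(text):
    """Parse authorized_keys text into dicts: line, options, type, wire_type, fingerprint, comment."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = _split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected '<type> <base64> [comment]'")
        blob = base64.b64decode(parts[1], validate=True)
        (tlen,) = struct.unpack(">I", blob[:4])  # first wire field is the key type string
        keys.append({"line": lineno, "options": options, "type": parts[0],
                     "wire_type": blob[4:4 + tlen].decode("ascii", "replace"),
                     "fingerprint": fingerprint(blob), "comment": parts[2] if len(parts) == 3 else ""})
    return keys


def audit_keys(text, registry, revoked, today, max_age=MAX_KEY_AGE):
    """Return (line, finding) tuples: type_mismatch, revoked, unregistered, rotate, unrestricted."""
    findings = []
    for k in parse_authorized_keys(text):
        fp = k["fingerprint"]
        if k["type"] != k["wire_type"]:          # declared type disagrees with the blob itself
            findings.append((k["line"], "type_mismatch"))
        if fp in revoked:
            findings.append((k["line"], "revoked"))
        issued = registry.get(fp)
        if issued is None:                        # nobody recorded issuing this key
            findings.append((k["line"], "unregistered"))
        elif today - issued > max_age:
            findings.append((k["line"], "rotate"))
        if "from=" not in k["options"]:           # policy assumption: vendor keys are source-restricted
            findings.append((k["line"], "unrestricted"))
    return findings


def _wire(key_type, body):
    """SSH wire framing: uint32 length + type string, then the type-specific body."""
    t = key_type.encode()
    return struct.pack(">I", len(t)) + t + body


def b64blob(blob):
    return base64.b64encode(blob).decode()


# Constructed blobs: valid framing, placeholder bytes; these are NOT real keys.
BLOB_EHR = _wire("ssh-ed25519", struct.pack(">I", 32) + bytes(range(32)))
BLOB_DEV = _wire("ssh-ed25519", struct.pack(">I", 32) + bytes(range(32, 64)))
BLOB_OLD = _wire("ssh-rsa", b"\x00\x00\x00\x03\x01\x00\x01" + b"\x00\x00\x00\x08" + b"\x7f" * 8)

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file
from="203.0.113.0/24",no-port-forwarding ssh-ed25519 {b64blob(BLOB_EHR)} vendor-ehr
ssh-ed25519 {b64blob(BLOB_DEV)} contractor-dev
from="198.51.100.7" ssh-rsa {b64blob(BLOB_OLD)} old-vendor
"""
TODAY = date(2023, 6, 5)
REGISTRY = {fingerprint(BLOB_EHR): date(2023, 5, 1),   # assumed inventory: fingerprint -> issue date
            fingerprint(BLOB_DEV): date(2022, 1, 1),
            fingerprint(BLOB_OLD): date(2023, 4, 1)}
REVOKED = {fingerprint(BLOB_OLD)}                      # assumed: reported compromised

if __name__ == "__main__":
    for line, finding in audit_keys(SAMPLE_AUTHORIZED_KEYS, REGISTRY, REVOKED, TODAY):
        print(f"line {line}: {finding}")
```

Keying the registry and revocation list on the fingerprint rather than the comment matters: the comment field is free text that anyone with write access to the file can change, while the fingerprint is derived from the key material itself.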

As previously noted, VCA abuse is often used to achieve elevated permissions and expand access. In multiple engagements, Talos IR found that adversaries gained initial access through low-privilege accounts, but quickly pivoted to using VCAs to expand access and maximize impact.

Access and impact are often correlated, as demonstrated by two ransomware incidents investigated by Talos IR. In the first incident, the adversary gained access to a public-facing web server in the context of the web server service account. Privilege escalation attempts failed, pivot attempts failed, and the effects of the ransomware were limited to a selection of web server directories on a single server. In the second incident, the adversary compromised a VCA and modified the Active Directory Default Domain Policy, so domain-connected systems executed a ransomware binary from the domain’s SYSVOL folder. The adversary used this elevated access to detonate a ransomware binary on the victim’s ESXi host, affecting multiple virtual systems in the host’s datastore. The severity of the latter incident highlights the need for strict access controls around VCAs and the potential effects if they are compromised.

Strategies to protect against and reduce the impact of VCA abuse

Adversaries increasingly using vendor and contractor accounts to infiltrate networks

Understanding and acknowledging the level of risk your VCAs present is the first step in mitigating this threat. The challenge then becomes how to properly secure them. Fortunately, there are several strategies an organization can use to protect VCAs and mitigate the impact of a compromised VCA.

Some of the following recommendations are made with more than prevention in mind. They also enable incident responders to quickly scope which systems a compromised VCA may have reached, especially when your Active Directory is out of commission. It's a good idea to audit VCAs and general user accounts regularly, as permissions creep is all too common and makes an incident harder to contain.

Disable VCAs when they’re not needed

One of the easiest steps an IT or infosec team can take to protect VCAs is to disable them when they're not needed. This might seem like common sense, but it's the type of activity many organizations struggle to implement consistently, especially as vendors come and go. Establish a dependable process so that vendor and contractor accounts are enabled only while access is actually needed, and then conduct periodic audits to confirm the process is being followed.

There are limitations associated with this approach. If a vendor needs consistent access every one or two days, it’s probably not worth it to disable the account and then re-enable it multiple times per week. In situations like this, consider some of the other recommendations instead.

Validate logging and enforce security monitoring

Evaluate logging configurations, specifically around VCAs to ensure you have visibility into everything they do. Create alerts to identify suspicious or anomalous VCA activity. If a VCA accesses a system it shouldn’t need to access, you should know about it immediately.
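The detection challenges described earlier (time-of-day baselines for accounts that log in irregularly, geolocation for travelling consultants) and the alerting this section calls for can be made concrete. The following is an added example, not code from the Talos post: a small Python replay of logon events that keeps a per-account baseline and raises three kinds of alert. The event shape, account and host names, the per-account host allow-list and the `MIN_HISTORY` threshold are assumptions, and the events are constructed rather than real logs.

```python
"""Baseline-and-alert replay for vendor/contractor account (VCA) logons.

Added example (not from the Talos post). Three checks per logon:
  1. out_of_scope - host not in the account's approved set; needs no history
  2. new_country  - source country never seen for this account
  3. off_hours    - hour of day never seen, evaluated only once the account has
                    enough clean history for the baseline to mean anything
Flagged events are not learned, so an intruder's first odd logon does not
teach the baseline that the odd hour or country is normal.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

MIN_HISTORY = 10  # assumption: clean logons needed before hour-of-day is judged


def parse_ts(ts):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class VcaBaseline:
    """Per-account history: clean logon count, hours of day seen, countries seen."""

    def __init__(self):
        self.count = Counter()
        self.hours = defaultdict(Counter)
        self.countries = defaultdict(set)

    def learn(self, ev):
        user = ev["user"]
        self.count[user] += 1
        self.hours[user][parse_ts(ev["ts"]).hour] += 1
        self.countries[user].add(ev["src_country"])


def evaluate(events, approved_hosts, min_history=MIN_HISTORY):
    """Replay events in time order; return a list of alert dicts."""
    baseline = VcaBaseline()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, host, country = ev["user"], ev["host"], ev["src_country"]
        hour = parse_ts(ev["ts"]).hour
        allowed = approved_hosts.get(user, set())
        found = []
        if host not in allowed:  # scope violation: alert immediately, no baseline required
            found.append(("out_of_scope", f"reached {host}; approved: {sorted(allowed)}"))
        if baseline.count[user] and country not in baseline.countries[user]:
            found.append(("new_country", f"from {country}; seen: {sorted(baseline.countries[user])}"))
        if baseline.count[user] >= min_history and baseline.hours[user][hour] == 0:
            found.append(("off_hours", f"at {hour:02d}:00 UTC; usual: {sorted(baseline.hours[user])}"))
        if found:
            alerts.extend({"user": user, "ts": ev["ts"], "kind": k, "detail": d} for k, d in found)
        else:
            baseline.learn(ev)  # only clean logons shape the baseline
    return alerts


def _ev(ts, user, country, host):
    return {"ts": ts, "user": user, "src_country": country, "host": host}


# Constructed sample data (assumed names; not real logs).
APPROVED_HOSTS = {
    "svc-ehr-vendor": {"ehr-app-01", "ehr-db-01"},
    "contractor-dev": {"build-01"},
}
SAMPLE_EVENTS = [
    # EHR vendor: twelve weekday business-hours logons from the US, all in scope
    _ev(f"2023-05-{day:02d}T{hour:02d}:10:00Z", "svc-ehr-vendor", "US", "ehr-app-01")
    for day, hour in zip(range(1, 13), [14, 15, 14, 16, 15, 14, 14, 15, 16, 14, 15, 14])
] + [
    _ev("2023-05-13T03:20:00Z", "svc-ehr-vendor", "RO", "ehr-db-01"),  # in scope, odd hour, new country
    _ev("2023-05-13T03:25:00Z", "svc-ehr-vendor", "RO", "dc-01"),      # domain controller: out of scope
    # Travelling contractor: three logons a week or more apart, each from somewhere new.
    # Too little history for off_hours ever to fire, which is the gap the post describes.
    _ev("2023-05-02T09:00:00Z", "contractor-dev", "DE", "build-01"),
    _ev("2023-05-09T22:00:00Z", "contractor-dev", "PT", "build-01"),
    _ev("2023-05-20T03:00:00Z", "contractor-dev", "JP", "build-01"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, APPROVED_HOSTS):
        print(f"{a['ts']} {a['user']:16} {a['kind']:13} {a['detail']}")
```

Run against the sample, the EHR vendor's two 03:00 UTC logons from a new country produce geo and off-hours alerts, and the attempt to reach the domain controller fires the scope check; the contractor's changing countries are flagged each time, but the off-hours check never fires for that account because it has too little history. That is the point: for intermittent vendor accounts the scope allow-list is the check you can rely on, while behavioural baselines remain silent.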

Implement least privilege access

Effective access control is a common challenge in enterprise environments, and VCAs are no exception. Think about this concept in the context of physical security. If an HVAC vendor enters a high-security facility to perform maintenance, they won’t be allowed to roam around, peering in office windows and rattling door knobs. They’ll be given direct access to the specific set of rooms they need to do their job and nothing more. The same restrictions should apply for VCAs. Limit what they can access at the network or application layer. If they are supporting a specific application or product, only allow them to access those applications on the systems and ports you would expect.

Taking this concept a step further, isolate VCAs as much as possible via your network and security architecture. Isolating VCAs allows stronger security controls to be configured around these accounts and streamlines implementation of more aggressive remediation actions during incident response. Isolation can be achieved through a variety of means including, but not limited to, Network Access Control (NAC), network segmentation and Active Directory groups. Penetration tests and red team engagements can be used to better understand the extent of VCA access, and the potential effects of a compromised VCA.
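The account-level advice in this part of the post (audit for permissions creep, disable accounts that are not needed, leave alone the vendors who connect every day or two, and keep group membership to what the role requires) can be turned into one repeatable check. The following is an added example, not code from the Talos post. The inventory fields, thresholds, group names and account names are assumptions, and the inventory itself is constructed.

```python
"""Repeatable audit of vendor/contractor accounts (VCAs) against a small inventory.

Added example (not from the Talos post). For each account it decides:
  disable         - engagement is over, or the account has been idle far longer
                    than the vendor's expected cadence
  logon_after_end - a logon occurred after the engagement end date (investigate)
  keep_enabled    - used every day or two, so toggling is not worth it; rely on
                    monitoring, least privilege and a jump box instead
  remove_groups   - group membership beyond what was approved (permission creep)
"""
from datetime import date, timedelta

IDLE_MULTIPLIER = 3        # assumption: idle when silent for 3x the expected cadence
FREQUENT_CADENCE_DAYS = 2  # assumption: accounts used this often stay enabled
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumption


def audit(inventory, today, idle_multiplier=IDLE_MULTIPLIER, frequent_days=FREQUENT_CADENCE_DAYS):
    """Return a list of finding dicts: account, action, severity, reason."""
    findings = []

    def add(account, action, reason, severity="medium"):
        findings.append({"account": account, "action": action, "severity": severity, "reason": reason})

    for acct in inventory:
        name = acct["account"]
        idle = today - acct["last_logon"]
        if acct["engagement_end"] < today:
            add(name, "disable", f"engagement ended {acct['engagement_end']}", "high")
            if acct["last_logon"] > acct["engagement_end"]:  # activity after the contract closed
                add(name, "logon_after_end", f"last logon {acct['last_logon']} is after engagement end", "high")
        elif acct["cadence_days"] <= frequent_days:
            add(name, "keep_enabled",
                f"used every {acct['cadence_days']} day(s); control via monitoring, least privilege and a jump box", "info")
        elif idle > timedelta(days=acct["cadence_days"] * idle_multiplier):
            add(name, "disable", f"idle {idle.days} days, expected every {acct['cadence_days']}; re-enable on request")
        extra = set(acct["groups"]) - set(acct["approved_groups"])
        if extra:  # permission creep; membership in a tier-0 group is the worst case
            add(name, "remove_groups", f"member of unapproved groups {sorted(extra)}",
                "high" if extra & TIER0_GROUPS else "medium")
    return findings


TODAY = date(2023, 6, 5)  # fixed so the example is reproducible

# Constructed inventory (assumed names, dates and groups).
INVENTORY = [
    {"account": "svc-ehr-vendor", "engagement_end": date(2024, 12, 31), "cadence_days": 1,
     "last_logon": TODAY - timedelta(days=1),
     "groups": {"EHR-Admins", "Domain Admins"}, "approved_groups": {"EHR-Admins"}},
    {"account": "contractor-dev", "engagement_end": date(2023, 9, 30), "cadence_days": 30,
     "last_logon": TODAY - timedelta(days=100),
     "groups": {"Developers"}, "approved_groups": {"Developers"}},
    {"account": "hvac-vendor", "engagement_end": date(2023, 3, 31), "cadence_days": 14,
     "last_logon": TODAY - timedelta(days=10),
     "groups": {"BMS-Operators"}, "approved_groups": {"BMS-Operators"}},
    {"account": "core-banking-vendor", "engagement_end": date(2024, 6, 30), "cadence_days": 7,
     "last_logon": TODAY - timedelta(days=5),
     "groups": {"CoreBanking-Admins"}, "approved_groups": {"CoreBanking-Admins"}},
]

if __name__ == "__main__":
    for f in audit(INVENTORY, TODAY):
        print(f"[{f['severity']:6}] {f['account']:20} {f['action']:16} {f['reason']}")
```

The inventory is the part most organizations lack: an engagement end date, an expected access cadence and an approved group list per vendor account. Without those three fields there is nothing to audit against, which is why the post's advice to audit VCAs starts with knowing what each one is for.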

Include VCAs in remote access health checks

You work hard to be sure your end user workstations are hardened and protected with a variety of host-based controls. Don’t let a vendor using an unrecognized, unpatched and unprotected personal device be the reason for a long and costly incident. Deploy and configure health checking and/or trusted device configurations for remote devices, either through integrated operating system functions or third-party tools. This is a great practice for the entire workforce but is particularly relevant for vendors who may not be using company-owned assets. Ask your vendors to share their security and compliance documentation to help understand security practices and baselines in their organization. Your organization is only as safe as the least protected system accessing your resources.

Use a jump box or dedicated vendor access application

One of the best ways to enforce vendor security requirements is to create a single point of entry through a jump box or dedicated vendor access application. This approach allows multiple security functions to be implemented through a single, specialized system (or group of systems). For example, a vendor access application can grant vendors access to the systems required to accomplish their tasks and nothing more. It can ensure proper logging and monitoring of activities performed by a vendor while connected. It can also provide system health checking capabilities, and some may even provide a degree of proxying or sandboxing of files transferred into or out of the organization’s environment using the VCA.

Adversaries are going to continue to abuse VCAs. It’s an established and effective way to obtain privileged access using accounts that blend in with other administrative accounts. If you’re reading this and you know you have a VCA with a customer, talk to them about it. Ensuring that your customers are prepared and protected before a supply chain attack might be the greatest value-add you can offer.

Logistics for a Remote Company

5 June 2023 at 22:00

Logistics and shipping devices across the world can be a challenging task, especially when dealing with customs regulations. For the past few years, I have had the opportunity to learn about these complex processes and how to manage them efficiently. As a Practice Manager at Doyensec, I was responsible for building processes from scratch and ensuring that our logistics operations ran smoothly.

Since 2018, I have had to navigate the intricate world of logistics and shipping, dealing with everything from international regulations to customs clearance. Along the way, I have learned valuable lessons and picked up essential skills that have helped me manage complex logistics operations with ease.

In this post, I will share my experiences and insights on managing shipping devices across the world, dealing with customs, and building efficient logistics processes. Whether you’re new to logistics or looking to improve your existing operations, my learnings and experiences will prove useful.

Employee Onboarding

At Doyensec, when we hire a new employee, our HR specialist takes care of all the necessary paperwork, while I focus on logistics. This includes creating a welcome package and shipping all the necessary devices to the employee’s location. While onboarding employees from the United States and European Union is relatively easy, dealing with customs regulations in other countries can be quite challenging.

For instance, shipping devices from or to countries such as the UK (post-Brexit), Turkey, or Argentina can be quite complicated. We need to be aware of the customs regulations in these countries to ensure that our devices are not bounced back or charged exorbitant customs fees.

Navigating customs regulations in different countries can be a daunting task. Still, we’ve learned that conducting thorough research beforehand and ensuring that our devices comply with the necessary regulations can help avoid any unnecessary delays or fees. At Doyensec, we believe that providing our employees with the necessary tools and equipment to perform their job is essential, and we strive to make this process as seamless as possible, regardless of where the employee is located.

Testing Hardware Management

At Doyensec, managing testing hardware is a crucial aspect of our operations. We use a variety of equipment for our work, which means we often have to navigate customs regulations, including the payment of customs fees, to ensure that our laptops, YubiKeys and mobile devices arrive on time.

To avoid delays in conducting security audits, we often choose to pay additional fees, including VAT and customs charges, to ensure that we receive hardware promptly. We understand that time is of the essence, and we prioritize meeting our clients’ needs, even if it means spending more money to ensure items required for testing are not held up at customs.

In addition to paying customs fees, we also make sure to keep all necessary documentation for each piece of hardware that we manage. This documentation helps us to speed up further processes and ensures that we can quickly identify and locate each and every piece of hardware when needed.

The hardware we deal with most frequently is laptops, though we occasionally receive YubiKeys as well. Fortunately, YubiKeys generally do not cause any problems at customs (low market value), and we can usually receive them without significant issues.

Over time, we've learned that different shipping companies have different approaches to customs regulations. To ensure that we can deliver quality service to our clients, we prefer to use companies that we know will treat us fairly and deliver hardware on time. We have almost always had a positive experience with DHL as our preferred shipping provider. DHL's automated customs processes and documentation have been particularly helpful in ensuring smooth and efficient shipping of Doyensec's hardware and documents across the world. DHL's reliability and efficiency have been critical in allowing Doyensec to focus on its core business, which is finding bugs for our fantastic clients.

We have a preference for avoiding local post office services when it comes to shipping our hardware or documents. While local post office services may be slightly cheaper, they often come with more problems. Packages may get stuck somewhere during the delivery process, and it can be difficult to follow up with customer service to resolve the issue. This can lead to delayed deliveries, frustrated customers, and ultimately, a negative impact on the company’s reputation. Therefore, Doyensec opts for more reliable shipping options, even if they come with a slightly higher price tag.

2022 Holiday Gifts from Japan

At Doyensec, we believe in showing appreciation for our employees and their hard work. That's why we decided to import some gifts from Japan to distribute among our team members. What we did not anticipate was the range of customs fees we would encounter while shipping these gifts to different countries.

We shipped these gifts to 7 different countries, all through the same shipping company. However, we found that customs officers took different approaches even within the same country. This resulted in customs fees ranging from 0 to 45 euros per package.

The interesting part was that every package had the same invoice from the Japanese manufacturer attached, but the fees still differed significantly. It was challenging to understand why this was the case, and we still don’t have a clear answer.

Overall, our experience with importing gifts from Japan highlighted the importance of being prepared for unexpected customs fees and the unpredictability of customs regulations.


Managing devices and shipping packages to team members at a globally distributed company, even with a small team, can be quite challenging. Ensuring that packages are delivered promptly and to the correct location is difficult, especially under tight project deadlines.

Although it would be easier to manage devices if everyone worked from the same office, at Doyensec, we value remote work and the flexibility that it provides. That’s why we have invested in developing processes and protocols to ensure that our devices are managed efficiently and securely, despite the remote working environment.

While some may argue that these challenges are reason enough to abandon remote work and return to the office, we believe that the benefits of remote work far outweigh any challenges we may face. At Doyensec, remote work allows us to hire talented individuals from across the EU, the US and Canada, offering a diverse and inclusive work environment. Remote work also allows for greater flexibility and work-life balance, which can result in happier and more productive employees.

In conclusion, while managing devices in a remote work environment can be challenging, we believe that the benefits of remote work make it worthwhile. At Doyensec, we have developed strategies to manage devices efficiently, and we continue to support remote work and its many benefits.