Teamspeak Vulnerabilities


Faustina Bartsch

Aug 3, 2024, 4:46:13 PM8/3/24
to eradizbo

Remote work and corporate digitization initiatives drive productivity gains across the supply chain. These new workflows depend on functionality across numerous critical applications and data repositories. Each of these connections becomes a potential point of exposure, disruption, and loss. Manufacturers integrate internal security teams to help build a defense against downtime caused by cyber attacks. They are known as blue teams.

This article explains blue teams, their role within an organization, how blue teams enhance cybersecurity, and how blue team exercises further help blue teams protect against cyber attacks that can cause business disruption and financial loss. We will also explain the purple team and what happens during a purple team assessment.

Like a red team, blue teams comprise a group of individuals who assess a network to identify any potential vulnerabilities that affect devices or critical systems a business owns. Unlike a red team that will exploit the identified vulnerabilities, the blue team seeks viable means to improve the ability to avoid, deter, resist and respond to probable threats that are likely to become loss events. The role of the blue team is to serve as the defender for all electronic assets owned by an organization, whether internally or externally hosted.

Many manufacturers and producers use automated security tools to help identify and remediate vulnerabilities to protect against cyber attacks. However, if a business does not use policies, controls, monitoring, logging, patching, and incident management, it will be forced to react to incidents blindly.

Blue teams are responsible for monitoring, detecting, and reacting to security threats. We find that many manufacturers are completing some of these requirements, which is why cyber criminals continue to focus on manufacturers. No one is responsible for performing these essential roles. During a breach, blue teams are instrumental. They will follow the policies and protocols to isolate compromised systems to prevent escalation of attacks, such as ransomware, from spreading throughout the business network.

At the end of the blue team exercise, the red team will discuss the attack methods and their actions afterward. The blue team later uses this information to evaluate and prioritize changes required to prevent a similar attack from being successful again. In some cases, red teams and blue teams will directly interact during the simulated attacks, measure the effectiveness of attack response and provide help with how to deal with the threat if the blue team experiences any difficulty. These types of assessments are generally known as purple team exercises.

While red and blue teams work with manufacturers and producers to help improve their cybersecurity, there are substantial differences between them. The first difference between the red and blue teams is their specialty and background in cybersecurity. Red team members often specialize in offensive security practices, where their focus is finding vulnerabilities that can affect a business and developing custom exploits and tools to use during engagements.

On the other hand, blue teams focus on using their background in cybersecurity to help protect companies by identifying vulnerabilities, applying required security patches, and developing custom tools and filters to detect attacks. Blue teams also specialize in developing security practices and policies that evolve based on the needs of the business and the current state of cyber threats.

Blue team members also use specialized tools to monitor network traffic and create specific filters to identify attacks that are taking place. Some of the tools used by blue team groups include intrusion detection and prevention, packet analysis, log and packet aggregation, active endpoint detection and response, and honeypots.

Intrusion detection and prevention tools serve as the first line of defense for identifying and preventing attacks from outside the network. Blue teams can use these tools to determine which assets are targeted and to identify which machines are actively being targeted. Blue team members can later use this information to investigate whether the targeted devices had any vulnerabilities that could have resulted in a successful breach.

Active endpoint detection and response (ActiveEDR) is essential to blue teams. It solves the problems of EDR as we know it by tracking and contextualizing everything on a device. ActiveEDR can identify malicious acts in real-time, automate the required responses, and allow for easier threat hunting by searching in a single console. ActiveEDR has some similarities to other EDR solutions, but it does not rely on cloud connectivity for detection. This offline functionality effectively reduces dwell time to run time. The agent uses AI to decide without depending on cloud connectivity. The ActiveEDR continuously draws stories of what is happening at the endpoint. Once it detects harm, it can mitigate malicious files and operations and the entire storyline.

Red team members will use various tools and techniques to emulate targeted cyber attacks. The blue team is evaluated on its capability to respond to and defend against these attacks. Due to the limited interaction between these two teams during the engagements, there is a risk that important lessons or information could be missing from either team. Purple team assessments allow the red and blue teams to share important information and increase shared understanding.

At the end of the assessment, both teams will discuss their observations during the purple team assessment, which allows both groups to learn about the detection methods of the attacks for future reference. The red team will use the captured data to produce an actions report covering the assessment results.

As a proud supporter of American companies, Certitude Security is working diligently to inform leaders and facilitate essential asset protection priorities for manufacturers and supply chains throughout the United States.

Mirai is an IoT botnet (or thingbot) that F5 has discussed since 2016. It infamously took down large sections of the Internet in late 2016 and has remained active ever since. Its source code was released online in September 2016, allowing unskilled attackers to create a malicious botnet with relative ease. Mirai continues to target IoT devices using the same tactics as before to attack and harness the collective power of millions of unprotected devices to launch DDoS attacks. It does not usually spread through traditional phishing attempts but acts as a self-propagating worm that searches for and attacks vulnerable servers. Although small changes have been made to this malware, malicious actors now appear to have taken advantage of public interest in the coronavirus (COVID-19) by naming their latest variant file covid. This sample, which is detailed below, is publicly available.

After F5 researchers detected this new Mirai variant, it appears that the authors did not remake the malware or create new exploits. This sample was spotted with two different hashes that multiple antivirus engines detected and identified. Both samples are named covid and have different file extensions. For a table of the indicators of compromise (IoCs) for this sample, see the COVID-19 Fails to Slow Down Hackers section of this article.

Threat monitoring tools noted that the IP address hosting this malware is a Hostwinds domain. It is currently still active and the Whois information is hidden. Those seeking to perform additional analysis can use the following path to find the sample:

Neither of these targets is unique and both have long been Mirai and Bashlite targets.1 Mirai focuses on both TeamSpeak and Huawei because these systems have historically had vulnerabilities associated with default passwords. TeamSpeak is a choice target because its responses are larger than the requests made to it and can be used to conduct a volumetric amplification DDoS attack.

Enterprises and individuals should consider implementing the following security controls, depending on their specific circumstances (for a longer list of IoT hardening suggestions, see the conclusion of Hunt for IoT volume 4):

Working at F5 for 5 years, Doron handles and analyzes cyber threat investigations for most of the major banking malware families in recent years. Doron holds a Bachelor of Science focused in Computer Science.

The aim of this blog is to provide a review of the software vulnerabilities reported by Flexera, in this case for the period from March 28 to April 25. We analyzed the vulnerabilities, vendors and software that have new security risks. I will explore the data to look at it from different perspectives, in order to see the big threat picture that is being introduced. And I will try to answer the following questions:

Secunia Advisory ID is a proprietary security advisory bulletin issued by Flexera in the event a new software vulnerability is discovered by Secunia Research, or reported publicly by the corresponding affected vendor, another third-party security team, researcher or reporter.

SAIDs are synonymous with world-class vulnerability research and human-curated vulnerability intelligence. After enabling the optional Threat Intelligence module for the Software Vulnerability Manager and Software Vulnerability Research solutions, a threat score will also be included within SAIDs.

Between March 28 and April 25, Flexera released a total of 469 Secunia Advisory IDs, without counting advisories released as "Rejection Notice." About 55% of the vulnerabilities reported in the 469 SAIDs have been associated with a known threat, and more than half of all advisories reported on multiple vulnerabilities. Here is a summary of the 55% with a known threat:

We would have to discard 45.7% of the newly reported vulnerabilities if we are to follow this practice. I will be overlooking important threats which only become apparent after analyzing the discarded data with Threat Intelligence. Here is an example of three specific advisories that would have been ignored:
