Categories
Management Security

SonicWall App Control

App Control

To restrict inbound/outbound traffic of an application:

  1. Log in to your SonicWall with admin privileges
  2. Navigate to the Policy tab
  3. Expand Security Services in the left-hand pane and click App Control
  4. Turn on the Enable App Control switch, then click Accept to apply the change
  5. Switch to the Signatures tab within App Control
  6. Use the provided dropdowns to filter for the app whose access you wish to alter
  7. Hover over the application, click the edit symbol, and select the criteria that best suit your needs

Categories
Management Security

Audit 4625

Individual machines worldwide are being hacked away at every day; we are generally only aware of the attempts that succeed. Monitoring the failed attempts, however, helps identify potential vulnerabilities.

To monitor failed login attempts we can take advantage of Windows Event ID 4625, which signifies that a logon attempt on the PC failed. In combination with Task Scheduler, we can automate this into a recurring alert that emails us as soon as a failed login is detected.

See the code and procedure below:

$EventId = 4625   # Security log: "An account failed to log on"

# Pull the newest failed-logon event. -ErrorAction Stop surfaces "no events found"
# immediately instead of leaving $A empty (see Known Bugs, item 2)
$A = Get-WinEvent -MaxEvents 1 -FilterHashtable @{LogName = "Security"; ID = $EventId} -ErrorAction Stop
$Message     = $A.Message
$MachineName = $A.MachineName
$Source      = $A.ProviderName

# Resolve the event's SID to an account name. Failed logons for Microsoft accounts
# carry a NULL SID (see Known Bugs, item 1), so fall back instead of aborting
$User = "UNRESOLVED"
$sid = $A.UserId   # already a System.Security.Principal.SecurityIdentifier, or $null
if ($sid -ne $null) {
    try {
        $User = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $User = $sid.Value   # e.g. S-1-0-0 cannot be translated: report the raw SID
    }
}
Write-Host $User

$EmailFrom  = "from@email.com"
$EmailTo    = "to@email.com"
$Subject    = "Alert From $MachineName"
$Body       = "EventID: $EventId`nSource: $Source`nMachineName: $MachineName`nUser: $User`nMessage: $Message"
$SMTPServer = "mail.domain.com"
$SMTPPort   = 587   # placeholder (the original left this as PORT_NUM): use your mail server's submission port
$SMTPClient = New-Object Net.Mail.SmtpClient($SMTPServer, $SMTPPort)
$SMTPClient.EnableSsl = $true
# Placeholder credentials; keep the real ones outside the script file (e.g. a PSCredential saved with Export-Clixml)
$SMTPClient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body)

How to configure and run the Audit_4625 script (automatic alerts for failed logins):

  1. Log onto target machine, user privileges (admin/regular) doesn’t matter

Setup Script:

  1. Navigate to the local C: drive on the computer
  2. Create a .ps1 file named “Audit_4625”
  3. Open this file in the text editor of your choice
  4. Copy and paste the “Audit_4625” script from above
  5. Confirm that the to: address ($EmailTo) is YOUR_EMAIL
  6. Save the file

Setup PowerShell:

  1. In the Start search field, search for either PowerShell or PowerShell ISE, right-click and run as administrator
  2. In the PowerShell window, run the command Get-ExecutionPolicy; if the output is Restricted, move to the sub-step
    1. If the execution policy is Restricted, run the following command:

Set-ExecutionPolicy RemoteSigned

  3. Run Get-ExecutionPolicy again to confirm the policy changed

Setup Task:

  1. Navigate to Event Viewer
  2. In Event Viewer Left-Hand Pane, select Windows Logs > Security
  3. Filter events by ID: 4625 (id for failed login)
    1. If no events are logged, filter for ID: 4624 instead (id for successful login)
  4. Right-click any event with this ID and select Attach a task to this event; a Create Basic Task wizard will pop up
  5. Rename the task Security_Microsoft-Windows-Security-Auditing_4625
    1. Optionally add a description of the task: “Automatic email alert when failed login attempt on some user”
  6. Click next, leaving the default event trigger settings
    1. If the Event ID is 4624, that is fine for setup; we will change it later in Task Scheduler
  7. Click next, select action as Start a Program
  8. Click next; on the Action sub-menu Start a Program, enter the file path for Windows PowerShell in the Program/Script field

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

*easiest to search/browse for file*

  9. In the Add Arguments (optional) field, type the path to the Audit_4625 script on the C: drive – C:\Audit_4625.ps1
  10. Click next, verify the information, and select Finish

Setup Task Scheduler:

  1. Navigate to Task Scheduler
  2. In either Active Tasks or Event Viewer Tasks, locate the new Security_Microsoft-Windows-Security-Auditing_4625 task
  3. Double-click the task and the task properties window will pop up
  4. In general tab, select radio button Run whether user is logged on or not, select check box Run with highest privileges
  5. Confirm configuration is correct for what your machine runs with
  6. On trigger tab, double-click trigger, change Event ID to 4625, click OK
  7. On conditions tab, uncheck boxes Start the task only if the computer is on AC power and Stop if the computer switches to battery power, click OK
  8. Confirm changes and select OK, type user password if prompted to confirm changes

Test Script:

  1. Log off of user, wait for login screen to appear
  2. Type in wrong password
  3. If configured correctly, YOUR_EMAIL will receive an email alert with details of the triggered event

Known Bugs:

  1. Due to Microsoft security, if the failed login attempt is for a user with a Microsoft account, the alert will fire but the SID will not be resolved, since it is set to NULL
  2. The event may not trigger, and the script will throw an error, if no logs associated with the ID are found

Categories
Bugs Security Updates

The Windows Blues

The Issue

Last Tuesday’s Windows update for Windows 11 has brought more issues than fixes, with many users reporting Blue Screens of Death (BSODs) and other errors after successfully installing the update to their machine.

The update in question is KB5035853, which is part of the Windows 11 March 2024 Update(s). While said update includes notable improvements, the amount of issues being reported since release is starting to tip the scale the other direction.

Users that have been experiencing the BSOD are greeted by the error message THREAD STUCK IN DEVICE DRIVER, among other messages, each time the screen is displayed. The error occurs immediately after user logon; it should be noted that a BSOD can be attributed to many factors, both hardware and software.

Based on the statistics of recent reports, the underlying issue is speculated to be related to Lenovo-specific hardware and BitLocker, although other brands have experienced issues as well, including significant slowdowns and prolonged boot times.

The Fix

While it is not fully known what the cause of the bad update is, there are a few steps that you can take to try to resolve it.

  1. One option is to download WinDbg and analyze the crash dump to get more information about the cause of the BSOD.
  2. Another option is to try updating your BIOS, as some users have reported that this has helped to resolve the issue. You can check the manufacturer’s website for your specific hardware to see if there are any available BIOS updates.
  3. If you are experiencing issues with Bitlocker, you may want to try temporarily disabling it and then re-enabling it after the update has been installed.
  4. Finally, if you are still experiencing issues after trying these steps, you may want to consider uninstalling the KB5035853 update and waiting for a newer version to be released.

Summary

This is only the most recent occurrence in a string of bad updates from Microsoft, and it is expected that they will have a patch sooner rather than later. If you are having any issues related to this update, or other updates, feel free to contact Microsoft directly at their support page.

Categories
Coding Hacking Security

WordPress Password-Cracking Botnet: What to Know

Since 2018, password-cracking botnets have been targeting WordPress sites. These botnets are made up of infected WordPress sites that are repurposed to perform brute-force attacks on other WordPress sites. The threat actors use WordPress's native XML-RPC interface to brute-force username/password pairs; the end goal is to gain access to privileged accounts and then use the newly enslaved machine to repeat the process against others.

How the Botnet Works

What is a botnet?

A botnet is a network of infected machines, controlled by a single actor, that uses tactics such as malicious code and remote access to spread the infection further.

Russian Origins

The particular botnet in question works through a group of four command and control (C2) servers, which send requests to over 14,000 proxy servers provided by a Russian domain called best-proxies[.]ru. Some digital footprints, however, point to servers in Romania and the Netherlands as well.

These proxy servers are used to anonymize the C2 traffic. The requests are then sent to over 20,000 infected WordPress sites, which are running an attack script. This script attacks targeted WordPress sites by attempting XML-RPC authentication to access privileged accounts.

function createFullRequest($login, $passwords){
    $xml = createRequestXML();                        // start an empty XML-RPC request document
    for($i = 0; $i < count($passwords); $i++){
        // append one authentication call per candidate password, all for the same login
        $xml = addElementXML($xml, $login, $passwords[$i]);
    }
    $request = $xml->saveXML();                       // serialize the DOMDocument to a string
    return $request;
}

The script itself generates passwords pulled from publicly accessible credential patterns; once a pattern is determined, it will apply said pattern in a brute force test. For instance, if the script is attempting to log on to example.com as the user Alice, it will utilize passwords such as Alice1, Alice2018, and so on. This tactic can be very effective when used at scale across a large number of targets.

The instructions the C2 system issues to the script can optionally define $startPass and $endPass variables, which tell the script to attempt only a subset of a given password list instead of the entire set. This greatly increases the speed at which the system as a whole operates.
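As an added example (not code from the article or from the botnet script it quotes), the following Python looks at the same request format from the targeted site's side: it parses an XML-RPC request body and counts how many username/password guesses a single request bundles, which is the signal a WAF or request log review can alert on. It assumes the batching is done through XML-RPC's system.multicall wrapping an authenticated method such as wp.getUsersBlogs; the method list and the sample requests are constructed for this example.

```python
import xml.etree.ElementTree as ET

# XML-RPC methods whose first two parameters are (username, password).
# Assumption for this example: the botnet batches calls to such methods.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts"}
MAX_ATTEMPTS_PER_REQUEST = 1  # a legitimate client has no reason to bundle logins


def _strings_under(node):
    """Text of every <string> value below node, in document order."""
    return [] if node is None else [s.text or "" for s in node.iter("string")]


def credential_attempts(body):
    """Return the (method, username, password) triples bundled in one request body."""
    root = ET.fromstring(body)
    top = root.findtext("methodName", "")
    attempts = []
    if top in AUTH_METHODS:
        vals = _strings_under(root.find("params"))
        if len(vals) >= 2:
            attempts.append((top, vals[0], vals[1]))
    elif top == "system.multicall":
        # Each inner call is a <struct> with a methodName member and a params member
        for call in root.iter("struct"):
            members = {m.findtext("name"): m for m in call.findall("member")}
            if "methodName" not in members:
                continue
            name = members["methodName"].findtext("value/string")
            vals = _strings_under(members.get("params"))
            if name in AUTH_METHODS and len(vals) >= 2:
                attempts.append((name, vals[0], vals[1]))
    return attempts


def is_bulk_login(body):
    """True when one request carries more login guesses than a real client would send."""
    return len(credential_attempts(body)) > MAX_ATTEMPTS_PER_REQUEST


def _call(method, user, password):
    """Build one inner multicall entry (used only to construct the sample below)."""
    return ("<value><struct>"
            f"<member><name>methodName</name><value><string>{method}</string></value></member>"
            "<member><name>params</name><value><array><data>"
            f"<value><string>{user}</string></value><value><string>{password}</string></value>"
            "</data></array></value></member></struct></value>")


# Constructed samples: one normal login call, and one multicall bundling three
# guesses for the user Alice in the pattern the article describes (Alice1, Alice2018, ...)
SAMPLE_SINGLE = ("<?xml version='1.0'?><methodCall><methodName>wp.getUsersBlogs</methodName>"
                 "<params><param><value><string>alice</string></value></param>"
                 "<param><value><string>correct horse battery</string></value></param>"
                 "</params></methodCall>")
SAMPLE_MULTICALL = ("<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName>"
                    "<params><param><value><array><data>"
                    + "".join(_call("wp.getUsersBlogs", "Alice", p)
                              for p in ("Alice1", "Alice2018", "Alice123"))
                    + "</data></array></value></param></params></methodCall>")
```

Running `credential_attempts(SAMPLE_MULTICALL)` returns the three bundled guesses, so `is_bulk_login` flags it while the single call passes.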

Similar Attacks

As recently as February 2024, similar attacks have been seen injecting custom malicious JavaScript into WordPress sites without the owners' knowledge, causing site visitors to be silently redirected in the background. The hidden redirection points the visitor to a malicious clone of the site, reporting a user name and list of passwords to a getTask method; as a result, the hackers are given a list of credentials that are tried against those accounts, and the cycle then continues with other machines in a never-ending loop of credential requests and results.

const getTaskUrl = 'hxxps://dynamic-linx[.]com/getTask.php';
const completeTaskUrl = 'hxxps://dynamic-linx[.]com/completeTask.php';

It is not yet known where this modern take on the botnet attack originates, as the botnet is already quite large, amassing a list of approximately 1,200 affected IPs in just under four days. Security specialists are, however, working toward a solution.

Learn more about this from Ars Technica!

How Do You Know?

It’s generally no small task to determine if you’ve been infected, much less the source of infection, as malware by design hides itself thoroughly. The first place to look for infection, with regards to WordPress, is your server/site logs, generally defaulted to the location: C:\inetpub\logs.

Additionally, check within your installation’s Web-Admin, Content and User folders for any recent or suspicious changes.

How to Protect Your WordPress Site

To protect your WordPress site from this type of attack, it’s important to take the following steps:

  1. Use strong, unique passwords: Make sure that you are using strong, unique passwords for all of your WordPress accounts; this will make it more difficult for attackers to gain access to your site. Additionally, consider adding two-factor authentication to your users’ login.
  2. Limit login attempts: Consider using a plugin to limit the number of login attempts that can be made against your site; this will help to prevent brute-force attacks. Many of these plugins offer further customization beyond limiting attempts, such as lockout periods and IP blacklisting.
  3. Remove unused user accounts: If you are no longer using an account, or you believe an account may be compromised, it is safest to remove the account entirely, as you can always recreate it later. In addition, once your site is fully set up, consider removing the default admin account, as this is the first account hackers try in their attempts to bypass your site’s security.
  4. Keep your WordPress site up to date: Make sure that you are running the latest version of WordPress and that all of your plugins and themes are up to date. By updating on a consistent schedule, you ensure your system carries the current security patches and bug fixes included in each update.
  5. Use a security plugin: Consider using a security plugin to help protect your site. There are many free and paid options available that can help to prevent brute-force attacks and provide other security features, such as custom reports and notifications.

We recommend the free plugin Loginizer, which includes brute-force protection and failed login attempt alerting.

Conclusion

The recent WordPress password-cracking botnet is a serious threat to WordPress sites, but it is only the tip of the security iceberg. As more and more computers become infected through seemingly ‘normal’ websites, malware can travel stealthily behind the scenes. By taking proper precautions you can protect yourself from this type of attack, as well as countless others.

Categories
Development Hacking Security

Lazarus Group Exploits Windows Zero-Day for Privilege Escalation with FudModule Rootkit

1. Lazarus

The Lazarus group, a North Korean collective known for sabotage of cyber systems, has recently been exploiting a Windows kernel privilege escalation vulnerability (CVE-2024-21338) as a zero-day. The vulnerability lies in appid.sys, the core driver of AppLocker, Microsoft’s application whitelisting feature; it earned a score of 7.8 out of 10 on the CVSS scale.

Lazarus has taken advantage of the vulnerability with the use of the FudModule rootkit, a data-only rootkit that accesses kernel read/write privileges through your machine’s drivers; the ultimate goal – bypass Windows security mechanisms.

Prior to the most recent iteration of this exploit, attackers would obtain kernel read/write privileges by attacking known vulnerabilities in third-party drivers. With the FudModule rootkit, however, the attackers apply a special handle table entry manipulation technique to suspend PPL (Protected Process Light) protected processes.

The AV programs affected include, but are not limited to, Microsoft Defender, CrowdStrike Falcon, and HitmanPro.

2. FudModule

The FudModule rootkit itself is a frighteningly versatile piece of malware; it leverages kernel-level read/write access to disable important features that security products rely on to detect suspicious behavior. These include registry callbacks, object callbacks, and process, thread, and image kernel callbacks.

It is also capable of removing the file system minifilters that AV programs use to monitor file operations.

AV products use these mechanisms to find and block affected drivers; keep in mind that updating an affected driver does not necessarily remove older, vulnerable versions from the system, leaving those weak spots open to attack.

A further rootkit behavior targets specific AVs altogether, as mentioned earlier, rendering their protection bypassed and non-functional.

3. Summary

The Lazarus Group is one of the most well-known and persistent threats to cybersecurity. The FudModule rootkit is only the most recent display of their technical prowess.

It is important for organizations to stay vigilant in their security; this includes taking proper precautions, addressing potential leaks/weaknesses in infrastructure, and regularly applying updates. Additionally, having monitors in place will help spot suspicious behavior before anything malicious occurs.

Staying educated, up to date, and aware will serve your system’s security in the long-term.

Categories
Coding Development

Top 5 Scripting Languages to Master in 2024

1. JavaScript

Often included alongside HTML and CSS, JavaScript (or JS) is known as the “language of the World Wide Web”, being used to add functionality and dynamic behavior to otherwise static webpages.

As of 2023, 63.61% of client-side pages and webapps utilize JS in their source worldwide.

2. Python

A high-level programming language, Python is known for its versatility in application. Taking advantage of meaningful indentation, this language provides one of the most readable and easy to understand syntaxes. Python supports many programming philosophies, including object-oriented, structured, and functional programming.

As of 2023, 49.28% of developers around the world use Python.

3. SQL

Standing for “structured query language”, SQL is a domain-specific language intended for the collection and manipulation of data. Most commonly used alongside relational databases, it is notably good at handling structured data, such as the relations between entities and variable names. SQL queries and commands are most popularly used with the software MySQL (open source) and SQL Server (proprietary).

As of 2023, 48.66% of the world used SQL for development projects.

4. PHP

Originally signifying “personal homepage”, PHP now stands for Hypertext Preprocessor. It is a server-side, HTML-embedded scripting language designed to help create more dynamic webpages. PHP is open source, leaving maintenance and support to the community.

As of 2023, 18.58% of the world utilizes PHP on its webpages.

5. Go

Similar to C in syntax, Go is a compiled, high-level programming language invented by developers at Google. Notable features include memory safety, garbage collection, and structural typing, making it an ideal choice for networking and infrastructure applications.

As of 2023, 13.24% of the world’s developers use Go.

Categories
Development Management Security

How to Create Strong Passwords: A Comprehensive Guide

1. Password Length:

  • An ideal password should be between 12-14 characters in length

2. Use a Combination of Letters, Numbers, and Symbols:

  • The greater the variation in characters, the harder it will be to brute-force your password
  • Use different numbers, letters, cases, and special characters like @#$^- to strengthen your password

3. Avoid Using Common Words or Phrases:

  • Many insecure passwords are too similar to every-day phrases
  • While they are easy to remember, they are easy to guess

4. Avoid Using Sequences or Patterns:

  • Don’t use repeatable sequences or patterns in your passwords
  • If a hacker is able to establish a pattern from one password, they can quickly guess all of your passwords that follow the same pattern

5. Avoid Using Personal Information:

  • Personal information is easily visible to the public via social media, account names, services, etc., and thus can be found by anyone who knows where to look

6. Use a Password Manager:

  • A password manager can help keep track of your passwords in a secure way, making it so you don’t have to memorize your passwords, thus you can make them as complex as you want
  • Most password managers include a password creation tool, as well as browser plugins to quickly grab your passwords
  • We recommend the password manager BitWarden

7. Regularly Update Your Passwords:

  • The best way to maintain security is to be proactive
  • If you think a password may have been leaked, the safest thing to do is change it
  • Don’t keep less secure passwords for more than a few months

8. Two-Factor Authentication (2FA):

  • If your account in question offers two-factor authentication, set it up
  • The use of a pin, phone-number, or recovery address greatly increases your security, while decreasing the number of successful break-ins

9. Use Unique Passwords for Each Account:

  • One of the worst things you can do is reuse passwords for multiple accounts
  • Likewise, you should not share passwords between people

10. Train Your Team:

  • If applied to a work environment, make sure your team is responsibly creating credentials
  • The best way to stay safe is to be educated

Follow these guidelines and you will be on your way to peace of mind and Fort Knox level security!

Want to create a strong password?