ShadowMap – Tracking SSO Integrations

Key Features of ShadowMap – Tracking SSO Integrations & Threat Analysis Report

• Compatibility with: Google Workspace, Azure AD, Office 365, Okta, Cloudflare Access, Duo Security, Auth0, Amazon Cognito, Idento IAM along with internal SAML / OAuth implementations.
• Track account information behind each SSO Integration & Raise alerts for unauthorised shadow accounts.
• Automated best-practice checks of the SSO implementations to raise alerts for any privacy or security issues.
• Track Credentials Leaked on the Internet, Deep-Web & Dark-Web related to your SSO implementations.
• Have our Cyber Threat Police Experts available on-demand to investigate, analyse and mitigate these critical risks.

Importance of Ensuring Secure SSO (Single Sign-On) Implementation

A recent study on risks associated with SSO (Single Sign-On) implementations found:

• 25% of the S&P 500 and half of the top 20 most valuable public U.S companies have had at least one SSO credential for sale on the dark web in 2022.
• Shared credentials were the most common attack vector used by hackers and responsible for nearly 50% of all cyber attacks.
• Logon credentials are a major focus for external attackers (61% of data breaches involve credential data).
• With the average enterprise using over 250 cloud apps, the prospect of employees remembering unique, strong passwords for each of them is simply impractical.
• Brute force attacks accounted for 31% of all cyberattacks in 2021 and 89% of the organisations interviewed experienced phishing attacks over the past year.

Common Security Vulnerabilities in SSO (Single Sign-On) Implementations

• XML injection Attacks
• Timing or Expiration Based Attacks
• Signature Spoofing and Exclusion Attacks
• XXE and XSLT Attacks
• SSO Implementation Bypass / Authentication Bypass Attacks
• Access Token Misuse or Replay Attacks
• Credential Leakage via Referrer Header
• Client Secret Leakage
• Credential Leakage via Page Content

The post Tracking SSO Integrations Across The Organization appeared first on ShadowMap.

ShadowMap Executive Cyber Protection Demo

Key Features of Executive Cyber Protection

• Protect your Executive’s personal, corporate and family accounts from targetted data breaches.
• Get notified for any executives impacted by: third-party data breaches, data leaks, dark web mentions, news mentions, social media mentions, etc.
• Monitor the dark web, ransomware groups, social media for any chatter related to their emails, phone numbers, usernames, computer names, IP addresses.
• Receive a high priority alert as soon as one of your executives is part of a data breach or attack.
• Have our Cyber Threat Police Experts available on-demand to investigate, analyse and mitigate these critical risks.

Targetted Attacks Against Your CXO Executives?

A recent study on Data Brokers and Data Breaches found:

• 99% of our executives have their personal information available on more than three dozen online data broker websites, with a large percentage listed on more than 100.
• 70% of executive profiles found on data broker websites contained personal social media information and photos, most commonly from LinkedIn and Facebook.
• 40% of online data brokers had the IP address of an executive’s home network.
• 95% of executive profiles contained personal and confidential information about their family, relatives, and neighbours.
• On average, online data brokers maintained more than three personal email addresses for every executive record.

How to enable Executive Cyber Protection In your Dashboard?

Step 1: Add Executives To Your Dashboard

Add A New Executive

Step 2: Add Any Number of Monitoring Fields For Your Executives

Add Monitoring Fields For Executives

Step 3: In a few minutes, data will start getting populated for the executives and alerts will start triggering!

The post Executive Cyber Protection appeared first on ShadowMap.

After spending several days deep into this rabbit hole of vague corporations, a wide range of collection systems, some really interesting correlation use-cases – we’ve been able to put together a fairly comprehensive image of the Zhenhua Data operation.

While on the surface Zhenhua Data seems to be “just another” firm capturing, processing and selling publicly available information, the story changes rapidly once you look beyond the surface.

This blog post covers four key sections: Data Collection, Data Correlation, Identified Targets, Conclusion.

Zhenhua Data & Affiliates

According to the Zhenhua Data website (which has been taken offline, but is still accessible via ShadowMap) – “Zhenhua Data focuses on integrating overseas data and information to provide services for domestic institutions”. In-addition to Shenzhen Zhenhua Data Information Technology Co., Ltd. (china-revival.com) that has already received wide-spread coverage, we also found the involvement of Weiju (aggso.com) & SocialDataMax (socialdatamax.com).

Weiju, started out as a “location-based, instant messaging application that enables users to chat with nearby strangers.”, however the last update on its website (in 2015) mentions “Public opinion monitoring and early warning”, “Communication analysis statistics”, etc.

There are also several mentions of the underlying platforms being developed by “Beijing Juwei Hezhi Information Technology Co., Ltd.”, which has a very limited public presence but is listed online as “Juwei Hezhi is a company that analyzes social media big data”.

Data Collection

Zhenhua Data has a large number of platforms that are used for data collection. These include platforms monitoring your standard social media platforms such as Twitter, LinkedIn, Facebook, TikTok, VK, Instagram etc. They also monitor a wide range of media outlets, news websites, news aggregators such as Reddit, etc.

In-addition to this, they also seem to have private sources of data such as near real-time movement of warships, satellite tracking, troop movements, etc. More so we were able to find references to private feeds that have access to data from “affiliate apps & websites”, but have not been able to discover or access these portals directly.

Some examples of the public data collection systems that are publicly accessible:

LinkedIn – This particular system is configured to continuously search LinkedIn for a range of keywords and then downloads the matching profiles, photos, etc.

Downloading LinkedIn Profiles By Keywords

TikTok – This particular system is configured to monitor specific target accounts and download all videos, comments, user relationships, etc in near real time. Another interesting note here, a lot of the accounts being monitored are related to US Army recruitment and active duty forces.

Monitoring TikTok Videos and Comments for Target Accounts

Reddit – This particular system is configured to monitor specific subreddits such as /r/politics to continuously track news stories, upvotes, users, etc.

Reddit News Politics Monitoring

Forum Discussions – This particular system is configured to monitor a wide range of internet forum discussions, actively scraping all posts being made, data about users along with the sentiment of the post.

Forum & BBS Monitoring

Databases of Key Individuals & Organisations – This particular system maintains a real-time list of key Mobile Applications, Media Organisations, Think Tanks, Social Media accounts, etc.

Zenhua Data – Database of Key Targets

Tracking Global Risk Events – This particular system is configured to track a number of global risk events such as Weapons of Mass Destruction, Extreme weather events, Climate change mitigation and response, Network Attack, etc.

Global Risk Event Data Center

Data Correlation

While some of the Data Collection systems may seem like they would be part of the scope of any average social media big data company, the use-cases and correlations that we have been able to discover are where it really gets interesting.

Internet Big Data Military Intelligence System

One of the early systems that our platform discovered that is directly linked to Zhenhua Data. This platform certainly tells a different story from the “social media monitoring” cover that has been used. The platform seems to have 4 modules: Internet Information Collection System, Big Data Cleaning & Processing System, Foreign Army Internet Intelligence System & Key Group Monitoring and Analysis System.

Zhenhua Data Internet Big Data Military Intelligence System

On digging further, we discovered another platform that leverages several of the private and public data collection systems to create actionable military intelligence.

Real-time War Ship Monitoring & Correlation Platform

This platform allows for tracking near real-time movements of both commercial and military naval ships. In-addition, it can correlate a wide range of information such as Social Media information of the crew on-board each vessel, photos and videos from individuals and official social media accounts, news stories, weapons manifests, historical location data, etc.

The strike chain functionality tracks key personnel as well, which are in-turn related with the much talked about OKIDB (Overseas Key Information Database), which allows you to get more relevant and correlated data about each individual target.

Zenhua Data Warship Monitoring

Strike Chain – Tracking Key Personnel

Correlating Social Media Data with OKIDB

Zenhua Data also has Social Media Relationship Query tools available to analyse target social media accounts, their relationships with other individuals and further allows you to access additional data stored about each individual in the OKIDB.

Each of the millions of members (a sample shown in the excel), have a “Character ID” and have a page in the OKIDB that contains more details about themselves, their social media accounts, their families, their businesses, their relationships, etc. The OKIDB contains data about politicians, royalty, business leaders, journalists, members of think tanks, research scientists, etc.

Zhenhua Data PMO India Social Media Relationship Query Tool

Zenhua Data OKIDB User Data

In-addition to these systems, there are hundreds of other such systems online that are secured behind login pages or have been taken offline since the media attention started and as such have not been accessed by ShadowMap.

Some of the other systems which are online but not accessible since they are behind login pages:

Identified Targets

The OKIDB has been covered in-depth by several media organisations that have dissected the list of targets in detail. Generally speaking the OKIDB seems to contain information about anybody that has any level of influence or is affiliated with any such person. The influence is determined on the basis of social media relationships, news mentions, face recognition in public photographs, etc.

We also found several target keyword lists that are actively being used as part of the data collection platforms and seem to be focusing on a wide range of keywords related to Hong Kong. These include key events such as “2019 Prince Edward station attack”, famous protestors such as “Black super brother”, phrases such as “Trying to decrypt” and hundreds of political individuals on both sides.

Conclusion to the Zhenhua Data Story

After studying the ShadowMap reports for Zhenhua Data, we are reasonably certain that everything we have seen so far is only scratching the surface of the Data Collection and Internet Intelligence Systems in place.

While most folks brush off concerns around social media monitoring, as the “price of admission”, privacy and security professionals understand the true risks and have been raising warnings for years. From something as simple as when Fitbit tracking app Strava disclosed the location of secret US army bases, to modernising and automating the process of gaining “kompromat” on a target.

The technology and capabilities we have seen with Zhenhua Data show us that the dystopian future that George Orwell’s 1984 warned us about, is here to stay. From silencing political opponents, quashing protests, spreading misinformation to influence elections or attacking enemy militaries – Big Data Surveillance systems will continue to have a significant role to play in geo-politics.

The post Investigating Chinese Intelligence Firm Zhenhua Data appeared first on ShadowMap.

• As stated to us, the code that was published on Github was a test backend code and not the production code.
• As mentioned in our original post, we flagged the issue on June 23rd and the NIC and NIC CERT teams were able to fix the issues promptly in under 24 hours. This in itself is commendable and is significantly better than the industry average of 36 days to fix reported issues.
• As mentioned in our original post, we had taken great care to ensure that absolutely no data was accessed as part of this process. Further, since the code was not the production code, it was not possible to access any user data or backend services. We can unequivocally state that no data was breached nor could it have been.
• As a final note, we have been reassured that the data of citizens inside the Aarogya Setu application is safe and the platform continues to be safe and secure.

Our intent has always been and always will be to help safeguard our national interests.

The post Update on Our Aarogya Setu Blog Post appeared first on ShadowMap.

Monitoring The Dark Web & Discovering The Breach

As part of our continuous monitoring of 4000+ Surface, Deep & Dark Web Forums for data breaches, we discovered this data being traded early last week, while it has been openly published for public consumption on the 5th of August 2020.

The data contains 29,186,600 rows of user data and the hacker has suggested that the initial breach took place in January 2020.

Zoosk Data Breach Published on Dark Web Forums

Inside The Zoosk Data Breach

The data contains two tables:

User Table
id, first_name, last_name, user_nicename, user_email, email_status, user_status, widget_guid, sex, interested_in, relationship, birthday, location_id, latitude, longitude, zipcode, country, discoverable, user_activation_key, media_request_id, user_registered, last_login, lastdailable_flatched migrated, height, ethnicity, education, religion, politics, children, smoking, drinking, bodytype, income, pets, settings, currency_id, balance, provider_map, photo_source, photo_count, locale_id, timezone_id, source, is_remarketed_to, dscore, rscore, sscore

Tig Users Table
uid, user_id, sha1_user_id, user_pw, last_login, last_logout, online_status, failed_logins, account_status

General Recommendations

Even though passwords were not leaked, threat actors can use the email addresses to send spam, phishing emails, and launch other online scams.

So, as a rule of thumb:

• Use strong passwords.
• Enable multi-factor authentication for all your online accounts.
• Don’t open unsolicited email attachments and links, especially from senders you don’t recognise.
• Don’t share OTPs with third-parties.
• Review online accounts and financial statements periodically.
• Regularly update your apps and any other software you use.

The post Zoosk Data Breach Published on Darkweb Forum – 29 Million Users Impacted appeared first on ShadowMap.

About the CVE-2019-11510 Pulse VPN Server Vulnerability

The critical vulnerability (CVE-2019-11510) in Pulse Secure Pulse Connect Secure, allows an unauthenticated remote attacker to arbitrary read files stored on the PCS device. The vulnerability affects versions 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 of the platform.

ShadowMap’s Cyber Threat Intelligence modules have checks integrated for this vulnerability since May 2019 and will have corresponding alerts for any vulnerable servers.

Timeline

• April 24, 2019 – Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities.
• May 28, 2019 – Large commercial vendors get reports of vulnerable VPN through HackerOne.
• July 31, 2019 – Full use of exploit demonstrated using the admin session hash to get complete shell.
• August 8, 2019 – Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with detailed attack on active VPN exploitation.
• August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade.
• October 7, 2019 – The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by advanced persistent threat actors.
• October 16, 2019 – The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.
• January 2020 – Media reports cybercriminals now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware.

Monitoring The Dark Web & Discovering The Breach

The initial disclosure of the breach was made by Pulse Secure through an advisory in April 2019. This vulnerability was found to be mass exploited over the last 8-9 months with a large number of vulnerable servers found to be publicly open. As part of our continuous monitoring of 4000+ Surface, Deep & Dark Web Forums, around the 4th of August, we picked up posts on various Deep & Dark Web forums where attackers had published a dump of 1800 vulnerable servers along with several sensitive details.

Inside The 1800 Vulnerable Pulse VPN Servers

On analysing the data set, we found that the leak includes the following details for each of the 1800 IP addresses listed:

• IP addresses of Pulse Secure VPN servers
• Pulse Secure VPN server firmware version
• SSH keys for each server
• A list of all local users and their password hashes
• Admin account details
• Last VPN logins (including usernames and cleartext passwords)
• VPN session cookies

On further analysis, we found several Indian entities that were a part of this breach.

Multi Commodity Exchange (MCX India)

The compromised VPN server was running the vulnerable firmware version 8.3.3.59199  included 8 internal users and 6 active sessions at the time of the breach.

MCX India Data Leak Vulnerable Pulse VPN Servers

ICRA

The compromised VPN server was running the vulnerable firmware version 9.0.3.64015 and included 4 internal users and 6 active sessions at the time of the breach.

ICRA Data Leak Vulnerable Pulse VPN Servers

Panasonic owned Anchor Electricals

The compromised VPN server was running the vulnerable firmware version 8.3.7.65013 and included 665 internal users and 374 active sessions including both internal users and several third party consultants as well.

Anchor Panasonic Data Leak Vulnerable Pulse VPN Servers

General Recommendations

• Apply the patch as recommended by Pulse Secure.
• Review your patch management process to identify & address gaps
• Implement a hardware token, OTP or certificate based authentication to add a second factor check
• If you are a ShadowMap customer, review your Threat Intelligence alerts to identify all currently open vulnerabilities that need to be mitigated.

The post Hackers Publish 1800 Vulnerable Pulse VPN Servers – Includes MCX India, ICRA & Panasonic appeared first on ShadowMap.

Monitoring The Dark Web & Discovering The Breach

The initial disclosure of the breach was made by Dunzo it self on the 11th of July 2020. As part of our continuous monitoring of 4000+ Surface, Deep & Dark Web Forums for data breaches, we discovered this database being sold on DarkWeb forums around the first week of July 2020.

The forum post claims that the data contains 8,493,681 rows of user data and the hacker has suggested that the initial breach took place in June 2020. On analysing the breach data, we found there were 5,969,986 rows of data published as part of this leak and the breach itself took place around the 20th of June 2020.

Dunzo Data Breach Published on Dark Web Forums

Inside The Dunzo Data Breach

The database contains a single table: Users_DunzoUser

id, password, last_login, is_superuser, uuid, first_name, last_name, email, phone, country_code, type, status, device_token, phone_type, phone_make, date_joined, last_updated, secret_key, app_version, registered_on, registered_platform character, send_logistics_pricing, send_logistics_pricing_image_format, last_pricing_version_shared, preferred_mode_of_payment, credit_amount, credit_score, maximum_retries_count, profile_data_updated_on_firebase, merchant_id, permission_role, user_status, flow_version, extra_data_json, city_id, current_runner_task_id, source, first_known_location, last_known_location, referral_code, referred_by_code, advertising_id, device_id, bucket_id

The passwords in the database seem to be stored using Django Password Hashes (Salted SHA 256 hash with 20000 iterations), while some users don’t have a password string in the database since they are most likely using social or OTP based login. In-addition to the email addresses, mobile numbers, IP addresses & password hashes the GPS locations of the users while they installed and last used the application along with details about their phone devices are also available.

Dunzo Data Breach

General Recommendations

Since the password hashes have been leaked, there is a significantly likelihood of password stuffing attacks taking place against various platforms where the same email / mobile and password are being used. In-addition to this, threat actors can use the email addresses to send spam, phishing emails, and launch other online scams.

So, as a rule of thumb:

• Use strong passwords.
• Enable multi-factor authentication for all your online accounts.
• Don’t open unsolicited email attachments and links, especially from senders you don’t recognise.
• Don’t share OTPs with third-parties.
• Review online accounts and financial statements periodically.
• Regularly update your apps and any other software you use.

The post Dunzo Data Breach Published on DarkWeb Forum – 6 Million Users Impacted appeared first on ShadowMap.