End of the Year Wrap Post

Greetings fellow hackers! I hope everyone had a productive and prosperous year! This blog post is going to be pretty big and all over the place as I discuss what I have been up to over the past few months. It's been quite a ride :D. I am so grateful for this year and how much I've grown.

TLDR; DailyPay Okta breach, Malvertising and it's woes, security conferences, learning, GCP security, what's to come in 2024.

The first thing we will discuss is a security event that happen with a vendor called DailyPay. For those of you who don't know, “DailyPay is an American financial services company founded in 2015, which provides payroll services such as earned wage access.” The vendor was experiencing odd API requests coming from customer tokens (insert sweaty cat here). We started seeing notifications of odd logins and reached out. Apparently this was related to the Okta breach. Ultimately we rotated tokens, assured user logins all had 2FA (which they mostly did), and sat tight. A bit anticlimactic but we managed to avoid something bad from happening. It also taught me the value of actually calling up a vendor when you suspect something odd.

Malvertising is a TTP that is difficult for end-users to understand. It's hard to identify and easy to fall for. We work hard to train and explain these things in terms that end users can understand, but to get someone to actually remember to think with security in mind for their day to day is difficult and not realistic. For our organization, we need browser level security. We are a Google Workspace shop, so we could do some management at a browser level in Chrome, but that is limited and not ideal. ZScaler or a full fledged MDM is probably going to be the solution for us. In the past month we had an end user that fell for this TTP when they googled “Amazon” and clicked on an ad that redirected them to a phishing site. The phishing site is meant to trick you into thinking you had to call “Microsoft Support”.

I have also attended several security conferences this year! – PancakesCon (virtually) – BSides Harrisburg – BSides Philadelphia – Secure World Philadelphia – Defcon 31 – JawnCon – Cybersecurity Summit – Hardford, CT

Attending all of these conferences throughout the year has been such a fun and exciting learning experience. I've networked, learned new skills, learned lockpicking, and I have even started doing talks of my own at Penn State!

I have spent a lot of time reading whitepapers and learning the granular things that comes to writing malware and exploits. I have tested these exploits against the environment at work and have learned a lot about remediation! I've learned how to program in Python, Rust, and C! I've learned the classic VirtualAllocEx –> WriteProcessMemory and why not to use it in new malware that I write. I have learned the inner workings of process injection as well. By no means am I an expert, but my understanding in all of this has dramatically increased over the last year. I plan to continue to learn more about malware, about defense evasion methods and more.

We are Google shop and with that we inherit GCP. I am quite impressed with GCP security. There are several out of the box configs that aren't super great, but you are able to lock things down pretty easily. I had implemented things like terraform scans back when I first started, but now we are ingesting a lot of really interesting data into Datadog. With Datadog, I am able to get alerts in real-time on what our K8s are doing and so much more. We have also integrated Datadog alerting into various Slack channels.

The beginning of 2024 is going to be busy. We are deploying our new phishing campaign out to end users, I am building another IR tabletop to do by the end of January, among other things. I am actually utilizing a bit of AI into building the template for my IR tabletop. Due to CitrixBleed being so popular, I think that is what our topic is going to be about.

2024 is going to be having several major projects such as: – LLM build out for IR training and input (more to come) – 2 IR tabletops (one Citrix, the other pending) – Better coding and reverse engineering skills – New training for all employees – More blog posts that have more value

I am so excited for more blog posts and projects! LETS GO!