Fortalice Solutions continues to monitor a pro-Russia hacking group, known as “KillNet,” that is targeting U.S. hospital systems and executing distributed denial of service (DDoS) attacks. Fortalice wants to offer a follow-up advisory for our clients given that KillNet has significantly modified and escalated its approach and tactics. There are proactive measures to counter possible attacks that hospital systems across the United States can adopt immediately.
“KillNet” – a pro-Russia group known for distributed denial of service (DDoS) attacks in nations opposed to Russia’s invasion of Ukraine – attacked at least 14 websites of prominent hospital systems in the United States, knocking their public-facing websites offline temporarily. Impacted organizations have noted only short-term disruptions to their websites and no impacts to the targets’ operations. DDoS attacks can be caused when an organization’s websites are flooded with incoming network traffic, thereby overwhelming the system.
Maintaining data privacy, or data security, involves the proper handling, storage, and dissemination of information. This doesn’t only apply to organizations, but to everyday internet users as well. If you have ever allowed location access, accepted cookies on a web page, or even posted a family picture on Facebook, you have left a digital footprint.
Fortalice Solutions has partnered as a Data Privacy Champion. Data Privacy Week aims to increase awareness of online privacy among individuals and organizations, and one of its goals is to help organizations understand why it is important that they respect the data of their users, employees, and suppliers.
T-Mobile announced on January 19 that it was reviewing a November 2022 data breach, potentially impacting 37 million accounts, that occurred through one of its APIs. This advisory is intended to help our clients understand the urgent need to review their API security, while also summarizing recent T-Mobile breaches.
Annually, there are more than 55,000 attacks on electrical substations in the United States. Recently, a targeted attack on two power substations in North Carolina knocked out power to more than 45,000 Moore County residents for nearly a week. The attack on critical infrastructure that darkened the Southern Pines area of North Carolina is just the latest in a series of similar attacks stretching from Oregon to Florida. More ominously, it is a threat that many experts believe is only getting bigger.
LastPass, a popular password management tool, enables its customers to store all their usernames and passwords for online accounts. LastPass disclosed that, as part of its investigation into an August breach, it had uncovered evidence that threat actors had successfully accessed unencrypted portions of LastPass customers’ vaults.
The holiday shopping season is here. BUYER BEWARE – FRAUD LIES AHEAD! Cybercriminals and fraudsters have upped their game to trick even the cyber-savviest of online shoppers.
Retailers are trying to understand why some customers abandon their online shopping carts before pressing “proceed to checkout” or “place your order.” To solve these riddles, retailers are increasingly turning to web tracking services and fine-tuning their targeting efforts. Organizations need to be aware of the ramifications of how they are using internet trackers.
Buyer beware: Scammers have set up shop on Facebook. Here's how to avoid falling victim to some common Facebook Marketplace scams.
There are many facets to preparing your organization for a major cyber incident. Incident response playbooks, proper network hardening, and multiple levels of employee cyber hygiene training are par for the course. In theory, these solutions should ensure you’re ready for any cyber threat. But how can you be sure all of that will pay off when you’re faced with a real-world scenario? Enter tabletop exercises.
For a newly minted chief information security officer (CISO), the first 90 days are a time of both peril and possibility. If CISOs move too fast or push too hard, they risk alienating the organization. Move too slowly and new CISOs risk squandering their momentum and honeymoon period. Experienced CISOs tell Endpoint how they navigated their first few months on the job. Here’s how to navigate your new role.
Two vulnerabilities in on-premises Microsoft Exchange servers (CVE-2022-41040, CVE-2022-41082) have been identified as currently being exploited in organization environments. The vulnerabilities only exist within on-premises Exchange servers, and Microsoft reports that Exchange Online has protections in place. Many clients have migrated their user base to Exchange Online or Microsoft Office 365, but there may still be Exchange servers operating in the environment, being used for mail relays and other IT functions.
Fortalice Solutions is proud to announce it has signed on as Champion for Cybersecurity Awareness Month 2022. At Fortalice Solutions, we believe preparation is the best strategy to protect organizations from cyber threats and crime. We transform a reactive security model into a proactive, results-based model of protection. Fortalice Solutions, led by the first woman to serve as White House Chief Information Officer, Theresa Payton, is comprised of passionate practitioners who provide organizations with clarity of priority, approach, and security design.
A discussion of environments susceptible to lateral movement through resource-based constrained delegation (RBCD) attacks prompted me to take a deeper dive into the topic.
Fortalice Solutions CEO and Founder Theresa Payton has announced the promotion of Bridget O’Connor and Melissa O’Leary to the position of Partner of Fortalice Solutions.
Last month Fortalice open-sourced BOFHound, an offline BloodHound ingestor for raw ldapsearch results. Along with BOFHound, we released a companion tool for it, pyldapsearch, and submitted a pull request to TrustedSec's CS-Situational-Awareness-BOF modifying the ldapsearch BOF to include the nTSecurityDescriptor attribute. Adam Brown wrote a post accompanying the release, which covered much of the tool's background, including blue team strategies for detecting BloodHound use and the red team's reversion to more manual LDAP querying techniques. This blog will serve as a follow-up to that post, covering some usage strategies for ldapsearch + BOFHound and going into the updates that were recently pushed to BOFHound in version 0.1.0.
Since its release, BloodHound has helped offensive and defensive teams conduct efficient and thorough auditing of Active Directory environments. For a while, reviewing Active Directory environments without BloodHound became almost unimaginable, and certainly unattractive. As the tool has evolved and grown, it has become a staple of the offensive tester's toolkit while simultaneously becoming an increasingly desired detection point for defensive teams. Several detection strategies have surfaced over the past 7 years. This post will cover a few helpful detection strategies. Some you may know of, and others, maybe not. Then we'll wrap up by introducing two new tools which aim to give red teams a chance at avoiding detection when necessary.
Back when I was getting started as a junior pentester, I vividly remember reading @byt3bl33d3r's 2017 post: Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes). I still recommend checking this out if you haven't already - it will cover the basics of NTLM relaying and background on some of the confusing pieces ([Net]NTLMv1/2 anyone?) that there's no need for me to repeat here. There's also a plethora of other great NTLM relay blogs and resources that I'll try to link to throughout this post, while I attempt to touch on the ever-growing library of NTLM relay uses after 2021 introduced several new relay vectors.
ADCS has been a treasure trove for recent offensive operations while organizations are still catching up to the research released by Will Schroeder and Lee Christensen back in June. Amazingly, enough escalation vectors were dropped that 5 months later I still haven't found time to test and explore every one of them (suppose that means I'm still catching up too). Luckily, an ESC4 scenario prompted some digging into abusing ACL permissions to create vulnerable template states.
Active Directory Certificates and PKINIT are hot topics these days and our operators at Fortalice have been doing their best to stay on top of the new research and tools. My previous blog touched on PyWhisker and referenced one of its resources available on https://thehacker.recipes. While reading through the documentation there, a note near the bottom caught my eye, which stated: User objects can't edit their own msDS-KeyCredentialLink attribute while computer objects can.
On a recent red team engagement, our team was tasked with focusing on Active Directory Certificate Services (ADCS) exploitation. The objective was to identify certificate template misconfigurations and potentially achieve privilege escalation by abusing them. The concepts and attacks used were based around the work and whitepaper by Will Schroeder (@harmj0y) and Lee Christensen (@tifkin_).
Domain fronting is a generic technique based on HTTPS that allows an actor to hide the true destination of a communication from network equipment in the path. While domain fronting has been used in offensive engagements for several years now, the number of frontable cloud services continues to dwindle. Today, Fortalice is publicly adding another service to that list: Azure Front Door.
Fortalice's Threat and Incident Response Team is providing this advisory video to partners on recent developments associated with the HAFNIUM Threat Activity and Microsoft Exchange. The information is current as of March 2021.
The notification provided to Mimecast from Microsoft indicated that several certificates issued by Mimecast had been compromised by a sophisticated threat actor.
If your organization currently uses SolarWinds Orion products (versions 2019.4 through 2020.2.1 HF1), we recommend disconnecting all affected devices immediately.
Fortalice Director of Offensive Cybersecurity Operations (OCO) Matt Shirley talks the red team's perspective on addressing cyber threats on behalf of our clients.
Fortalice CEO & Founder Theresa Payton spoke to Julie Mason, host of the Press Pool on SiriusXM, about cybersecurity following the historic 2020 election.
Fortalice Director of Custom Solutions Alise Brzezinski talks third-party risk management in the COVID-19 era.
Fortalice CEO & Founder Theresa Payton discusses the Fortalice difference and her new book, Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth.