Ikechukwu135/THREAT-INTELLEGENCE-PROJECT

GitHub: Ikechukwu135/THREAT-INTELLEGENCE-PROJECT

Stars: 0 | Forks: 0

# THREAT-INTELLEGENCE-PROJECT

This threat intelligence project is centered on NHS Tayside (nhstayside.scot.nhs.uk), an NHS Board located in Scotland, United Kingdom. The project investigates the NHS Tayside website to find vulnerabilities that could be exposed to potential attack. The tools used for passive reconnaissance are Censys and theHarvester.

Passive reconnaissance of the NHS Tayside website using Censys showed that the website returned 400 Bad Request responses from 25 different endpoints, on both HTTP and HTTPS. A 400 Bad Request response is a security mechanism that tells the client the server cannot understand the request it was given, but malformed or intentionally broken requests can also be used to probe, disrupt or breach a web application. For instance, an attacker can perform reconnaissance of the NHS Tayside website by deliberately sending invalid or malformed data, over-sized cookies or unexpected headers just to trigger a 400 Bad Request response, and then look for information such as the web server version, database structure or internal file paths that may accompany the response. Based on this leaked information, the attacker can tailor specialized attacks against the website.

Censys also showed that the NHS Tayside website runs on a valid Let's Encrypt SSL certificate. The interesting point here is that the certificate expires in June 2026. This means that attackers can take advantage of it to conduct a clone phishing attack: obtain a valid SSL certificate for a fake site and register a domain visually similar to the legitimate one in order to lure users of the original site to the fake website. Attackers can also conduct man-in-the-middle attacks against the about-to-expire website to intercept sensitive data such as login details and personal information, since the encryption protecting that data has been compromised.
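A defender-side check for the 400 Bad Request probing described above: group web server access-log entries by client and flag clients whose 400 responses are spread across many distinct endpoints. This is an added example, not code from the original project; the log lines are constructed (documentation IP ranges) and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format (client, timestamp, request line, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample access log: 203.0.113.7 hits many distinct endpoints and
# only ever receives 400s (the probing pattern); 198.51.100.9 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:09:00:01 +0000] "GET /a HTTP/1.1" 400 226
203.0.113.7 - - [10/May/2025:09:00:02 +0000] "GET /b HTTP/1.1" 400 226
203.0.113.7 - - [10/May/2025:09:00:03 +0000] "POST /login HTTP/1.1" 400 226
203.0.113.7 - - [10/May/2025:09:00:04 +0000] "GET /api/v1 HTTP/1.1" 400 226
203.0.113.7 - - [10/May/2025:09:00:05 +0000] "GET /static HTTP/1.1" 400 226
198.51.100.9 - - [10/May/2025:09:00:06 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.9 - - [10/May/2025:09:00:07 +0000] "GET /news HTTP/1.1" 200 8804
198.51.100.9 - - [10/May/2025:09:00:08 +0000] "GET /news?x HTTP/1.1" 400 226
"""

def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_400_probers(log_text, min_400=4, min_paths=3):
    """Group requests by client and return {ip: (count_400, distinct_paths, share_400)}
    for clients at or above both thresholds. Many 400s over many paths is the probing
    pattern; many 400s aimed at one or two paths looks more like a malformed-request flood."""
    per_ip = defaultdict(lambda: {"total": 0, "bad": 0, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip lines that are not in combined format
            continue
        s = per_ip[rec["ip"]]
        s["total"] += 1
        if rec["status"] == "400":
            s["bad"] += 1
            s["paths"].add(rec["path"])
    return {ip: (s["bad"], len(s["paths"]), round(s["bad"] / s["total"], 2))
            for ip, s in per_ip.items()
            if s["bad"] >= min_400 and len(s["paths"]) >= min_paths}

if __name__ == "__main__":
    for ip, (bad, paths, share) in find_400_probers(SAMPLE_LOG).items():
        print(f"{ip}: {bad} x 400 across {paths} paths ({share:.0%} of its requests)")
```

Alerting on this pattern catches the reconnaissance phase; the same counters, with a lower distinct-path requirement and a short time window, cover the flood case.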
theHarvester showed three Autonomous System Numbers (ASNs) linked to Vodafone as a network provider. Using this information, a threat actor such as Orangeworm could abuse the trusted relationship between NHS Tayside and Vodafone by attacking Vodafone and moving laterally into NHS Tayside's network.

Attackers can also conduct a denial-of-service (DoS) attack using 400 Bad Requests, by flooding the server with a series of malformed requests that consume CPU, memory and bandwidth until the server crashes and the site becomes unavailable to legitimate users.

After performing reconnaissance using 400 Bad Requests, attackers can also use HTTP for command and control (C2) against the NHS Tayside website, because it lets them mimic legitimate HTTP/S traffic and hide within high-volume web traffic while initiating communication. They do this by leveraging malware on a compromised host, which acts as the initiator, sending periodic HTTP requests (beacons) to the attacker's C2 server as a heartbeat. The heartbeat tells the attacker that the host is still infected, active and available for exploitation. The C2 server then replies with a command telling the malware on the host to download a file, execute a command or exfiltrate data; the malware executes the command and sends the results back in a subsequent HTTP request.

## THREAT ACTOR PROFILING – ORANGEWORM

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe and Asia since 2015, primarily for the purpose of corporate espionage.

Software used by Orangeworm includes the following.

Kwampirs (S0236): the main software Orangeworm uses. It is a backdoor remote access Trojan designed to give the group remote, persistent access to compromised computer systems in order to steal data and execute commands.
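The periodic HTTP beacon (heartbeat) described in the C2 discussion above is a pattern defenders can hunt for in proxy logs: the gaps between a host's requests to one destination are unusually regular. This is an added example, not code from the original project; the records and the placeholder destination name are constructed, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed proxy log records: (timestamp, source host, destination host).
# 10.0.0.5 contacts "beacon.example.invalid" (placeholder name) roughly every
# 60 seconds, the heartbeat pattern; its requests to the portal are irregular.
SAMPLE_PROXY_LOG = [
    ("2025-05-10 09:00:00", "10.0.0.5", "beacon.example.invalid"),
    ("2025-05-10 09:00:14", "10.0.0.5", "portal.internal.example"),
    ("2025-05-10 09:01:01", "10.0.0.5", "beacon.example.invalid"),
    ("2025-05-10 09:01:59", "10.0.0.5", "beacon.example.invalid"),
    ("2025-05-10 09:02:03", "10.0.0.5", "portal.internal.example"),
    ("2025-05-10 09:03:00", "10.0.0.5", "beacon.example.invalid"),
    ("2025-05-10 09:04:02", "10.0.0.5", "beacon.example.invalid"),
    ("2025-05-10 09:04:50", "10.0.0.5", "portal.internal.example"),
    ("2025-05-10 09:05:00", "10.0.0.5", "beacon.example.invalid"),
    ("2025-05-10 09:05:07", "10.0.0.5", "portal.internal.example"),
    ("2025-05-10 09:05:59", "10.0.0.5", "beacon.example.invalid"),
    ("2025-05-10 09:07:01", "10.0.0.5", "beacon.example.invalid"),
]

def find_beacons(records, min_requests=6, max_jitter=0.1):
    """Return {(src, dst): (count, mean_interval_s, jitter)} for host pairs whose
    request timing is regular. Jitter is the coefficient of variation (population
    stdev / mean) of the gaps between consecutive requests; implants often add a
    random sleep, so max_jitter has to be tuned for the environment."""
    times = defaultdict(list)
    for ts, src, dst in records:
        times[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_requests:      # too few requests to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            flagged[pair] = (len(stamps), round(mean, 1), round(jitter, 3))
    return flagged

if __name__ == "__main__":
    for (src, dst), (n, mean, jitter) in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{src} -> {dst}: {n} requests, every {mean}s, jitter {jitter}")
```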
Orangeworm infects X-ray and MRI machines with Kwampirs, mostly while these devices are being set up on a hospital network. Kwampirs has been reported to have multiple technical overlaps with Shamoon, a wiper malware first used in 2012 by an Iranian group known as the Cutting Sword of Justice.

Cmd (S0106): the Windows command-line interpreter, which can be used to interact with the system and execute processes and utilities.

Ipconfig (S0100): a Windows utility used to find information about a system's IP, DNS, DHCP and adapter configuration.

Netstat (S0104): an operating system utility that displays active TCP connections, listening ports and network statistics. After gaining initial access, Orangeworm uses netstat to map the active TCP connections on the compromised machine, which helps them understand the network topology. They also use netstat to cover their tracks through a technique known as "living off the land", which lets them avoid triggering security alerts when they upload custom scanning tools.

## DEFENSE RECOMMENDATIONS

- Use OSINT monitoring platforms (e.g., SpiderFoot, Recon-ng) to identify leaked information.
- Enable DNSSEC and use WHOIS privacy protection.
- Monitor for domain hijacking or lookalike domains using services such as RiskIQ or DomainTools.
- Use network segmentation to isolate infrastructure components that do not require broad network access, so that lateral movement within the network environment is not free. Also implement MFA across all critical systems and services to ensure robust protection against account takeover and unauthorized access.
- Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems.
- Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement and automate updates.
- Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that do not rely on known signatures.
- Enable behavior prevention on endpoints. For instance, on Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system. On Windows 10 and 11, enable the Microsoft Vulnerable Driver Blocklist to help harden against third-party-developed service drivers.
- Ensure the authenticity and integrity of software by digitally signing executables, scripts and other code artifacts.
- Always monitor the status of certificate renewal automation.
- Use a Network Intrusion Prevention System (NIPS) to monitor network traffic for suspicious activity and block malicious traffic.
- Use tools such as AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools such as SELinux or AppArmor to define mandatory access control policies for application execution.
- Train employees and contractors on recognizing, reporting and preventing cyber threats that rely on human interaction, such as phishing, social engineering and other manipulative techniques.
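The behavioral-analysis recommendation above applies directly to the "living off the land" use of netstat, ipconfig and cmd described in the Orangeworm profile: no custom tool is dropped, so the signal is a burst of built-in discovery utilities launched from one parent process. This is an added example, not code from the original project; the process-creation events are constructed in Sysmon event-ID-1 style, and the window and tool list are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows utilities an intruder can chain for discovery without dropping tools.
DISCOVERY_TOOLS = {"netstat.exe", "ipconfig.exe", "net.exe", "whoami.exe", "arp.exe"}

# Constructed process-creation events (Sysmon event ID 1 style):
# (timestamp, host, parent pid, parent image, image, command line).
# MRI-WS01 shows a scripted chain from one cmd.exe; ADMIN-PC7 is routine admin use.
SAMPLE_EVENTS = [
    ("2025-05-10 09:00:00", "MRI-WS01", 4211, "cmd.exe", "netstat.exe", "netstat -ano"),
    ("2025-05-10 09:00:09", "MRI-WS01", 4211, "cmd.exe", "ipconfig.exe", "ipconfig /all"),
    ("2025-05-10 09:00:21", "MRI-WS01", 4211, "cmd.exe", "net.exe", "net view"),
    ("2025-05-10 09:00:30", "MRI-WS01", 4211, "cmd.exe", "whoami.exe", "whoami /all"),
    ("2025-05-10 11:15:00", "ADMIN-PC7", 9012, "cmd.exe", "ipconfig.exe", "ipconfig /flushdns"),
    ("2025-05-10 11:40:00", "ADMIN-PC7", 9012, "cmd.exe", "netstat.exe", "netstat -an"),
]

def find_discovery_bursts(events, window_s=120, min_tools=3):
    """Group discovery-tool launches by (host, parent pid, parent image) and return
    {key: (sorted tool names, command lines)} for parents that run at least
    min_tools distinct tools inside a sliding window of window_s seconds.
    A lone ipconfig from an administrator stays below the threshold."""
    per_parent = defaultdict(list)
    for ts, host, ppid, parent, image, cmdline in events:
        if image.lower() in DISCOVERY_TOOLS:
            per_parent[(host, ppid, parent)].append(
                (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), image.lower(), cmdline))
    alerts = {}
    for key, runs in per_parent.items():
        runs.sort()
        for i, (start, _, _) in enumerate(runs):
            inside = [r for r in runs[i:] if r[0] - start <= timedelta(seconds=window_s)]
            tools = {r[1] for r in inside}
            if len(tools) >= min_tools:
                alerts[key] = (sorted(tools), [r[2] for r in inside])
                break                      # one alert per parent is enough
    return alerts

if __name__ == "__main__":
    for (host, ppid, parent), (tools, cmds) in find_discovery_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: {parent} (pid {ppid}) ran {', '.join(tools)}: {cmds}")
```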