This Week's Read List - 07-13 FEB 2021

This Week's Read List (TWRL) is a collection of articles, blog posts, and other content that I've discovered throughout the last week. The collection may seem eclectic at times, but my hope is that you'll find these articles just as helpful and interesting as I have.

Malware, Campaigns and TTPs

Extracting the Cobalt Strike Config from a TEARDROP Loader - A technical walk-through for extracting a Cobalt Strike configuration from a TEARDROP sample used during the SolarWinds breaches, using PEStudio, x64dbg and a Python-based Cobalt Strike parser from SentinelOne.

New phishing attack uses Morse code to hide malicious URLs - Hackers pull out an old communication technique, Morse code, to obfuscate their code. The Morse code decodes to a hex string, which further decodes into JavaScript.

Reverse engineering Emotet – Our approach to protect GRNET against the trojan - A lengthy write-up from the National Infrastructures for Research and Technology (GRNET) CERT in Greece on how they reverse engineered Emotet. The post is broken down into chapters for each "phase" of their investigation.

Blocking SolarMarker Backdoor - NOT ASSOCIATED WITH SOLARWINDS. CrowdStrike takes a look at detecting SolarMarker, a multistage, heavily obfuscated PowerShell loader which leads to a .NET compiled backdoor, using their Falcon next-generation antivirus (NGAV). IoCs included.

After Lightning Comes Thunder - Check Point Research and SafeBreach Labs look at Infy, an Iranian operation which appears to demonstrate a resurgence with new second-stage malware, a more mature family of the original Infy malware, and recent sightings of associated C2 infrastructure.

BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech - PAN Unit 42 breaks down the technical details of BendyBear which uses some anti-analysis and signature block verification techniques. IoCs included.

BazarBackdoor’s Stealthy Infiltration Evades Multiple SEGs - BazarBackdoor malware bypasses security by not including a malicious payload in the phishing e-mail. Instead, when users go to look at how to cancel the order from the attached e-mailed invoice, they are instructed to download a malicious document needed to cancel their fake order.

Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies - Anomali details the Iranian campaign against the UAE and other Middle Eastern countries leveraging OneHub storage and ScreenConnect software by posing as the Kuwaiti Ministry of Foreign Affairs.

Web shell attacks continue to rise - A report from Microsoft's Detection and Response Team (DART) about web shells. The report provides some interesting statistics as well as how web shells are being used and some detection techniques.

Emerging Techniques?

Digital forensics and incident response: A new type of User access log - KPMG Cyber Response Services team reveals a potential new log source that can be used during incident response: the Microsoft User Access Logs.

Government & Cybersecurity

Malware Analysis Report (AR21-039A) - SUNBURST - CISA's malware analysis report on SUNBURST.

Malware Analysis Report (AR21-039B) - TEARDROP - CISA's malware analysis report on TEARDROP.

Following Oldsmar attack, FBI warns about using TeamViewer and Windows 7 - After hackers gained access to a water treatment facility, the FBI releases a warning about using outdated Windows 7 PCs, weak passwords, and TeamViewer. Just another example of where following security best practices could have prevented an incident.

Tools

Open-source tool BlobHunter helps pinpoint public Azure blobs that might contain sensitive files - BlobHunter from CyberArk helps organizations find Azure blobs that may contain sensitive files inadvertently made public.

CyCAT.org - The Cybersecurity Resource Catalogue - While it's hard to tell whether this site will go anywhere, the concept of a cybersecurity resource catalogue is a great idea. A one-stop shop to get everything (or at least a link to everything) would be really useful. This is one site to keep an eye on.

Learn Pipe Fitting for all of your Offense Projects - A tiny explanation and look into Cobalt Strike's usage of named pipes.

Open Source Vulnerabilities - OSV is a database of vulnerabilities in open source projects. Its goal is to help maintainers and developers triage vulnerabilities in open source projects.

An SQL solution for Jupyter - xeus-sql: A xeus-sqlite sequel - Jupyter announces xeus-sql, a general-purpose database access tool for Jupyter which allows you to run SQL queries against many different databases. xeus-sql comes with support for any ODBC-supported database.

Haxe - Haxe is an open source high-level strictly-typed programming language with a fast optimizing cross-compiler. Haxe can build cross-platform applications targeting JavaScript, C++, C#, Java, JVM, Python, Lua, PHP, and Flash. Haxe has its own VMs (HashLink and NekoVM) but can also run in interpreted mode.

Fuzz Testing for JVM is now Open Source - Code Intelligence open sources Jazzer, the core of their JVM fuzzer.

PE Tree - PE Tree is a Python tool from BlackBerry for viewing PE files. PE Tree also has the ability to tie into IDA and Rekall.

Flameshot - Flameshot is a screen capture tool with a lot of additional functionality. It's great for documenting analysis and creating pretty diagrams/figures/photos to include in a final report.

Educational Resources

A visual guide to SSH tunnels - A great guide to better understand SSH tunneling and some of the associated configuration parameters, as well as the CLI syntax for each.

Web Scraping 101 with Python - A quick down and dirty on how to get started with web scraping using Python, specifically `socket`, `re`, `urllib3`, `lxml`, `requests`, `beautifulsoup`, `grequests`, `scrapy`, and `selenium`.

Educational Heap Exploitation (How2Heap) - How2Heap is a repository dedicated to different heap exploitation techniques. The repo includes various exercises, a list of tools, and additional links to other resources.

Auditd CVE 2021-3156 - This post provides an excellent look at how to use `auditd` to hunt for malicious activity on a Linux host. This post specifically looks at CVE 2021-3156, a vulnerability in `sudo`.

Introduction to Ghidra Scripting for Embedded ELFs and UPX - A tutorial on how to set Ghidra up with some custom scripts aimed at embedded ELFs and UPX-packed binaries.

Rust Cookbook - A cookbook of things to do in Rust if you are looking for a place to start.

SerenityOS - Writing a full chain exploit - A walk-through of how the author chained together a few exploits against SerenityOS.

LetsDefend - LetsDefend is a blue-team training platform offering a simulated SOC environment in which to defend against cyber attacks.

Miscellaneous

Browser fuzzing at Mozilla - An interesting look into how Mozilla fuzzes Firefox during testing.

Cubox-M Aims To Be Your Raspberry Pi Alternative - A tiny 2-inch cube capable of competing with your Raspberry Pi. Need a small drop box for a pentest? This might be what you're looking for.