This Week's Read List - 07-13 MAR 2021

This Week's Read List (TWRL) is a collection of articles, blog posts, and other content that I've discovered throughout the last week. The collection may seem eclectic at times, but my hope is that you'll find these articles just as helpful and interesting as I have.

Malware, Campaigns and TTPs

Incident Response Blog: Exploitation of Microsoft Exchange Vulnerabilities - The Cyber Threat Alliance has put together a great listing of collected reporting for the Microsoft Exchange 0-day exploitation from across the cybersecurity community.

Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm - Red Canary Intel breaks down the multiple clusters of identified activity stemming from the disclosed Microsoft Exchange 0-days. Red Canary identified two distinct clusters of activity, and a third set which did not cluster. Red Canary also outlines the detection opportunities for these webshells.

Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells - Palo Alto Networks' Unit 42 breaks down the China Chopper webshell, how it works, and how it can be detected being used on Microsoft Exchange. A YARA rule is included, as well as examples of what its usage looks like.

Hafnium Update: Continued Microsoft Exchange Server Exploitation - Cisco Talos Intelligence details how they are hunting HAFNIUM using osquery, Orbital, and Cisco Secure IPS.

Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers - Picus Security breaks down the MITRE ATT&CK tactics and techniques, and the tools used for each tactic/technique, during the Microsoft Exchange 0-day exploitation. The post wraps up with countermeasures, detections and IoCs.

SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group - SecureWorks Counter Threat Unit (CTU) has attributed the SUPERNOVA backdoor discovered during SolarWinds breach investigations to SPIRAL. (SUPERNOVA is assessed to have been deployed separately from SUNBURST.) Based on previous activity, SPIRAL may be associated with China.

Bazar Drops the Anchor - The DFIR Report dissects how Bazar malware is dropped using a maldoc, launches Cobalt Strike Beacon, and then drops Anchor malware. The write-up walks through the MITRE ATT&CK techniques used, and closes with IoCs and detections for the activities.

Linux Systems Under Attack By New RedXOR Malware - RedXOR, named for its use of an XOR encryption scheme to encode its network traffic, is malware targeting legacy Linux systems. Researchers have tentatively tied RedXOR to the Chinese Winnti group.

Blue Team Techniques

Exchange Webshell Detection - This script was designed to assist with detecting webshells deployed using the recently disclosed Microsoft Exchange 0-days. The script has apparently been flagged as a webshell itself by MS Defender; however, there may still be some value in leveraging the information or techniques it contains.

Cloud Federated Credential Abuse & Cobalt Strike: Threat Research February 2021 - Splunk walks through two of the seven analytics they have developed to address credential abuse and Cobalt Strike.

Government & Cybersecurity

Updates on Microsoft Exchange Server Vulnerabilities - CISA releases seven malware analysis reports, an alert advisory and remediation recommendations for Microsoft Exchange 0-day exploitation.

DevOps

cosign - cosign, developed as part of the sigstore project, is a tool to sign and verify containers.

Open-Source App Lets Anyone Create a Virtual Army of Hackintoshes - Docker-OSX is a tool to help run macOS in a Docker container.

Top 20 Dockerfile Best Practices - A breakdown of Docker best practices, with practical examples.

Docker Security Cheat Sheet - The OWASP docker security cheat sheet.

Tools

Introducing ThreatFox - Abuse.ch launches ThreatFox, a free platform for sharing IoCs associated with malware across the cybersecurity community. IoCs can be exported as MISP events, JSON, CSV, Suricata rulesets and more.

How to search URLs exposed by Shortener services - GrayHatWarfare announces the release of their URL Shortener search tool to assist with finding exposed shortened URLs.

Packet Strider - Packet Strider is a packet forensics tool to provide insight into the nature of SSH traffic.

Dalfox - An Automated XSS Finder - Dalfox is a tool for analyzing parameters, scanning for XSS vulnerabilities, and testing for SQLi, SSTI and open redirects.

SophosLabs Offensive Security releases post-exploitation tool for Exchange - The SophosLabs Offensive Security Team has released metasploit_gather_exchange, a post-exploitation tool that simplifies the retrieval of mailbox data from compromised Exchange servers.

cysimdjson - cysimdjson is a Python library for JSON parsing. cysimdjson claims to be 7-12 times faster than the standard Python JSON parser.

Regexploit - regexploit is a tool to find regular expressions which are vulnerable to Regular Expression Denial of Service (ReDoS).

Educational Resources

Reproducing the Microsoft Exchange ProxyLogon Exploit Chain - Praetorian outlines the methodology they used to reproduce the ProxyLogon exploit chain for Microsoft Exchange. Although certain components are left out to prevent unsophisticated actors from weaponizing the exploit, this is a great follow-along piece for those interested in reverse engineering and exploit development.

Top 15 Essential Malware Analysis Tools - SentinelOne Labs lists some essential malware analysis tools to keep in the toolkit.

Miscellaneous

Dolt - Dolt is a SQL database with version control and interactions similar to `git`.