This Week's Read List - 10-16 JAN 2021
This Week's Read List (TWRL) is a collection of articles, blog posts, and other content that I've discovered throughout the last week. The collection may seem eclectic at times, but my hope is that you'll find these articles just as helpful and interesting as I have.
SolarWinds
Robust Indicators of Compromise for SUNBURST - Some great clarification about SUNBURST indicators to determine whether or not your organization was targeted, as opposed to having a compromised version of SolarWinds.
SUNSPOT: An Implant in the Build Process - CrowdStrike breaks down their discovery and analysis of the SUNSPOT malware discovered during their investigation into the SolarWinds Compromise.
Sunburst backdoor – code overlaps with Kazuar - Kaspersky identifies that pieces of the SUNBURST code overlap with Kazuar, malware discovered by Palo Alto in 2017 and tentatively tied to the Turla group.
Password Guessing Used as a Weapon by SolarWinds Hackers to Breach Targets - An advisory about some of the post-exploitation actions, including password guessing and password spraying, of the SolarWinds compromise.
New Findings From Our [SolarWinds] Investigation Of SUNBURST - Press release from SolarWinds regarding the recent compromise. A timeline of the attack is included.
SolarLeaks site claims to sell data stolen in SolarWinds attacks - The SolarLeaks website claims to be selling source code from multiple companies breached during the SolarWinds compromise.
Malware, Campaigns and TTPs
Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks - A quick look into newly discovered TTPs and malware attributed to Winnti (APT41). Interestingly, the MO (modus operandi) shares similarities with the Korean group, Higaisa. Parts of the payloads included Cobalt Strike's Beacon.
Higaisa or Winnti? APT41 backdoors, old and new - A more in-depth look at the newly discovered TTPs and malware attributed to Winnti (APT41), and the distinctions drawn between it and the Korean group, Higaisa. List of indicators and MITRE ATT&CK mapping provided.
Abusing cloud services to fly under the radar - A breakdown of a Chimera group cloud attack mapped to the MITRE ATT&CK matrix with a list of IOCs at the end.
Introducing the In-the-Wild Series - The first of a six-part series by Google's Project Zero team in which they detail a set of vulnerabilities being exploited in the wild. The series covers two Chrome, two Android and one Windows vulnerability.
Mimecast Certificate Hacked in Microsoft Email Supply-Chain Attack - A Mimecast certificate was compromised, allowing attackers access to Microsoft Office 365 accounts. The extent of the compromise would allow attackers to intercept traffic and possibly also steal information.
Cloud Threat Hunting: Attack & Investigation Series - Lateral Movement – Under the Radar - A detailed look at how a threat actor can exfiltrate data from an AWS account once they have compromised a pair of AWS access keys.
FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts - A breakdown of the MacOS.OSAminer (cryptominer) run-only AppleScripts, as well as a look at the MacOS.OSAminer campaign. IOCs included at the end.
Darkside Ransomware Decryption Tool - Bitdefender Labs has released a decryption tool for the Darkside ransomware.
Meet Oski Stealer: In-depth Analysis Of the Popular Credential Stealer - Oski Stealer is a credential theft tool being sold on Russian underground forums. Oski Stealer can also function as a second-stage downloader.
TeamTNT botnet now steals Docker API and AWS credentials - The TeamTNT cryptomining botnet now scans infected Docker and Kubernetes containers, looking in common locations for unencrypted credentials and configuration details.
Breaking The Browser – A tale of IPC, credentials and backdoors - A look at how an attacker could exfiltrate data from a browser using named pipes. This article looks specifically at the Chrome browser, providing a detailed approach with code and tutorial to exploiting the browser.
xHunt Campaign: New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement - Analysis of the Bumblebee Webshell used during the xHunt campaign targeting Microsoft Exchange services.
Government & Cybersecurity
NSA warns against using DoH inside enterprise networks - Are you using DNS over HTTPS (DoH) in your network? Does it make you feel secure? The NSA warns that this might be a false sense of security, as it allows adversaries to hide in your network, and possibly (depending on your network and tools) might limit your visibility as a defender.
Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services - CISA analysis and guidance on how to adjust your organization's cloud service configurations to secure them against attackers.
DevSecOps
Hardening Docker and Kubernetes with seccomp - This was new to me. I'd never heard of seccomp before. A good "down and dirty" on how to use seccomp if you are interested in more granular security controls for containers.
Emerging Techniques?
Hiding execution of unsigned code in system threads - A non-conventional find since this relates to gaming and anti-cheat mechanisms, but it does pose some interesting issues for attackers who could attempt to leverage similar mechanisms and means in an attack or malware execution.
Waver - An interesting project that allows the transmission of text messages using sound waves. This poses an interesting solution for compromising air-gapped networks and executing command and control channels using sound waves.
BitMessage - A peer-to-peer communications protocol for sending encrypted messages in a decentralized manner.
Cabal - Cabal is an experimental peer-to-peer community chat platform.
Tools
Microsoft Sysmon now detects malware process tampering attempts - New functionality for Sysmon to detect process hollowing and herpaderping. Includes a tutorial for setting up the new functionality. Based on testing, the new functionality appears to be hit or miss, triggering on benign processes, and not triggering on known malware samples.
Microsoft releases Linux endpoint detection and response features - Microsoft Defender for Endpoint is now generally available for Linux users.
Set up your own malware analysis pipeline with Karton - Karton provides an analysis framework and pipeline for automated malware analysis. It's a microservice architecture with multiple parts and plugins for some other common tools such as MISP, Yara, and Drakvuf.
Melody - Melody is a transparent internet sensor built for threat intelligence and supported by a detection rule framework which allows you to tag packets of interest for further analysis and threat monitoring.
USBQ Toolkit - A Python-based programming framework for monitoring and modifying USB communications.
Log Pattern Recognition: LogMine - LogMine is a tool that provides automatic log pattern recognition. A detailed approach to the ins and outs of LogMine. An interesting tool that could have cool implications for unstructured/unknown log formats, as well as some potential for machine learning applications related to logging.
Educational Resources
OpenLearn Free E-books - A lot of different free content with a broad range in topics. A few cybersecurity and STEM related topics if you are looking to dabble in something new.
Algorithms For Decision Making - A free book on algorithms for decision making under uncertainty.
Foundations of Embedded Systems - A course about computing systems that interact with the physical world. Covers a lot of theory related to cyber-physical systems, as well as architectures, I/O and many other topics.
MDSEC Insights - MDSEC Insights is a blog that has quite a few writeups detailing everything from CVE analysis to exploitation techniques to lab design.
OpenSource
Openbase wants to be the Yelp for open source software packages - Looking for a package, but aren't sure which to use? OpenBase provides reviews of different software packages to help you decide. Interesting concept, worth checking out if you don't know what you want.
Elasticsearch and Kibana are now business risks - Are you using Elasticsearch or Kibana? Will you continue to use it after Elastic has changed its licensing model, which could force you to release your intellectual property? Elastic switched to the Server Side Public License (SSPL) license from the Apache v2 license, which some consider to be a "hostile proprietary license in open source clothing."