This Week's Read List - 17-23 JAN 2021
This Week's Read List (TWRL) is a collection of articles, blog posts, and other content that I've discovered throughout the last week. The collection may seem eclectic at times, but my hope is that you'll find these articles just as helpful and interesting as I have.
SolarWinds
Raindrop: New Malware Discovered in SolarWinds Investigation - Symantec's technical analysis of Raindrop (not to be confused with Teardrop), another Cobalt Strike payload delivery tool. The write-up provides a comparison of Raindrop and Teardrop, as well as indicators and a YARA rule.
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop - Microsoft's analysis of the SolarWinds compromise detailing some of the intricacies of how the malware works and the sophistication of the adversary. Includes indicators and queries for use with Microsoft Defender for Endpoint hunting.
Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments - Malwarebytes, although not a SolarWinds user, believes that it was targeted by the same actors behind the SolarWinds breach. Malwarebytes has been able to confirm that it was targeted by an actor that abused applications with privileged access to its Office 365 and Azure environments, similar to the behavior reported elsewhere for the actors associated with the SolarWinds breach.
Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 - The takeaway from this article is the actual white paper [PDF], which provides a detailed look at both the adversary's TTPs and the mitigations, including the technical implementation of those mitigations. FireEye also has a tool, Azure AD Investigator, to help identify artifacts related to the potential compromise of an Azure environment.
Malware, Campaigns and TTPs
DNSpooq Flaws Allow DNS Hijacking of Millions of Devices - The popular open-source dnsmasq service has 7 different flaws, dubbed DNSpooq, which allow an attacker to perform cache poisoning and remote code execution attacks.
Identifying Authorship Style in Malicious Binaries: Techniques, Challenges & Datasets - An interesting white paper on attribution (or at least an attempt) based on how malware is written/developed. Provides a "machine learning" approach with feature extraction to then classify binaries based on author.
Experts Detail A Recent Remotely Exploitable Windows Vulnerability - A vulnerability found in Windows NT LAN Manager (NTLM) could allow an attacker to achieve remote code execution. A patch was released in Microsoft's regular "Patch Tuesday" updates earlier this month.
RIFT: Analysing a Lazarus Shellcode Execution Method - The Research and Intelligence Fusion Team (RIFT) analyzes how the Lazarus group executes shellcode using VBA scripts and the Windows API.
Tools
Snort 3 officially released - Snort 3 has been officially released! I'm excited to see some of the new features in this version of Snort that have been built into Suricata already, as well as some new ones.
Emulation of Kernel Mode Rootkits With Speakeasy - A FireEye blog post detailing how you can use Speakeasy to emulate a rootkit for analysis.
Subfinder – A Subdomain Discovery Tool - Subfinder is a new Go-based command-line tool to scan for subdomains of a specified domain.