This Week's Read List - 21-27 FEB 2021

This Week's Read List (TWRL) is a collection of articles, blog posts, and other content that I've discovered throughout the last week. The collection may seem eclectic at times, but my hope is that you'll find these articles just as helpful and interesting as I have.

Malware, Campaigns and TTPs

Gamaredon - When nation states don’t pay all the bills - Cisco's Talos Intelligence group provides a list of updated IoCs tied to the Gamaredon group.

LazyScripter: From Empire to double RAT - Malwarebytes introduces a new APT, LazyScripter. Based on their analysis, LazyScripter can be traced as far back as 2018. Currently, LazyScripter is assessed to be targeting the International Air Transport Association (IATA) and airlines.

Hackers Tied to Russia's GRU Targeted the US Grid for Years, Researchers Warn - Wired's overview of the campaigns against the US grid that have come to light over the past few years, most recently in Dragos' annual report.

CrowdStrike Adversary Universe - CrowdStrike's Adversary Universe provides a way to explore adversaries, their backgrounds, and the industries they target.

Online Trackers Increasingly Switching to Invasive CNAME Cloaking Technique - An interesting look at CNAME cloaking from a tracking perspective. The techniques used here are very similar to the techniques used in the SolarWinds breach for C2 communications.

Lazarus targets defense industry with ThreatNeedle - A look at the Lazarus group's ThreatNeedle malware and their campaign against the defense industry. IoCs included.

Kaiji Goes Through Update but Code Reuse Detects It - Kaiji is Linux malware that targets cloud servers and spreads through SSH brute forcing. Intezer looks at detecting malware through code reuse, demonstrating that a recent rewrite of Kaiji still contained 8% reused code.

Blue Team Techniques

Finding Forensic Goodness In Obscure Windows Event Logs - With so many Windows Event IDs, how do you know which ones to pay attention to? This post takes a look at some of the more obscure Windows Event IDs that could prove very useful during an investigation.

Your AV is Trying to Tell You Something: VBN's Part 1 - Ever wondered what little nuggets of information could be gathered from a commercial anti-virus? This blog post takes a look at Symantec EDR's quarantined files and demonstrates what information can be obtained from them. If you found this post interesting, take a look at Forensic Artifacts — Symantec EDR “localdatastore” Folder for more data related to Symantec EDR.

How DNS History Contributes to Threat Investigations - Three ways to leverage DNS history as part of a threat investigation.

Microsoft open sources CodeQL queries used to hunt for Solorigate activity - Microsoft has open sourced the CodeQL queries it used to search for activity related to the SolarWinds breach. CodeQL is Microsoft's code analysis engine, which has been integrated into GitHub.

Cracking Password Protected Payloads - InQuest shares some techniques for cracking password protected payloads. As it turns out, the password might just be embedded somewhere else in the accompanying document or e-mail.

Government & Cybersecurity

CISA Releases Joint Cybersecurity Advisory on Exploitation of Accellion File Transfer Appliance - CISA's joint release includes not only the Cybersecurity Advisory, but also the malware analysis report for a PHP webshell uploaded to the Accellion appliances.

DevOps

Best practices for REST API design - With REST APIs becoming the standard, every developer should know which best practices to follow and which design principles to adhere to when implementing a REST API. This post highlights 9 different practices for designing a REST API.

Modules, monoliths, and microservices - An excellent discussion of modules, monoliths and microservices. What each is, how they are different, and when to use them.

Tools

Social Analyzer - Looking for an OSINT tool to analyze and search for a person on social media? Social Analyzer boasts 300+ social media sites that it can search across.

Multipass - If Ubuntu is your preferred Linux distro for VMs, you may want to consider Multipass. Multipass provides Ubuntu VMs on demand on Windows, macOS and Linux.

MaaS - Looking to build a lab or host your own cloud or data center? Metal as a Service (MaaS) from Canonical could help. MaaS helps you provision your bare metal servers with CentOS, RedHat, Ubuntu, Windows, or VMware ESXi.

traitor - traitor makes Linux privilege escalation on a host easy by exploiting low-hanging fruit to pop a shell.

Sysdig contributes Falco’s kernel module, eBPF probe, and libraries to the CNCF - Sysdig, an introspection tool with native support for containers, contributes Falco, a cloud native runtime security monitor, to the Cloud Native Computing Foundation. Sysdig and Falco can be used for security monitoring and alerting in container and cloud environments.

Educational Resources

Decompiling Excel Formula (XF) 4.0 malware - An interesting look at Excel Formula (XF) malware. Maldocs are popular within the Microsoft Office ecosystem and XF is an interesting way to embed malicious code that may get past security products.

macOS Malware Researchers | How To Bypass XProtect on Catalina - If you are experimenting with or analyzing malware targeting macOS, this article might help you figure out why you can't run some of the malware, and also help you bypass the XProtect security features preventing you from doing so.

Network Graph Analysis for Suricata and Zeek using Brim and NetworkX - An excellent tutorial on using Brim and NetworkX within a Jupyter notebook to conduct graph-based analysis of network data generated from Suricata and Zeek.

Malware of the Day - Malware of the Day is a series from Active Countermeasures that picks a real-world malware sample and walks through conducting basic dynamic analysis on the sample.

XSS Attack Examples and Mitigations - An excellent overview of how Cross-Site Scripting (XSS) attacks occur, the different types of XSS attacks, and the mitigations that can be taken to prevent them from being exploited.

Miscellaneous