This Week's Read List - 21 Mar 2021 - 03 Apr 2021
This Week's Read List (TWRL) is a collection of articles, blog posts, and other content that I've discovered throughout the last week. The collection may seem eclectic at times, but my hope is that you'll find these articles just as helpful and interesting as I have.
Malware, Campaigns and TTPs
Purple Fox Rootkit Now Propagates as a Worm - Guardicore outlines their analysis of the Purple Fox rootkit, which has been targeting Windows hosts. They have identified a new infection vector that takes advantage of weak SMB passwords by brute-forcing them. A link to a GitHub repository of IoCs is included.
New ICS Threat Activity Group: STIBNITE - Dragos unveils a new threat group STIBNITE which has focused on targeting wind generation and government entities in Azerbaijan.
Analyzing attacks taking advantage of the Exchange Server vulnerabilities - Microsoft provides analysis of some of the observed attacks related to the exploitation of Exchange servers. Microsoft takes a look at the DoejoCrypt ransomware, Lemon Duck botnet, and Pydomer ransomware.
Update on campaign targeting security researchers - In Google's update on the campaign they identified as targeting security researchers, they announced that the North Korean hackers established an entirely fake security company called SecuriElite. The elaborate setup included a full website, employee Twitter and LinkedIn profiles, and email addresses.
Legacy QNAP NAS Devices Vulnerable to Zero-Day Attack - QNAP NAS devices are on the chopping block again with two critical 0-day bugs exposing devices to remote authentication attacks.
APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign - A41APT (not to be confused with APT41) is a campaign discovered in 2019, attributed to APT10, that took advantage of Pulse Connect Secure vulnerabilities to hijack VPN sessions. Ecipekac, a particular piece of malware from this campaign, is a multi-layer loader module capable of delivering multiple payloads. This article provides a technical breakdown of Ecipekac and includes IoCs at the end.
The Unseen One: Hades Ransomware Gang or Hafnium - Awake from Arista takes an in-depth look at the Hades Ransomware Gang, or Hafnium (Microsoft's name), comparing their own analysis, based on their engagements, with what some other security companies are reporting about the group.
Yet Another Cobalt Strike Stager: GUID Edition - Would it be a week in cybersecurity without Cobalt Strike? Guidepoint Security takes a look at how Cobalt Strike uses GUIDs to obfuscate shellcode.
Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service - FireEye breaks down how an attacker can use the Windows Background Intelligent Transfer Service (BITS) to upload and download files from a host.
Hancitor's Use of Cobalt Strike and a Noisy Network Ping Tool - Palo Alto's Unit42 takes a look at Hancitor's attack methodology. IoCs included.
Blue Team Techniques
Secure containerized environments with updated threat matrix for Kubernetes - Microsoft releases their second version of an ATT&CK-like matrix for Kubernetes. The updated version adds new techniques and deprecates others, while also adding a new tactic taken from the ATT&CK collection.
Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting - WARNING: a lot of math principles. Microsoft outlines some of their mathematical and statistical approaches to hunting and tracking adversaries.
Government & Cybersecurity
NSA Issues Guidance on Zero Trust Security Model - The NSA has published their guidance on adopting and deploying a Zero Trust security model.
Webshells Observed in Post-Compromised Exchange Servers - CISA has released multiple malware analysis reports regarding the China Chopper webshell in relation to its use on compromised Exchange servers. In total, CISA has released 9 different malware reports for China Chopper.
Tools
Solitude - NCC Group released Solitude, a privacy analysis tool for anyone to evaluate user privacy. Solitude leverages an HTTP proxy and Yara rules to identify personal information.
nzyme - nzyme is an IDS for WiFi. It specifically scans for rogue access points and known WiFi attack platforms. Traffic is parsed and sent to a Graylog server for forensics and incident response.
Trapdoor - Trapdoor is a serverless honeytoken framework built on top of AWS for creating and alerting on honeytokens.
Yara Manager - Yara Manager allows you to store your Yara rules in a database, which lets you search the rules and their descriptions, cluster rules, set defaults in some of the meta fields, and also back up and share your rules.
Tracee - Another eBPF-based tool. Tracee is a runtime security and forensics tool for Linux. It uses Linux eBPF technology to trace your system and applications at runtime, and analyzes the collected events to detect suspicious behavioral patterns.
Educational Resources
A Crash Course On Sniffing Bluetooth Low Energy (BLE) - A 3-part series of videos to get started with sniffing and reversing BLE.
Become a Microsoft Defender for Endpoint Ninja - A curated list of resources, organized in a course-like format, to help people get trained on Microsoft Defender for Endpoint. The courses focus on the roles of "Security Operations" and "Security Administrator".
Building a full-text search engine in 150 lines of Python code - An excellent tutorial if you are interested in building a search engine, parsing text, or just learning some new functionality in Python.
Your All-In-One Guide to Setting up pfSense and Suricata in Splunk - Another great tutorial on home network monitoring. pfSense, Suricata, and Splunk (limited daily ingest) are all free and a great place to start with home network security.
Wireshark Tutorial: Decrypting RDP Traffic - Palo Alto's Unit42 has put together a Wireshark tutorial on how to decrypt Remote Desktop Protocol (RDP) traffic, complete with environment setup.
Miscellaneous
APT Encounters of the Third Kind - An interesting read about finding an adversary in a network, in some ways by accident.