This Week's Read List - 28 FEB 2021-06 MAR 2021
This Week's Read List (TWRL) is a collection of articles, blog posts, and other content that I've discovered throughout the last week. The collection may seem eclectic at times, but my hope is that you'll find these articles just as helpful and interesting as I have.
Malware, Campaigns and TTPs
HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft details HAFNIUM's exploitation of the zero-day vulnerabilities in Microsoft Exchange. IoCs included.
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities - Volexity's report on the recent exploitation of multiple zero-day vulnerabilities in Microsoft Exchange. IoCs included.
Microsoft Exchange Server Vulnerabilities Mitigations - The Microsoft Security Response Center (MSRC) outlines interim mitigations for the four actively exploited zero-day vulnerabilities in on-premises Microsoft Exchange servers, for use until the patches can be applied.
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities - FireEye details the indicators and intelligence it has observed from the zero-day attacks on Microsoft Exchange.
Threat Advisory: HAFNIUM and Microsoft Exchange zero-day - Cisco's Talos Intelligence releases their take on the Microsoft Exchange 0-days. IoCs included.
Threat Assessment: Active Exploitation of Four Zero-Day Vulnerabilities in Microsoft Exchange Server - Palo Alto's Unit 42 also weighs in on the Microsoft Exchange 0-days and how to detect them using their suite of tools.
GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence - Microsoft Threat Intelligence Center (MSTIC) names the adversary behind the SolarWinds breach NOBELIUM. They also publish their analysis of three newly identified malware families: GoldMax, GoldFinder, and Sibot. IoCs included.
New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452 - FireEye has also released initial analysis of SUNSHUTTLE, a newly discovered second-stage backdoor with a possible connection to UNC2452, the actor behind the SolarWinds breach. IoCs included.
Malware Loader Abuses Google SEO to Expand Payload Delivery - Gootloader, the malware loader previously known for distributing Gootkit malware, REvil ransomware, the Kronos trojan, and Cobalt Strike, is leveraging search engine optimization (SEO) to raise the page rank of attacker-controlled websites. This drives more traffic to the websites, which contain links that launch the Gootloader attack chain.
Malware attack that crippled Mumbai's power system came from China, claims infosec intel outfit Recorded Future - Recorded Future attributes the malware activity against India's electric grid to a Chinese group it tracks as RedEcho. RedEcho shares TTPs and infrastructure with APT41 and Tonto Team.
Working Windows and Linux Spectre exploits found on VirusTotal - The Spectre vulnerability, disclosed in 2018 by Google Project Zero researchers, now has working exploits for both Windows and Linux. The exploits appear to have been uploaded to VirusTotal as part of the Immunity CANVAS penetration testing and security toolkit.
Two ransomware strains target VMware’s ESXI hypervisor through stolen vCenter creds - CrowdStrike reports that two adversaries it tracks, CARBON SPIDER and SPRITE SPIDER, are deploying ransomware against VMware ESXi hosts to encrypt the virtual machines running on them. Both rely on stolen vCenter credentials to carry out the attack.
Shadow Attacks Allow Meddling With Content In Digitally Signed PDFs - Researchers from Ruhr University Bochum in Germany have come up with multiple attack techniques that allow modification of the content within digitally signed PDFs. These attacks exploit the legitimate features that keep the target documents compliant with the PDF standard. The techniques outline the ability to hide content, replace content, or a combination of hiding and replacing content.
New ICS Threat Activity Group: KAMACITE - Dragos details the activity of the KAMACITE group, first disclosed in their Cybersecurity 2020 Year in Review report. KAMACITE specifically targets the ICS operational networks of industrial organizations, not just their enterprise networks.
D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant - A variant of the Gafgyt botnet is targeting vulnerable D-Link and other IoT devices. It relies on the Tor network to obfuscate its C2 communications.
Windows DNS SIGRed bug gets first public RCE PoC exploit - A working proof-of-concept (PoC) exploit is now publicly available for the critical SIGRed Windows DNS Server remote code execution (RCE) vulnerability. The PoC has successfully been tested against unpatched 64-bit versions of Windows Server 2019, 2016, 2012R2 and 2012.
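The Shadow Attacks item above hinges on one property of signed PDFs: a signature's /ByteRange only covers the bytes that existed at signing time, and anything appended later as an incremental update is unsigned. The following is an added triage check (my example, not code from the Ruhr University researchers or from the post) that reads each /ByteRange, reports how many unsigned bytes and %%EOF markers trail the signed region, and confirms the hole between the two ranges holds nothing but the /Contents hex string. The PDF bytes it runs on are constructed inline and are not a valid document, only the pieces the check reads.

```python
import re
from dataclasses import dataclass

# /ByteRange [a b c d]: the signature hashes bytes a..a+b and c..c+d of the file.
BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_BODY_RE = re.compile(rb"[0-9A-Fa-f\s]*")


@dataclass(frozen=True)
class SignatureCoverage:
    signed_end: int          # first byte offset NOT covered by the signature hash
    file_length: int
    trailing_bytes: int      # unsigned bytes after signed_end (line-end whitespace ignored)
    trailing_eofs: int       # %%EOF markers in that tail, i.e. incremental updates after signing
    gap_is_hex_string: bool  # the hole between the two ranges must hold only the /Contents hex string

    @property
    def fully_covered(self) -> bool:
        return self.trailing_bytes == 0 and self.gap_is_hex_string


def check_signature_coverage(pdf: bytes) -> list:
    """One SignatureCoverage per /ByteRange found in the file.

    Anything past c+d was appended after signing as an incremental update and is
    not protected by the signature. That is where a shadow document's hidden or
    replacement objects live, so any unsigned tail deserves manual review. Viewers
    do tolerate some post-signature updates (a second signature, form fill-in), so
    treat this as a triage signal, not proof of tampering.
    """
    findings = []
    for m in BYTE_RANGE_RE.finditer(pdf):
        a, b, c, d = (int(x) for x in m.groups())
        gap = pdf[a + b:c].strip()
        tail = pdf[c + d:].rstrip(b"\r\n ")
        gap_ok = (len(gap) >= 2 and gap.startswith(b"<") and gap.endswith(b">")
                  and HEX_BODY_RE.fullmatch(gap[1:-1]) is not None)
        findings.append(SignatureCoverage(
            signed_end=c + d,
            file_length=len(pdf),
            trailing_bytes=len(tail),
            trailing_eofs=tail.count(b"%%EOF"),
            gap_is_hex_string=gap_ok,
        ))
    return findings


def constructed_signed_pdf() -> bytes:
    """Constructed stand-in for a signed PDF: not a valid document, only the bytes
    this check reads, with ByteRange offsets consistent with the layout."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /ByteRange "
    field_width = 40                          # fixed-width slot so the offsets do not move
    mid = b" /Contents "
    contents = b"<" + b"00" * 32 + b">"       # placeholder for the PKCS#7 blob
    rest = b" >>\nendobj\ntrailer\n<< /Root 2 0 R >>\nstartxref\n9\n%%EOF\n"
    hole_start = len(head) + field_width + len(mid)   # where the unsigned hole begins
    second_start = hole_start + len(contents)         # where the second signed range begins
    byte_range = f"[0 {hole_start} {second_start} {len(rest)}]".encode().ljust(field_width)
    return head + byte_range + mid + contents + rest


def constructed_shadow_update(signed: bytes) -> bytes:
    """Append a constructed incremental update of the kind a shadow attack relies on:
    new objects plus a new trailer after the signed bytes."""
    update = (b"3 0 obj\n<< /Type /Annot /Subtype /FreeText /Contents (replacement text) >>\n"
              b"endobj\ntrailer\n<< /Root 2 0 R /Prev 9 >>\nstartxref\n400\n%%EOF\n")
    return signed + update


if __name__ == "__main__":
    clean = constructed_signed_pdf()
    for label, doc in (("clean", clean), ("updated", constructed_shadow_update(clean))):
        for f in check_signature_coverage(doc):
            status = ("fully covered" if f.fully_covered else
                      f"UNSIGNED TAIL: {f.trailing_bytes} bytes, {f.trailing_eofs} %%EOF marker(s)")
            print(f"{label}: signed_end={f.signed_end} file_length={f.file_length} {status}")
```

Run it on a real signed PDF by reading the file as bytes and passing it to check_signature_coverage; a document with several signatures yields one finding per /ByteRange, and only the last signature is expected to cover the whole file.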
Blue Team Techniques
Awesome-CobaltStrike-Defence - Another awesome-list of detections and hunting resources for Cobalt Strike.
Detecting MITRE ATT&CK: Privilege escalation with Falco - Last week I uncovered Falco. This week Sysdig has a write-up on how to leverage Falco for hunting privilege escalation.
Government & Cybersecurity
NSA and CISA Jointly Issued Guidance On Protective DNS Services - A Protective DNS (PDNS) service uses the DNS protocol and infrastructure itself to analyze queries and block resolution of known-malicious or policy-violating domains. It provides a control against phishing, malware distribution, domain generation algorithms, and command and control traffic, and can also enforce content filtering.
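To make the PDNS item concrete, here is an added example of the policy decision a protective resolver makes per query (my code, not from the NSA/CISA guidance or any provider). It checks the query name and its parent domains against a threat feed and a content-category feed, sinkholes command-and-control domains so beaconing hosts can be identified, applies a crude DGA heuristic to the label left of the TLD, and otherwise allows the query. All domain names, feed contents and the sinkhole address are constructed for the example; a real service fills the feeds from threat intelligence and wraps this in an actual resolver.

```python
import math
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed feeds standing in for a provider's threat intelligence (hypothetical names).
MALICIOUS_DOMAINS = {
    "login-update.example": "phishing",
    "cdn-dl.example": "malware distribution",
    "beacon.example": "command and control",
}
CONTENT_CATEGORIES = {"casino.example": "gambling"}   # category feed used for content filtering
BLOCKED_CATEGORIES = {"gambling"}                       # the organization's content policy
SINKHOLE_IP = "192.0.2.1"   # RFC 5737 documentation address; answering C2 lookups with it
                            # makes infected hosts show up in the sinkhole's logs


@dataclass(frozen=True)
class Verdict:
    action: str    # "allow", "block" (answer NXDOMAIN) or "sinkhole" (answer with SINKHOLE_IP)
    reason: str
    answer: Optional[str] = None


def candidate_names(qname: str) -> list:
    """The query name and each parent domain, stopping before the bare TLD, so a
    feed entry for login-update.example also covers www.login-update.example."""
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in Counter(s).values())


def looks_like_dga(qname: str) -> bool:
    """Crude DGA heuristic on the label left of the TLD (no public-suffix handling):
    long, high-entropy labels with few vowels or many digits. It will false-positive
    on hashed CDN hostnames, which is why real PDNS backs it with feeds."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < 12:
        return False
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= 3.3 and (vowels < 0.25 or digits >= 0.3)


def evaluate(qname: str) -> Verdict:
    """Policy decision for one query name, most specific feed match first."""
    for name in candidate_names(qname):
        if name in MALICIOUS_DOMAINS:
            category = MALICIOUS_DOMAINS[name]
            if category == "command and control":
                return Verdict("sinkhole", f"{name}: {category}", SINKHOLE_IP)
            return Verdict("block", f"{name}: {category}")
        category = CONTENT_CATEGORIES.get(name)
        if category in BLOCKED_CATEGORIES:
            return Verdict("block", f"{name}: category {category}")
    if looks_like_dga(qname):
        return Verdict("block", "DGA-like label")
    return Verdict("allow", "no policy match")


if __name__ == "__main__":
    for q in ("docs.python.org", "www.login-update.example", "BEACON.example.",
              "games.casino.example", "xk3jq9w0vb2lpmzz.example", "documentation.example"):
        v = evaluate(q)
        print(f"{q:32} {v.action:9} {v.reason}" + (f" -> {v.answer}" if v.answer else ""))
```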
DevOps
Keeping Infrastructure as Code Secure (KICS) - KICS is a static analysis tool that helps developers write more secure infrastructure as code (IaC). It is designed to detect security vulnerabilities, misconfigurations, and hard-coded keys and passwords.
Tools
Bastion - Bastion is a highly available, fault-tolerant runtime system with a dynamic, dispatch-oriented, lightweight process model, written in Rust. It supplies actor-model-like concurrency with a lightweight process implementation, utilizes system resources efficiently, and guarantees at-most-once message delivery.
Pyroscope - Pyroscope is a continuous profiling platform designed to help developers find performance issues in code, resolve issues with high CPU utilization, understand the call tree of an application and track changes over time.
YarIx - YarIx is a scalable method of running YARA rules across large malware corpora. The white paper YarIx: Scalable YARA-based Malware Intelligence [PDF] provides the basis for this project.
Educational Resources
Splitting the ping - This blog post looks at ICMP pings and challenges commonly made assumptions about latency measurements.
Fast Flux 101: How Cybercriminals Improve the Resilience of Their Infrastructure to Evade Detection and Law Enforcement Takedowns - Palo Alto's Unit 42 breaks down how DNS fast flux works and how it has been used in real-world campaigns. Some IoCs included.
A Guide to Ghidra Scripting Development for Malware Researchers - SentinelOne Labs did a great job on this piece. It provides a walkthrough of the development environment setup using Eclipse, dissects some existing Ghidra scripts, and links to existing scripts that are likely to be commonly used.
An Exhaustively-Analyzed IDB For FlawedGrace - A write-up of the analysis of FlawedGrace, a fully featured RAT written in C++ and first observed in late 2017.
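The Fast Flux 101 item describes the signature of a fast-flux network: very short TTLs and a large, constantly rotating pool of A records spread across unrelated networks. As an added example (my code, not Unit 42's, and not from the post), here is a detector that runs over a set of resolver-log style observations, tracks per-domain IP churn, distinct address count, network spread and minimum TTL, and flags domains that trip all four. The observations and thresholds are constructed for the example; distinct /24 prefixes stand in for the ASN and geolocation diversity a real analysis would compute from enrichment data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DnsObservation:
    """One A-record response as a resolver log or passive-DNS feed would record it."""
    ts: int          # epoch seconds of the lookup
    qname: str
    ttl: int
    ips: tuple       # addresses returned, in answer order


@dataclass(frozen=True)
class FluxReport:
    domain: str
    queries: int
    distinct_ips: int
    distinct_networks: int   # distinct /24 (IPv4) or /48 (IPv6) prefixes, a stand-in for ASN spread
    min_ttl: int
    churn: float             # share of consecutive responses whose IP set changed
    fast_flux: bool


def _network(ip: str):
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def analyze_domain(observations, domain: str, *, max_ttl: int = 300, min_ips: int = 5,
                   min_networks: int = 3, min_churn: float = 0.5) -> Optional[FluxReport]:
    """Score one domain. A CDN also uses low TTLs, so TTL alone never decides;
    the domain must additionally show many addresses, spread over several
    networks, that change between lookups."""
    obs = sorted((o for o in observations if o.qname.rstrip(".").lower() == domain.lower()),
                 key=lambda o: o.ts)
    if not obs:
        return None
    ips = {ip for o in obs for ip in o.ips}
    networks = {_network(ip) for ip in ips}
    changes = sum(1 for prev, cur in zip(obs, obs[1:]) if set(prev.ips) != set(cur.ips))
    churn = changes / (len(obs) - 1) if len(obs) > 1 else 0.0
    min_ttl = min(o.ttl for o in obs)
    flux = (min_ttl <= max_ttl and len(ips) >= min_ips
            and len(networks) >= min_networks and churn >= min_churn)
    return FluxReport(domain, len(obs), len(ips), len(networks), min_ttl, churn, flux)


def analyze_all(observations) -> dict:
    domains = {o.qname.rstrip(".").lower() for o in observations}
    return {d: analyze_domain(observations, d) for d in sorted(domains)}


# Constructed observations (RFC 5737 documentation addresses, hypothetical names).
SAMPLE = [
    # flux domain: low TTL, a different trio of addresses across three /24s on every lookup
    DnsObservation(1000, "update-secure.example", 120, ("198.51.100.10", "203.0.113.22", "192.0.2.77")),
    DnsObservation(1300, "update-secure.example", 120, ("198.51.100.11", "203.0.113.22", "192.0.2.78")),
    DnsObservation(1600, "update-secure.example", 120, ("198.51.100.12", "203.0.113.23", "192.0.2.77")),
    DnsObservation(1900, "update-secure.example", 120, ("198.51.100.10", "203.0.113.24", "192.0.2.79")),
    # CDN-style domain: also a low TTL, but a stable pair of addresses in one network
    DnsObservation(1000, "static.cdn.example", 60, ("203.0.113.5", "203.0.113.6")),
    DnsObservation(1300, "static.cdn.example", 60, ("203.0.113.6", "203.0.113.5")),
    DnsObservation(1600, "static.cdn.example", 60, ("203.0.113.5", "203.0.113.6")),
    # ordinary domain: one address, long TTL
    DnsObservation(1000, "www.example", 86400, ("192.0.2.200",)),
]


if __name__ == "__main__":
    for domain, r in analyze_all(SAMPLE).items():
        print(f"{domain:24} queries={r.queries} ips={r.distinct_ips} nets={r.distinct_networks} "
              f"min_ttl={r.min_ttl} churn={r.churn:.2f} {'FAST FLUX' if r.fast_flux else 'ok'}")
```

With only a handful of lookups per domain the churn estimate is noisy; in practice you accumulate observations over hours before scoring, and a domain that trips the detector is a lead for enrichment (ASN, registration age, shared infrastructure), not a verdict on its own.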
Miscellaneous
Hacking Super Monkey Ball Part 2 – Decompilation with Ghidra - Gamers have got to be pretty close to the original hacker. This post looks at how to use Ghidra to decompile the game and find cheats and other ways to get ahead in it.