

Cyber Defence Analysis for Blue & Purple Teams
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week not much beyond the usual background noise.
In the high-level this week:
Cyber attacks set to become ‘uninsurable’, says Zurich chief - Unlikely to be true, but underwriting will become more data driven. We have covered some of the loss ratios in cyber for the US based underwriters previously. For those interested in cyber insurance I recommend the bi-weekly podcast Cyber Leaders & Insurance Leaders which is hosted by Anthony Hess.
Cyber Risk Insight Index - The largest claims category in Q3 2022 is fraudulent funds transfers. Ransomware accounts for only 15% of total claims - compared to 34% in Q3 2022. This is in and of itself interesting given the previous headline.
Cybersecurity: EU holds 8th dialogue with the United States - from December 16th 2022 - the headlines are: build more capacity, hold states accountable to ensure a stable cyberspace and build more resilience.
Chinese Approach to International Law with Regard to Cyberspace Governance and Cyber Operation: From the Perspective of the Five Principles of Peaceful Co-existence. The five principles China uses to explain its various activities are:
mutual respect for sovereignty and territorial integrity
mutual non-aggression
noninterference in each other’s internal affairs
equality and mutual benefit
and peaceful coexistence.
No-limits relationship? China’s state hackers scoop up intelligence on Ukraine… and Russia - High-level narrative from Intrusion Truth on Chinese activity in and around Ukraine/Russia.
For Sale on eBay: A Military Database of Fingerprints and Iris Scans - German security researchers studying biometric capture devices popular with the U.S. military got one on eBay for $68 with data still intact.
No I in Team - Integrated Deterrence with Allies and Partners - Integrated deterrence seeks to integrate all tools of national power across domains, geography, and spectrum of conflict, while working with allies and partners. But what integrated deterrence entails in practical terms remains unclear, particularly to the very allies and partners Washington wants more from. - cyber is a component!
The Israeli Firm Selling ‘Dystopian’ Hacking Capabilities - The company sells technologies that allow clients to locate security cameras or even webcams within a given perimeter, hack into them, watch their live feed and even alter it – and past recordings – according to internal documents obtained by Haaretz - if this exists for CCTV you have to wonder about other physical security products.
DHS Small Business Innovation Research Solicitation - for our US small business readers - various cyber topics up for grabs including Accurate and Real-time Hardware-assisted Detection of Cyber Attacks etc.
Do Users Write More Insecure Code with AI Assistants? - finds that developers seem to write less secure code with AI assistants.
Operational Feasibility of Adversarial Attacks Against Artificial Intelligence - from RAND, the overriding takeaway is not to panic, then there is:
Adversarial attacks designed to hide objects from AI pose less risk to DoD applications than academic research currently implies.
In the real world, such adversarial attacks are difficult to design and deploy because of high knowledge requirements and infeasible attack vectors; there are often less expensive, more practical, and more effective nonadversarial techniques available.
Fusing data and predictions across sensor modalities, signal-sampling rates, and image resolution can further mitigate the risk of adversarial attacks against AI.
Reflection this week stems from the fact I got a heat pump installed and it is like the 1990s wants its cyber security back.
The controllers which allow you to instruct something that makes things very cold or very hot are a further example of insecurity - default passwords (read: none), no TLS, no signed firmware updates etc. In the wrong (or right?) situation who can guess the potential impact given the ability to control the physical environment?
So it appears what I wrote in 2011 in a post titled ‘Breaking the Inevitable Niche/Vertical Technology Security Vulnerability Lifecycle’ still holds. I would hypothesize that not enough/any researchers have seen these devices and the vendor hasn’t felt enough pain quite yet...
Have a lovely Thursday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
APT41 — The spy who failed to encrypt me
Chinese ransomware operations by a state-aligned actor are discussed in this reporting. A question on this very topic was asked when we gave our oral evidence to the Joint Committee on the National Security Strategy at the start of the month, namely: is China conducting ransomware operations?
one of APT41’s operations against an unnamed German company from the financial sector. The company contacted us in March 2022 after discovering a ransom note (as presented below) on several of its servers. The threat actor tried to encrypt multiple workstations in the client’s environment which was thwarted by Microsoft Defender for Endpoint (MDE)
The threat actor gained initial access in March 2021 by exploiting a chain of vulnerabilities known as “ProxyLogon” (CVE-2021-26855, CVE-2021-27065). The tactics, techniques and procedures (TTPs) observed in this case align with several publicly disclosed security incidents that were attributed to APT41 with medium-high confidence.
https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1
RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant
Further reporting on recent Chinese activity, this time with an espionage focus. Tradecraft is very run of the mill.
During the 3-month period from September through November 2022, RedDelta has regularly used an infection chain employing malicious shortcut (LNK) files, which trigger a dynamic-link library (DLL) search-order-hijacking execution chain to load consistently updated PlugX versions. Throughout this period, the group repeatedly employed decoy documents specific to government and migration policy within Europe. Of note, we identified a European government department focused on trade communicating with RedDelta command-and-control (C2) infrastructure in early August 2022. This activity commenced on the same day that a RedDelta PlugX sample using this C2 infrastructure and featuring an EU trade-themed decoy document surfaced on public malware repositories. We also identified additional probable victim entities within Myanmar and Vietnam regularly communicating with RedDelta C2 infrastructure.
RedDelta closely overlaps with public industry reporting under the aliases BRONZE PRESIDENT, Mustang Panda, TA416, Red Lich, and HoneyMyte.
Stolen certificates in two waves of ransomware and wiper attacks
Reporting on Iranian use of stolen Windows code signing certificates against Albania etc. The interesting aspects are firstly that they have started to sign their code and secondly that they had access to one belonging to the Kuwait Telecommunications Company. Unclear how they achieved that..
We compare the first and second waves of ransomware and wiper malware used to target Albanian entities and detail connections with previously known ROADSWEEP ransomware and ZEROCLEARE variants.
The threat actors used certificates from Nvidia and Kuwait Telecommunications Company to sign their malware; the former was already leaked, but we’re not sure how they got their hands on the latter.
We identified potential cooperation between different attack groups speaking different languages, and the possible use of AnyDesk as an initial entry point to start the ransomware/wiper infections.
The changes implemented to automate and speed up wiping in the second wave of attacks are reminiscent of the notorious Shamoon wiper attacks in the Middle East.
https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates/108350/
North Korea
South Korean police press release
South Korean police attribute a recent campaign to North Korea. The value in this reporting is not only the fact of attribution, the trade-craft and the TTPs, but also the details of the scale.
The case of sending impersonated e-mails to reporters and members of the National Assembly was confirmed as being carried out by a North Korean hacking organization
The North Korean hacking organization secured the basis for cyber terrorism by taking control of 326 server computers in 26 countries (87 in Korea) through indiscriminate hacking at home and abroad, and it was a waypoint for washing IP addresses to avoid tracking by investigative agencies.
49 people in the fields of diplomacy, unification, security, and national defense who accessed the phishing site and entered their IDs and passwords were identified. It was found to have been removed.
Threat Actor Activity Highlights: North Korea
Another year in review / greatest hits of 2022 from North Korea. Shows increasing capability on various fronts.
This report provides highlights of activity perpetrated by North Korea-based threat actors in 2022.
Threat actors featured in this report include Lazarus Group, BlueNoroff, Reaper, Andariel, Kimsuky, Gwisin, and H0ly Gh0st.
PolySwarm tracked malware associated with multiple North Korea nexus threat actors in 2022.
…
In late 2022, Lazarus Group was observed using signed MacOS malware to target individuals searching for jobs in the IT industry. The malware used in the campaign targets both Intel and Apple silicon. The malware masquerades as a PDF with information on Coinbase jobs.
The group was also observed using fake cryptocurrency apps to deliver a fresh variant of AppleJeus malware. The campaign targets cryptocurrency users and organizations.
https://blog.polyswarm.io/polyswarm-2022-recap-threat-actor-activity-highlights-north-korea
Our In-Depth Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users
The product pitch in this blog is a little thick. That notwithstanding, there are two standout aspects of this reporting beyond the phishing activity itself, as highlighted below.
We even discovered a DeFi platform run by North Korean hackers.
..
we found that North Korean hackers and Eastern Europe seem to be cooperating to phishing NFT users. What do you think?
Lazarus APT's Operation Interception Uses Signed Binary
Mellvin S provides further reporting on a historic campaign in which the Hermit Kingdom was able to obtain code signing certificates for macOS. This certificate was issued in February and revoked in August. There are various strong TTPs in their document generation which will help defenders.
Malware authors have regularly used signed binaries to bypass the Apple security mechanism and infect macOS users. We came across one such sample and this time they are baiting users with job vacancies at Coinbase while silently pushing a signed binary in the background and doing their malicious activity. This is an instance of Operation In(ter)ception by Lazarus.
The malware is a signed executable. The developer id belonged to Shankey Nohria but it has been revoked as of now
https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/
BlueNoroff introduces new methods bypassing MoTW
Seongsu Park provides reporting which shows that North Korea is able to read, consume and apply trade-craft discussed on Twitter and blogs. It must be stressed that these techniques are new to NK trade-craft, not new in general: we have seen various other state and criminal actors use these file formats in very similar ways.
The first new method the group adopted is aimed at evading the Mark-of-the-Web (MOTW) flag, the security measure whereby Windows displays a warning message when the user tries to open a file downloaded from the internet. To do this, optical disk image (.iso extension) and virtual hard disk (.vhd extension) file formats were used. This is a common tactic used nowadays to evade MOTW, and BlueNoroff has also adopted it.
In addition, the group tested different file types to refine malware delivery methods. We observed a new Visual Basic Script, a previously unseen Windows Batch file, and a Windows executable. It seems the actors behind BlueNoroff are expanding or experimenting with new file types to convey their malware efficiently.
https://securelist.com/bluenoroff-methods-bypass-motw/108383/
Operation Dragon Dance
The sword of Damocles hanging over the gaming industry
This reporting is interesting, although the time frames are no more specific than “Since 2015, it has used multiple 0day vulnerabilities” and “This article introduces two 0day vulnerabilities of the same type that have been captured in recent years”. The interesting aspect is that the actor is exploiting Cross-Site Scripting in Electron based chat apps used by customer service. This shows at least a degree of vulnerability research and exploit development capability.
In this article, we will give the details of two 0day vulnerabilities and a complete attack event analysis. All IOCs are inaccessible and will not be provided for now.
Despite the above there are lots of technical detail provided and thus worth a read.
Hidden Fangs in South Asia
Indian state activity outed in reporting from China which identifies Microsoft Office vulnerabilities from 2017 being exploited in the guise of CVE-2017-11882.
Samples use Pakistan-related schools or the army as bait to carry out harpoon attacks, and its attack techniques and tactics (TTP) use the DotNetToJScript tool to generate JS code to load .NET programs. In the recent attack activities, we summarized the characteristics of the attack methods of the Sidewinder organization:
(1) Make good use of social engineering and use more appropriate bait, even the bait comes from real documents;
(2) Multi-stage download and obfuscation of subsequent loads;
(3) Use a lightweight remote Shell backdoor, and continue to use related C2 even after being exposed.
Analysis of recent attack activities of APT-C-36 (Blind Eagle)
A threat actor that some open-source reporting suspects of originating from Colombia is discussed in this reporting from China. Points of note here include the active use of AMSI bypasses in an attempt to avoid detection, combined with common off-the-shelf implants.
An APT organization suspected to be from South America. Its main targets are located in Colombia and some areas in South America, such as Ecuador and Panama.
APT-C-36 often uses harpoon attacks recently, using PDF files as entry points to induce users to click malicious links in the documents to download RAR compressed files. Most compressed files need a password to decompress. The password is basically a 4-digit pure number. After decompression, it is a VBS script disguised as a PDF file name. After the VBS script is clicked and executed by the user, it will start a complex and multi-stage fileless attack chain. The final loader is an obfuscated AsyncRAT or NjRAT Trojan, and the code to bypass the AMSI mechanism is added, which shows that the organization is constantly optimizing its attack weapon.
Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks
I missed this last week, but thought it worthwhile to include. Ivan Nicole Chavez, Byron Gelera, Monte de Jesus, Don Ovid Ladores and Khristian Joseph Morales build on existing reporting for this group to detail their post compromise trade-craft. Again where actors have call centers ready to support your users in bypassing all the controls it adds a new dimension for sure..
External reports mention that the Royal ransomware group uses callback phishing as a means of delivering their ransomware to victims. These phishing attacks contain a number that leads to a service hired by the threat actors. When contacted, they will use social engineering tactics to lure victims into installing remote access software.
Our investigation found that the ransomware actors used a compiled remote desktop malware, which was used to drop the tools they needed to infiltrate the victim’s system: they used QakBot and Cobalt Strike for lateral movement, while NetScan was used to look for any remote systems connected to the network. Once they infiltrated the system, the ransomware actors used tools such as PCHunter, PowerTool, GMER, and Process Hacker to disable any security-related services running in the system. They then exfiltrate the victim’s data via the RClone tool. We also observed an instance in which they used AdFind to look for active directories, then executed RDPEnable on the infected machine.
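To turn the tool list above into something operational, here is an added example (my own code, not Trend Micro's) that correlates process-creation events per host and alerts when tooling from two or more of the stages described (recon with NetScan/AdFind, security-tool disabling with PCHunter/PowerTool/GMER/Process Hacker, exfiltration with RClone) appears within a 24-hour window. The log lines are constructed, the executable names are assumed on-disk defaults (renamed binaries need hash or PE-metadata matching instead), and the window size is an arbitrary choice.

```python
"""Correlate Royal-style post-compromise tooling into one alert per host.

Added example, not the report's own code. Executable names are assumed
defaults and the sample events below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tool families named in the report, keyed by the stage they serve.
TOOL_STAGES = {
    "recon": {"netscan.exe", "adfind.exe"},
    "defence_evasion": {"pchunter64.exe", "pchunter32.exe", "powertool64.exe",
                        "powertool.exe", "gmer.exe", "processhacker.exe"},
    "exfiltration": {"rclone.exe"},
}
IMAGE_TO_STAGE = {img: stage for stage, imgs in TOOL_STAGES.items() for img in imgs}
WINDOW = timedelta(hours=24)  # assumption: how close together hits must be

# Constructed process-creation events: "timestamp|host|user|image_path"
SAMPLE_EVENTS = """\
2022-12-01T09:12:04|WS-FIN-07|corp\\alice|C:\\Windows\\System32\\svchost.exe
2022-12-01T09:40:31|WS-FIN-07|corp\\alice|C:\\Users\\alice\\AppData\\Local\\Temp\\netscan.exe
2022-12-01T10:02:17|WS-FIN-07|corp\\alice|C:\\Users\\alice\\AppData\\Local\\Temp\\AdFind.exe
2022-12-01T11:15:45|WS-FIN-07|corp\\alice|C:\\ProgramData\\PCHunter64.exe
2022-12-01T12:30:09|WS-FIN-07|corp\\alice|C:\\ProgramData\\rclone.exe
2022-12-01T13:00:00|SRV-BUILD-02|corp\\svc_build|C:\\Tools\\ProcessHacker.exe
2022-12-03T14:00:00|SRV-BUILD-02|corp\\svc_build|C:\\Tools\\rclone.exe
"""


def parse_event(line):
    """Split one event line into (timestamp, host, user, lower-cased image basename)."""
    ts, host, user, image = line.strip().split("|")
    return datetime.fromisoformat(ts), host, user, image.rsplit("\\", 1)[-1].lower()


def correlate(lines, min_stages=2):
    """Return one alert per host whose tool hits within WINDOW span >= min_stages stages.

    A single recon tool on its own does not alert; the combination of stages on
    one host inside the window is what distinguishes an intrusion from admin use.
    """
    per_host = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, host, _user, image = parse_event(line)
        stage = IMAGE_TO_STAGE.get(image)
        if stage:
            per_host[host].append((ts, stage, image))

    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        # Slide a window forward from each hit; the first window that spans
        # enough stages produces the alert and we stop for that host.
        for i, (start, _, _) in enumerate(hits):
            window = [h for h in hits[i:] if h[0] - start <= WINDOW]
            stages = {h[1] for h in window}
            if len(stages) >= min_stages:
                alerts.append({
                    "host": host,
                    "first_seen": start.isoformat(),
                    "stages": sorted(stages),
                    "tools": sorted({h[2] for h in window}),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

In the constructed sample only WS-FIN-07 alerts; SRV-BUILD-02 has two tools from different stages but 49 hours apart, so it falls outside the window.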
L’art de l’évasion: How Shlayer hides its configuration inside Apple proprietary DMG files
Taha aka "lordx64" provides insight into some macOS specific obfuscation trade-craft.
Shlayer has mainly been used as an installer/downloader, its main goal being to download adware like Bundlore
I wanted to revisit the OSX/Shlayer.F variant of the Shlayer malware to report on a technique that has not previously been seen in other macOS malware for hiding Command and Control (C2) information. This variant encrypts its configuration using AES within the DMG file header structure, resulting in a modified DMG file. The modification is cleverly crafted and does not cause the DMG file to become corrupted or malfunction. In fact, the macOS operating system is able to mount these modified DMG files and load them as usual.
IcedID Botnet Distributors Abuse Google PPC to Distribute Malware
Ian Kenefick provides good detail on which specific brands are being used by criminal actors in their pay-per-click distribution campaigns. We have seen threat actors use this trade-craft both in the West (on the likes of Google) and also in the East on the Chinese equivalents. The fact they (criminals) continue to invest in such campaigns shows there is a clear return-on-investment.
In our investigation, we discovered that IcedID distributors hijacked the keywords used by these brands and applications to display malicious ads:
Adobe – A computer software company
AnyDesk - A remote control application
Brave Browser - A web browser
Chase Bank - A banking application
Discord - An instant messenger service
Fortinet - A security company
GoTo - A remote control application
Libre Office - An open-source alternative to Microsoft Office
OBS Project - A streaming application
Ring - A home CCTV (closed-circuit) manufacturer
Sandboxie - A virtualization/sandbox application
Slack - An instant messaging application
Teamviewer - A remote control application
Thunderbird - An email client
US Internal Revenue Service (IRS) – A US federal government body
Since December 2022, we observed the abuse of Google pay per click (PPC) ads to distribute IcedID via malvertising attacks.
In our investigation, malicious actors used malvertising to distribute the IcedID malware via cloned webpages of legitimate organizations and well-known applications. Recently, the Federal Bureau of Investigation (FBI) published a warning pertaining to how cybercriminals abuse search engine advertisement services to imitate legitimate brands and direct users to malicious sites for financial gain.
Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT
Wojciech Cieslak provides detailed reporting on this commercial framework usage. It is also interesting to note that Microsoft Publisher was not subject to the macro blocking that Microsoft introduced.
[We] analyzed samples of an Ekipa Remote Access Trojan (RAT) in the wild, and found interesting techniques for the use of malicious Office documents. As shown in this research, the Ekipa RAT was added to a sophisticated threat actors’ cyber arsenal and used in the Russian – Ukraine war.
The current price is set at $3,900, which is very high. The trojan leverages MS Office and Visual Basic for Applications as its main infection and operations vector. It also comes with a control panel and builders for:
MS Word Macros
XLL Excel add-ins
MS Publisher Macros
When Microsoft blocked macros from executing in files downloaded from the Internet, it did not do so for the Publisher files.
Discovery
How we find and understand the latent compromises within our environments.
CVE-2022-27510, CVE-2022-27518 – Measuring Citrix ADC & Gateway version adoption on the Internet
Yun Zheng Hu details how to identify vulnerable versions (the techniques are applicable elsewhere) and then the results.
Using Shodan Images to Hunt Down Ransomware Groups
Josh Allman outlines some amusing trade-craft where image collection and OCR are combined in Shodan to find mass compromise campaigns by some organised crime groups.
These are exposed instances of VNC with no authentication and anyone is able to connect and send commands. I have searched through Shodan images looking for cases where people have executed PowerShell or bitsadmin. I have done this because not every instance of open VNC running is Windows, and what happens here is a pitfall for ransomware groups where they end up spamming their payload at any poor device that will listen.
https://www.huntress.com/blog/using-shodan-images-to-hunt-down-ransomware-groups
Defence
How we proactively defend our environments.
AWS CIRT releases five publicly available workshops
Steve de Vera discusses free training from Amazon on how to detect and respond to the common incident types that they see.
Over the past year, AWS CIRT has responded to hundreds of such security events, including the unauthorized use of AWS Identity and Access Management (IAM) credentials, ransomware and data deletion in an AWS account, and billing increases due to the creation of unauthorized resources to mine cryptocurrency.
We are excited to release five workshops that simulate these security events to help you learn the tools and procedures that AWS CIRT uses on a daily basis to detect, investigate, and respond to such security events.
Advanced Notice: Amazon S3 will automatically enable S3 Block Public Access and disable access control lists
Defaulting to secure for all new S3 buckets starting in April 2023 for all creation use cases. This is how hyperscalers move the dial.
Starting in April 2023, Amazon S3 will introduce two new default bucket security settings by automatically enabling S3 Block Public Access and disabling S3 access control lists (ACLs) for all new S3 buckets. Once complete, these defaults will apply to all new buckets regardless of how they are created, including AWS CLI, APIs, SDKs, and AWS CloudFormation. These defaults have been in place for buckets created in the S3 management console since the two features became available in 2018 and 2021, respectively, and are recommended security best practices. There is no change for existing buckets.
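Since the new defaults do not touch existing buckets, here is an added example (my own, not AWS's code) that audits the buckets you already have against the same two settings: all four Block Public Access options on, and ACLs disabled via BucketOwnerEnforced object ownership. It assumes boto3 and credentials allowing s3:ListAllMyBuckets, s3:GetBucketPublicAccessBlock and s3:GetBucketOwnershipControls when run as a script; the pure evaluate_bucket() function needs neither.

```python
"""Audit existing S3 buckets against the April 2023 new-bucket defaults.

Added example, not AWS's code. boto3 is only imported when run as a script,
so evaluate_bucket() can be unit-tested offline on constructed settings.
"""
from __future__ import annotations

# The four Block Public Access settings the new default turns on.
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
# The object-ownership setting that disables ACLs entirely.
ACLS_DISABLED = "BucketOwnerEnforced"


def evaluate_bucket(public_access_block: dict | None,
                    ownership_rules: list | None) -> list[str]:
    """Return the ways one bucket deviates from the new defaults (empty = compliant).

    public_access_block: the PublicAccessBlockConfiguration dict, or None when the
        bucket has no configuration at all (typical of older CLI/API-created buckets).
    ownership_rules: the OwnershipControls Rules list, or None when unset.
    """
    findings = []
    if public_access_block is None:
        findings.append("no Block Public Access configuration")
    else:
        for name in BPA_SETTINGS:
            if not public_access_block.get(name, False):
                findings.append(f"{name} is off")
    ownership = (ownership_rules or [{}])[0].get("ObjectOwnership")
    if ownership != ACLS_DISABLED:
        findings.append(f"ACLs still enabled (ObjectOwnership={ownership or 'unset'})")
    return findings


def fetch_bucket_settings(s3, bucket: str) -> tuple[dict | None, list | None]:
    """Fetch both settings for a bucket, mapping 'not configured' errors to None."""
    from botocore.exceptions import ClientError
    try:
        bpa = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        bpa = None
    try:
        rules = s3.get_bucket_ownership_controls(Bucket=bucket)["OwnershipControls"]["Rules"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "OwnershipControlsNotFoundError":
            raise
        rules = None
    return bpa, rules


def audit(s3) -> dict[str, list[str]]:
    """Map each non-compliant bucket name to its findings."""
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        findings = evaluate_bucket(*fetch_bucket_settings(s3, bucket["Name"]))
        if findings:
            report[bucket["Name"]] = findings
    return report


if __name__ == "__main__":
    import boto3  # imported here so the evaluation logic has no AWS dependency
    for name, findings in audit(boto3.client("s3")).items():
        print(f"{name}: {'; '.join(findings)}")
```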
Vulnerability
Our attack surface.
The Future of Advisories: Automation and proprietary analytics
Rik van Dijk and Jeroen van der Ham from the Netherlands National Cyber Security Center outline the future for advisories from NCSC-NL.
In addition to including CSAF and SSVC in the operational information provision, we also request attention in the new NCSC Research Agenda for the further automation of security advice in order to keep the ever-increasing stream of vulnerabilities manageable.
Offense
Attack capability, techniques and trade-craft.
Pass-the-Challenge: Defeating Windows Defender Credential Guard
Oliver Lyak drops impressive research which shows how Credential Guard can be bypassed in part due to the need to support some backwards compatibility.
In this blog post, we present new techniques for recovering the NTLM hash from an encrypted credential protected by Windows Defender Credential Guard. While previous techniques for bypassing Credential Guard focus on attackers targeting new victims who log into a compromised server, these new techniques can also be applied to victims logged on before the server was compromised.
https://research.ifcr.dk/pass-the-challenge-defeating-windows-defender-credential-guard-31a892eee22
Blindside: Utilizing hardware breakpoints to evade monitoring by Endpoint Detection and Response platforms
More arms race capability against EDR/XDR platforms.
Blindside is a technique for evading the monitoring of endpoint detection and response (EDR) and extended detection and response (XDR) platforms using hardware breakpoints to inject commands and perform unexpected, unwanted, or malicious operations. It involves creating a breakpoint handler, and setting a hardware breakpoint that will force the debugged process to load only ntdll to memory. This will result in a clean and unhooked ntdll which then could be copied to our process and unhook the original ntdll.
https://github.com/CymulateResearch/Blindside
Divide And Bypass: A new Simple Way to Bypass AMSI
Brahim Chebli made me smile with this post as I used this technique when I worked in Symantec’s Advanced Threat Research team in the mid 2000s. At the time whole system observability was too expensive so to bypass the behavioral elements I used a ‘a process does one incrementally malicious action’ methodology. This has now been applied to AMSI and PowerShell with good effect...
As a review, we saw how to bypass AMSI by dividing a script into small files. I think the most useful use-case of this method is to execute an AMSI bypass, but it can be applied to any script (small scripts), reverse shell, FODHelper UAC bypass... I didn't test on a script that contains defined functions, but the principle stays the same.
https://x4sh3s.github.io/posts/Divide-and-bypass-amsi/
New AMSI Bypass Using CLR Hooking
A new technique which should be detectable via copy on write mechanisms.
In this article, I will present a new technique to bypass Microsoft’s Anti-Malware Scan Interface (AMSI) using API Call Hooking of CLR methods. When executed on a Windows system, this AMSI bypass will prevent the current process from passing any more data to the installed AV, thus allowing for malicious code to be loaded without interference. This technique has an advantage over other API Call Hooking techniques that target native functions such as AMSI.dll::AmsiScanBuffer in that this method is more difficult to prevent with EDR or Application Protection rules commonly found in enterprise environments. Additionally, it works against PowerShell 3.0+ including PowerShell 7+.
https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/
Detecting and Evading Sandboxing through Time based evasion
Jordan Jay shows some further evolution in evasion techniques that will need remediating in various sandboxes.
Hooks on any default sleep function or the underlying syscall (NtDelayExecution) can be avoided without using unhooking. This was just a showcase on two time based evasion techniques I thought of as cool; I might add some more if I can be bothered.
DCMB: Dont Call Me Back - Dynamic kernel callback resolver for Windows
A work aid for offensive use cases to remove some telemetry sources.
"I really want to remove AC/AV/EDR's kernel callback, but I don't like working with offsets and/or signature". Well, not anymore! DCMB will help you to find those callbacks dynamically.
Supported Callbacks
Process Creation Callback (Returns PspCreateProcessNotifyRoutine array address)
Thread Creation Callback (Returns PspCreateThreadNotifyRoutine array address)
Image Load Callback (Returns PspLoadImageNotifyRoutine array address)
Registry RW Callback (Returns CallbackListHead doubly linked list address)
Object Creation Callback (Both Process and Thread object) (Returns PsProcessType's and PsThreadType's CallbackList linked list address)
https://github.com/GetRektBoy724/DCMB
ServerlessRedirector: Serverless Redirector in various cloud vendors
Sabri provides AWS, GCP and Azure lambda to redirect C2. Should be easy for the cloud vendors to detect and nuke for terms of service violation.
https://github.com/KINGSABRI/ServerlessRedirector
Exploitation
What is being exploited.
OWASSRF Vulnerability Exploitation
Robert Falcone and Lior Rochberger provide details of in the wild exploitation further building on the reporting last week.
[We] did observe threat actor activity exploiting these vulnerabilities, in which the actor used a PowerShell-based backdoor that we are tracking as SilverArrow to run commands on the Exchange Server. The actors ran commands to do the following:
Create an administrator account
Install the AnyDesk remote desktop application
Create an SSH tunnel using PuTTY Link to remotely access Windows Remote Desktop Protocol (RDP)
Dump memory of the LSASS process to harvest credentials
At the time of writing (Dec 22), [we are] aware of eight organizations that have seen exploitation activity. In exploit attempts we observed on Dec. 2 and 3, the actors attempted to run PowerShell
https://unit42.paloaltonetworks.com/threat-brief-OWASSRF/
YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild
Ram Gall provides details of the in the wild exploitation of this vulnerability. Of note is the speed after disclosure it was exploited.
[We have] been tracking exploits targeting a Critical Severity Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor.
The vulnerability, reported by security researcher Dave Jong and publicly disclosed on November 22, 2022, impacts plugin versions up to and including 3.19.0 and allows unauthenticated attackers to upload executable files to WordPress sites running a vulnerable version of the plugin. This allows attackers to place a back door, obtain Remote Code Execution, and take over the site.
The majority of attacks occurred the day after the vulnerability was disclosed, but have been ongoing, with another peak on December 14, 2022.
Tooling and Techniques
Low level tooling for attack and defense researchers.
PPEditor: a Kernel-mode WinDbg extension to edit Protection Level for processes
Does what it says on the tin.
0: kd> .load C:\dev\PPEditor.dll
PPEditor - Kernel Mode WinDbg extension for Protected Process investigation.
Commands :
    + !getpps : List Protected Processes in the target system.
    + !setpps : Set Protection Level for target processes.
[*] To see command help, execute "!<Command> help" or "!<Command> /?"
https://github.com/daem0nc0re/TangledWinExec/tree/main/ProtectedProcess#ppeditor
ipyida: IPython console integration for IDA Pro
Marc-Etienne M.Léveillé brings an IPython console to IDA Pro with inbuilt Jupyter notebook support.
IPyIDA is a python-only solution to add an IPython console to IDA Pro.
IPyIDA includes a magic command, %open_notebook, to open a browser with a notebook attached to IPyIDA. The command takes care of installing dependencies on its first run and starting a Notebook server unless one is already running. Check the command help (by typing %open_notebook?) for further options.
https://github.com/eset/ipyida
ASKJoe
Building on the plethora of these integrations, here is another.
AskJoe is a tool that utilizes ChatGPT to assist researchers wanting to use Ghidra as their malware analysis tool. With its capabilities, ChatGPT highly simplifies the practice of reverse engineering, allowing researchers to better detect and mitigate threats.
https://github.com/securityjoes/ThreatResearch/
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Building a social cyber community of interest part II - further lessons from the field - a summary of the journey of building the sub reddit and stack by moi.
Technology and geopolitics with Britain’s former chief cyber negotiator - an event on Feb 20th 2023 at Jesus College Cambridge, United Kingdom
What's in a PR statement: LastPass breach explained - a rather spicy analysis
DevSecOps Agile Security Technology Pyramid v3.0 - from China - compare and contrast
29th Static Analysis Symposium - The paper Adversarial Logic was presented there - We introduce Adversarial Logic, an extension of Incorrectness Logic with an explicit Dolev-Yao adversary to statically analyze the severity of security vulnerabilities in the under-approximate setting. Adversarial logic is built on the ability to separate logical facts known to the adversary from facts solely known to the program under analysis.
Data-driven decision-making can fail to meet expectations. Decision-driven data analytics may fare better - from the MIT Sloan School of Management
Yara training - aims to explain the basics for creating Yara rules, classification and hunting
That’s all folks.. until next week..
This newsletter is produced by BinaryFirefly, it is via BinaryFirefly I support a hand picked set of organisations across investment, strategy and capability in the domain of cyber.