Bluepurple Pulse: week ending June 12th
Vulnerabilities get quick flipped..
Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading).
Operationally this week it has been around Confluence exploitation (the subreddit ran one of our live threads collating open source). Interestingly this is the first time the Dutch government used some of their new powers to notify the owners of 15,000 vulnerable instances. Then there was the ongoing surge of interest in URI and default file handlers on Microsoft Windows (detailed reporting below). Then there was the disclosure that Click Studios had their code signing certificate for PasswordState misused because they shipped it in an installation bundle.
In the high-level this week:
Washington Post article - Opinion The U.S.-Russia conflict is heating up - in cyberspace - seems like grey zone is going to be the cause of much study.
Russia also retorted with Russia says West risks 'direct military clash' over cyber attacks
Royal Hansen from Google (an ex manager of mine several lifetimes ago) has outlined How Congress’ anti-tech bill undermines security in their view.
Annita Larissa Sciacovelli, Professor of International law, Cybersecurity Specialist, University of Bari, released her analysis of the Italian Cyber Security strategy which we discussed a little while back
A little bit of legal analysis this week shows the difference between how international law and cyber is interpreted - “Offensive Cyber Ops including active intel is a US approach, one that has seeped into NATO doctrine (e.g. AJP-3.20). But UK MoD publications often have a different perspective that carves out intelligence activities from OCOs.”
Article on how Israel is pushing the U.S. to remove NSO from blacklist - obviously hurting revenue/growth and thus lobbying going brrrr..
US Department of Justice announced SSNDOB Marketplace, A Series Of Websites That Listed More Than 20 Million Social Security Numbers For Sale, Seized And Dismantled In International Operation
Microsoft Digital Crimes Unit took legal action to disrupt a spear-phishing operation linked to Bohrium, a threat actor from Iran - they seized a load of Internet domains
NSA, CISA, and FBI Expose Chinese State-Sponsored Exploitation of Network Providers, Devices - primarily known vulnerabilities exploited at scale.
The Whitehouse announced the US’s nominee of Nate Fick, Nominee for Ambassador at Large for Cyberspace and Digital Policy
We’ve written an IETF document on Indicators of Compromise, and we’d like you to review it.
The Internet Engineering Task Force (IETF) is a standards body that designs major internet protocols (like TLS, DNS-over-HTTPS, QUIC etc.). In our draft standard, we outline what Indicators of Compromise (IoCs) are, and their use in cyber defence. It shows the benefits of different types of IoC and illustrates their use in two case studies. The draft highlights this valuable technique, not currently considered by protocol designers, but greatly impacted by protocol design. We want to provide a resource to allow protocol designers to consider the impact on IoCs when designing protocols.
This draft has now been adopted by the IETF’s Operational Security (OPSEC) Working Group as a document they want to work on. In order to move the document forward, we need people to review the draft. This is to make sure it has had appropriate scrutiny before it can get consensus and be published as an IETF standard. As a group of people with relevant expertise, we would really appreciate it if you were able to review the draft. It would be great for any reviews to be posted on the OPSEC mailing list, but this is not the only way to contribute. Do reach out to any of the draft authors if you’re interested in reviewing it, or would like some more information on the draft and how it fits into the IETF.
Have a lovely Friday
Ollie
Cyber threat intelligence
Who is doing what to whom and how.
People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices
Technical reporting on the Chinese state actor where the US Government basically says patch. The trend of threat actors such as China, Iran etc. quick flipping vulnerabilities and exploiting at scale should not be expected to subside.
Entities can mitigate the vulnerabilities listed in this advisory by applying the available patches to their systems, replacing end-of-life infrastructure, and implementing a centralized patch management program.
https://www.cisa.gov/uscert/ncas/alerts/aa22-158a
Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat
Two bits of reporting on this threat by Joakim Kennedy and others. After BPFDoor we can expect more researcher/threat intelligence analyst interest in Linux targeted capability. Expect more reporting and more sophisticated discoveries. I’m not sure I would agree with the headline here of ‘nearly impossible’. The fact it uses LD_PRELOAD means there are environment variables which may stick out with fleet-scale observability.
Symbiote is very stealthy. The malware is designed to be loaded by the linker via the LD_PRELOAD directive.
Symbiote also has functionality to hide network activity on the infected machine. It uses three different methods to accomplish this. The first method involves hooking fopen and fopen64. If the calling application tries to open /proc/net/tcp, the malware creates a temp file and copies the first line to that file. After that, it scans each line for the presence of specific ports. If the malware finds a port it’s searching for on a line it’s scanning, it skips to the next line. Otherwise, the line is written to the temp file. Once the original file has been completely processed, the malware closes the file and returns the file descriptor of the temp file back to the caller.
https://www.intezer.com/blog/research/new-linux-threat-symbiote/
https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat
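The two detection angles mentioned above (LD_PRELOAD sticking out in process environments, and the fopen hook filtering lines out of /proc/net/tcp) as an added example; this is not code from the Intezer or BlackBerry reports, and the sample /proc/net/tcp views, the environ bytes and the library path in them are constructed. The cross-view check assumes you can obtain a trusted copy of /proc/net/tcp some other way (for example from a statically linked helper that the preloaded library cannot hook).

```python
"""Cross-view checks for LD_PRELOAD userland rootkits of the Symbiote kind.

Added example, not code from the reports above.  Two checks:
  1. compare a trusted view of /proc/net/tcp with the in-process view and
     report sockets that were filtered out (what a fopen/fopen64 hook that
     drops lines for chosen ports produces);
  2. parse /proc/<pid>/environ for LD_PRELOAD.
All sample data below is constructed.
"""
import os
from typing import Dict, List, Set


def parse_proc_net_tcp(text: str) -> Dict[str, int]:
    """Return {inode: local_port} for every socket line in /proc/net/tcp text."""
    entries: Dict[str, int] = {}
    for line in text.splitlines()[1:]:            # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        # local_address is hex "IP:PORT", e.g. "00000000:0016" -> port 22
        port = int(fields[1].rsplit(":", 1)[1], 16)
        entries[fields[9]] = port                 # fields[9] is the inode
    return entries


def hidden_sockets(trusted_view: str, inprocess_view: str) -> Set[int]:
    """Ports present in the trusted view but missing from the in-process one."""
    trusted = parse_proc_net_tcp(trusted_view)
    seen = parse_proc_net_tcp(inprocess_view)
    return {port for inode, port in trusted.items() if inode not in seen}


def ld_preload_from_environ(environ: bytes) -> List[str]:
    """Extract LD_PRELOAD entries from raw NUL-separated /proc/<pid>/environ."""
    for item in environ.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            value = item[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in value.replace(":", " ").split() if p]
    return []


def processes_with_ld_preload(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk /proc and report pids whose environment sets LD_PRELOAD."""
    hits: Dict[int, List[str]] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                libs = ld_preload_from_environ(fh.read())
        except OSError:
            continue                              # kernel threads, permissions
        if libs:
            hits[int(name)] = libs
    return hits


# Constructed sample: trusted view shows sshd on 22 and a listener on 8443;
# the in-process view has had the 8443 line filtered out by a hook.
TRUSTED_VIEW = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 00000000:20FB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0\n"
)
INPROCESS_VIEW = "\n".join(TRUSTED_VIEW.splitlines()[:2]) + "\n"
# Constructed environ; the library path is a placeholder, not a real artefact.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/libexample_hook.so\0HOME=/root\0"

if __name__ == "__main__":
    print("hidden ports:", hidden_sockets(TRUSTED_VIEW, INPROCESS_VIEW))
    print("LD_PRELOAD in sample environ:", ld_preload_from_environ(SAMPLE_ENVIRON))
    if os.path.isdir("/proc"):
        print("live processes with LD_PRELOAD:", processes_with_ld_preload())
```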
Shining the Light on Black Basta
Ross Inman and Peter Gurney from NCC Group walk through some of the tradecraft of this criminal threat actor.
Lateral movement through use of Qakbot.
Gathering internal IP addresses of all hosts on the network.
Disabling Windows Defender.
Deleting Veeam backups from Hyper-V servers.
Use of WMI to push out the ransomware.
Technical analysis of the ransomware executable.
https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
Phishing tactics: how a threat actor stole 1M credentials in 4 months
A content led marketing post, but the scale of the campaign is the thing of note. The beautiful aspect is the way the researchers turned the threat actor’s traffic monitoring solution back on them to gain the insight.
Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years
Joey Chen outs a Chinese regional campaign, however it is unclear how recent any of it is. There are references such as “From 2018 to present, this actor has also been observed using a fake removable device as an initial infection vector” but nothing more specific. The use of a fake removable device as an infection vector is novel for sure..
Aoqin Dragon, a threat actor [we have] been extensively tracking, has operated since 2013 targeting government, education, and telecommunication organizations in Southeast Asia and Australia.
Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices.
Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.
Based on our analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, we assess with moderate confidence the threat actor is a small Chinese-speaking team with potential association to UNC94 (Mandiant).
Bumblebee Loader Linked to Conti and Used In Quantum Locker Attacks
Good insight here from George Glass into the initial access vector. Use of .iso files (again) and some social engineering.
During our investigation of the Quantum Locker ransomware case, we observed a BumbleBee payload delivered via an .iso file downloaded from a Google storage service. The phishing lure was delivered via a web site contact form in which the threat actors, purporting to be a third party claiming the victim organization had infringed their copyrighted materials—a tactic we have seen used by actors to deliver IcedID previously.
APT-C-55 Kimsuky Organization's Recent BabyShark Component Disclosure
Chinese reporting on North Korean activity, the thing of real note is the use of Microsoft OneDrive for distribution. This is good as it will enable MSFT to both understand and disrupt the threat.
In the first half of 2022, [we] discovered multiple attack activities of this component from the Kimsuky organization
Andariel Group, active only in Korea, for the past two years
South Korean reporting on North Korean activity which uses a number of initial access vectors to compromise their victims. Interesting that ActiveX still works for them in the watering hole scenario.
The Andariel group is a threat group operating in South Korea since 2008 and is suspected to be supported by North Korea, and is presumed to be a cooperative or subgroup of the Lazarus group.
The Andariel Group's target of attack is South Korea, and the target fields are mainly defense, defense industry, communications, and security-related places such as energy.
Operation (काराकोरम) Tejas: A dying elephant curled up in the Kunlun Mountains
Chinese reporting on Indian activity which includes maldocs and ancient vulnerabilities i.e. CVE-2018-0798.
Anti-sandbox and enterprise-targeted attacks identified by CHM malware
Chinese reporting on Korean activity using CHM files with the novelty that they are trying to detect sandboxes before they do the later activity. This includes (cleverly) looking at the number of files in the TEMP folder. Proof of life for a real computer if you will.
First, the CHM type to which the anti-sandbox technique is applied scans the user's PC environment before dropping the malicious VBE file. The HTML code included in the malicious CHM file is as follows, and the HTML performs the function of creating a normal program (EXE) and a malicious DLL file and then executing it. Malicious DLLs created through the DLL hijacking technique are loaded, and actual malicious actions are performed by the DLLs.
https://asec.ahnlab.com/ko/35072/
Exposing POLONIUM activity and infrastructure targeting Israeli organizations
The value of cloud showing itself again around threat intelligence by allowing at-scale disruption with the press of an enter key.
[We] successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM. The associated indicators and tactics were used by the OneDrive team to improve detection of attack activity and disable offending actor accounts. To further address this abuse, Microsoft has suspended more than 20 malicious OneDrive applications created by POLONIUM actors, notified affected organizations, and deployed a series of security intelligence updates that will quarantine tools developed by POLONIUM operators. Our goal with this blog is to help deter future activity by exposing and sharing the POLONIUM tactics with the community at large.
MSTIC assesses with high confidence that POLONIUM represents an operational group based in Lebanon. We also assess with moderate confidence that the observed activity was coordinated with other actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques.
Analysis of the Massive NDSW/NDSX Malware Campaign
Denis Sinegubko documents a significant campaign which is using WordPress and numerous vectors to get a foothold. This builds on the reporting from April titled ‘Parrot TDS takes over web servers and threatens millions’.
At the time of writing, this “ndsw” campaign is still active. During the first 5 months of 2022, SiteCheck has detected more than 11,000 infected websites — and we’ve already cleaned over 2,900 PHP and 1.64 million JavaScript files related to this malware campaign this year.
https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html
Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques
Don Ovid Ladores outlines what feels like a plot from Point Break where the criminals holiday using their ill-gotten gains. Looks like they are targeting in part database and e-mail servers.
Cuba ransomware is a malware family that has been seasonally detected since it was first observed in February 2020. It resurfaced in November 2021 based on the FBI’s official notice, and has reportedly attacked 49 organizations in five critical infrastructure sectors, amassing at least US$ 43.9 million in ransom payments.
We observed Cuba ransomware’s resurgence in March and April this year. Our monitoring showed that the malware authors seem to be pushing some updates to the current binary of a new variant.
SVCReady: A New Loader Gets Ready
Patrick Schläpfer documents a novel maldoc trying to avoid some of the tooling such as the OLE extraction etc. used by analysts.
Since the end of April 2022, we have observed new malicious spam campaigns spreading a previously unknown malware family called SVCReady. The malware is notable for the unusual way it is delivered to target PCs – using shellcode hidden in the properties of Microsoft Office documents – and because it is likely in an early stage of development, given that its authors updated the malware several times in May. In this report, we share a closer look at the infection chain of the new SVCReady campaigns, the malware’s features, its changes over time, and possible links with TA551.
https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
Will the Real Msiexec Please Stand Up? Exploit Leads to Data Exfiltration
The DFIR Report doing what they do best by providing exquisite insight into end-to-end compromises. No massive surprises but our friends do release rich indicators including Yara etc.
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP and exfiltrated sensitive information using the web shell and RDP.
SMSFactory Android Trojan producing high costs for victims
Jakub Vávra documents a mobile focused campaign using annoyance to get installed at scale. It appears to be working with the vendor detecting 165,000 installs.
Avast has been tracking a wide-spread malware campaign consisting of TrojanSMS malware, which we are calling SMSFactory. SMSFactory sneakily siphons money from victims around the world, including Russia, Brazil, Argentina, Turkey, Ukraine, US, France and Spain, among others, by sending premium SMS and making calls to premium-rate phone numbers.
Undetected, it can rack up a high phone bill, up to $7 per week or $336 per year.
The malware is spreading through malvertising, push notifications, and alerts displayed on sites offering game hacks, adult content, or free video streaming sites, serving the malware disguised as an app in which users can access gaming, videos, or adult content. Once installed, the malware hides itself, making it nearly impossible for victims to detect what is causing the charges on their phone bills.
https://blog.avast.com/smsfactory-android-trojan?s=09
Closing the Door DeadBolt Ransomware Locks Out Vendors With Multitiered Extortion Scheme
Ransomware at scale targeting Network Attached Storage. They have been able to pivot across vendors and the numbers are growing too..
The DeadBolt ransomware kicked off 2022 with a slew of attacks that targeted internet-facing Network-Attached Storage (NAS) devices. It was first seen targeting QNAP Systems, Inc. in January 2022. According to a report from attack surface solutions provider Censys.io, as of Jan. 26, 2022, out of 130,000 QNAP NAS devices that were potential targets, 4,988 services showed signs of a DeadBolt infection. A few weeks later, ASUSTOR, another NAS devices and video surveillance solutions vendor, also experienced DeadBolt ransomware attacks that targeted an unknown number of its devices. In March, DeadBolt attackers once again targeted QNAP devices; according to Censys.io, the number of infections reached 1,146 by March 19, 2022. Most recently, on May 19, 2022, QNAP released a product security update stating that internet-connected QNAP devices were once again targeted by DeadBolt, this time aiming at NAS devices using QTS 4.3.6 and QTS 4.4.1.
Discovery
How we find and understand the latent compromises within our environments.
Guided Hunting Notebook: Azure Resource Explorer
Jannie Li provides a work aid to SOCs responsible for Azure environments. The weight of engineering does really allow SOCs to add the 10% of value without being bogged down getting stuff to work.
The Guided Hunting: Azure Resource Explorer notebook will allow you to take advantage of the new Azure Resource API and visualize all the resources in your subscription. It will also provide general contextual TI info about your resources of interest to help you recognize unusual behaviours.
PiRogue tool suite - Mobile forensic & Network traffic analysis
Esther Onfroy gives us tooling to help detect the likes of Pegasus etc.
PiRogue tool suite (PTS) is an open-source tool suite that provides a comprehensive mobile forensic and network traffic analysis platform targeting mobile devices both Android and iOS, internet of things devices (devices that are connected to the user mobile apps), and in general any device using wi-fi to connect to the Internet.
https://piroguetoolsuite.github.io/
AnoMark: Statistical learning algorithm to create a model on the command lines of "Process Creation" events, in order to detect anomalies in future events
French Government in the guise of ANSSI drop some of their data science to help detect suspicious process command lines on Windows.
This algorithm is a Machine Learning one, using Natural Language Processing (NLP) techniques based on Markov Chains and n-grams. It offers a way to train a theoretical model on command lines datasets considered as clean. Once done it is able to detect malicious command lines on other datasets.
https://github.com/ANSSI-FR/AnoMark?s=09
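The approach described above (a Markov chain over n-grams, trained on command lines assumed clean, then used to score new ones) as an added example; this is not ANSSI’s code and every command line below is constructed. It uses character trigrams with add-k smoothing, and the threshold is something you would pick from the score distribution of your own clean corpus.

```python
"""Character n-gram Markov model for command-line anomaly scoring.

Added example illustrating the technique AnoMark describes (a Markov chain
over n-grams trained on "Process Creation" command lines assumed clean);
it is not ANSSI's code, and every command line below is constructed.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

BOS, EOS = "\x02", "\x03"   # sentinels for start and end of a command line


class NGramMarkov:
    """Order-(n-1) character Markov chain with add-k smoothing."""

    def __init__(self, n: int = 3, k: float = 0.1) -> None:
        self.n, self.k = n, k
        self.counts: Dict[str, Counter] = defaultdict(Counter)
        self.alphabet = {EOS}

    def _transitions(self, line: str) -> Iterable[Tuple[str, str]]:
        padded = BOS * (self.n - 1) + line + EOS
        for i in range(self.n - 1, len(padded)):
            yield padded[i - self.n + 1:i], padded[i]

    def fit(self, lines: Iterable[str]) -> "NGramMarkov":
        """Count context -> next-character transitions over the clean corpus."""
        for line in lines:
            self.alphabet.update(line)
            for ctx, ch in self._transitions(line):
                self.counts[ctx][ch] += 1
        return self

    def score(self, line: str) -> float:
        """Mean negative log-probability per character; higher means rarer."""
        vocab = len(self.alphabet) + 1            # +1 budget for unseen chars
        nll, steps = 0.0, 0
        for ctx, ch in self._transitions(line):
            c = self.counts.get(ctx, Counter())
            p = (c[ch] + self.k) / (sum(c.values()) + self.k * vocab)
            nll -= math.log(p)
            steps += 1
        return nll / max(steps, 1)


def rank(model: NGramMarkov, lines: Iterable[str]) -> List[Tuple[float, str]]:
    """Return (score, line) pairs, most anomalous first."""
    return sorted(((model.score(l), l) for l in lines), reverse=True)


def flag(model: NGramMarkov, lines: Iterable[str], threshold: float) -> List[str]:
    """Lines whose score exceeds a threshold chosen on the clean corpus."""
    return [l for l in lines if model.score(l) > threshold]


# Constructed "clean" training set of Windows process-creation command lines.
CLEAN = [
    r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
    r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp",
    r"C:\Windows\System32\svchost.exe -k NetworkService -p -s Dnscache",
    r"C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService",
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process',
    r"C:\Windows\System32\conhost.exe 0xffffffff -ForceV1",
    r"C:\Windows\System32\taskhostw.exe",
    r"C:\Windows\System32\SearchIndexer.exe /Embedding",
    r"C:\Windows\explorer.exe",
]
# Held-out lines: one ordinary, one constructed to look unlike the corpus.
NORMAL = r"C:\Windows\System32\svchost.exe -k LocalService -p -s EventSystem"
ODD = r"C:\Users\Public\q.exe -h 198.51.100.7:8443 -i 60 -u aGVsbG8gd29ybGQ="

if __name__ == "__main__":
    m = NGramMarkov().fit(CLEAN)
    for s, l in rank(m, [NORMAL, ODD]):
        print(f"{s:5.2f}  {l}")
```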
Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor
Yuval Zan and Chen Evgi show further value of data science being applied at fleet (or global) scale to discover anomalous DLL side loading.
Using these new detectors, we found what seems to be an industrial espionage attack. The observed activity includes performing a specially crafted DLL hijacking attack used by a previously unknown piece of malware that we dubbed "Popping Eagle" due to several artifacts found in the samples. It also includes a second stage malicious tool written in Go dubbed "Going Eagle." In this particular case, we observed the attacker following this by performing several network scans and lateral movement steps.
https://unit42.paloaltonetworks.com/popping-eagle-malware/
Defence
How we proactively defend our environments.
Improved Detection and Response via Optimized Alerts: Usability Study
Griffith Russell McRee brings science to cyber defence alerting. Interesting that visualised alerts lead to increased acceptance by analysts.
This quantitative, quasi-experimental, explanatory study determined that security analysts perceive improved usability of security alert output that is visualized rather than text-based. The related hypothesis tested for significant differences in the level of acceptance of output between those affirming a maximum visual preference (three out of three scenarios) and those showing a preference for text in at least one scenario. The results determined that those showing maximum visual preference had a significantly higher acceptance of alert output (U = 863.5, p = 0.023).
https://www.mdpi.com/2624-800X/2/2/20
Offense
Attack capability, techniques and tradecraft.
npm Package Hijacking
Two bits of reporting here on this threat.
Npm Package Hijacking Through Domain Takeover: How Bad is this “New” Attack?
The problem is vast..
In this post we will present a more severe case of lack of maintenance, where one of the user accounts assigned to a project (in our case, npm package) becomes “hijackable” due to the account’s email domain expiring. This is not a new attack technique by any means, but it does seem to be the first time where a large public discussion is held with regards to this attack on the npm registry.
https://jfrog.com/blog/npm-package-hijacking-through-domain-takeover-how-bad-is-this-new-attack/
npmdomainchecker: Checks all maintainers of all NPM packages for hijackable domains
The offensive capability arrives allowing mass exploitation. It will be interesting to see the mitigation that this and other software/container etc. registries implement.
This tool checks every maintainer from every package in the NPM registry for unregistered domains or unregistered MX records on those domains. If a domain is unregistered you can grab the domain and initiate a password reset on the account if it has no 2 factor auth enabled. This enables you to hijack a package and do whatever you want with it.
https://github.com/firefart/npmdomainchecker
Zinsider: instant md5 collisions of pairs of zip+xml files
Ange Albertini shows how to create MD5 collisions for the container formats used by Microsoft Office, epub and numerous other applications. Lesson here is don’t use allowed lists based on MD5 in 2022.
https://github.com/decalage2/collisions/blob/master/scripts/zinsider.py
Nidhogg: an all-in-one simple to use rootkit for red teams.
Another Windows rootkit to contend with when consumed and reused by bad actors.
Nidhogg is a multi-functional rootkit for red teams. The goal of Nidhogg is to provide an all-in-one and easy to use rootkit with multiple helpful functionalities for red team engagements that can be integrated with your own C2 framework via single header file with simple usage
Nidhogg can work on any version of Windows 10 and Windows 11.
https://github.com/Idov31/Nidhogg
Vulnerability
Our attack surface.
Over 3.6 million exposed MySQL servers on IPv4 and IPv6
Not sure exposing database servers is a hot idea in 2022 due to all the obvious password spraying, misconfiguration and patching challenges with managing that attack surface. Despite that some appear to think it is OK.
We recently began scanning for accessible MySQL server instances on port 3306/TCP. These are instances that respond to our MySQL connection request with a Server Greeting. Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well (though mostly associated with a single Autonomous System).
IPv4 and IPv6 scans together uncover 3.6M accessible MySQL servers worldwide
https://www.shadowserver.org/news/over-3-6m-exposed-mysql-servers-on-ipv4-and-ipv6/
FUJITSU CentricStor Control Center <= V8.1 – Unauthenticated Command Injection
Luke Paris from NCC Group’s BENELUX team (Fox-IT) found a pre-auth code exec on a backup solution from Fujitsu. In a world of criminal actors deleting backups, if you run the technology you likely want to patch.
On the 6th of April 2022, NCC Group’s Fox-IT discovered two separate flaws in FUJITSU CentricStor Control Center V8.1 which allow an attacker to gain remote code execution on the appliance without prior authentication or authorization.
The vulnerability is caused due to a lack of user input validation in two PHP scripts, which are normally included post-authentication. As no include-guards are in-place, an attacker is able to trigger the script without prior authentication by calling it directly.
Backdoor account in Korenix Technology JetPort Series
Yes, really..
Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions
Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation
The device series JetPort from Korenix Technology has a built-in backdoor account
GitLab Critical Security Release: 15.0.1, 14.10.4, and 14.9.5
When Single Sign On doesn’t save you. Bravo to Gitlab issuing an advisory for an internally discovered issue. Also note this release includes various patches to allow list bypasses.
An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account.
https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
Illumina Local Run Manager
Vulnerabilities in genetic analysis devices, I’m sure certain countries would never go after these. No material details as to the underlying root cause though.
Successful exploitation of these vulnerabilities may allow an unauthenticated malicious actor to take control of the affected product remotely and take any action at the operating system level.
https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-02
Exploitation
What is being exploited.
CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) RCE Vulnerability
Aggregate reporting on this issue
Outbreak of Follina in Australia
So China quick flipped it and used it with a stolen or otherwise illegally obtained code signing certificate.
This threat was a complex multi-stage operation utilizing LOLBAS (Living off the Land Binaries And Scripts), which allowed the attacker to initialize the attack using the CVE-2022-30190 vulnerability within the Microsoft Support Diagnostic Tool. This vulnerability enables threat actors to run malicious code without the user downloading an executable to their machine which might be detected by endpoint detection. Multiple stages of this malware were signed with a legitimate company certificate to add additional legitimacy and minimize the chance of detection.
https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/
Same threat discussed here:
Multiple attackers are using a variety of payloads at the end of successful exploitation. In one of the instances, [we] observed the attackers deploying the remote access Trojan AsyncRAT, which had a valid digital signature.
Ben then attributed this to Chinese state activity.
CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) RCE Vulnerability “Follina”
Attacks also seen against Saudi Arabia.
One of the real-world attacks that leverage CVE-2022-30190 is a Microsoft Word file submitted to VirusTotal from Saudi Arabia on June 1st
https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day
TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)
Brad Duncan shows organised crime use of the vulnerability
https://isc.sans.edu/diary/rss/28728
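A triage check for the Word lures described in the Follina reporting above, as an added example (not code from Avast, Fortinet or SANS ISC): a .docx is a zip, so the script opens the relationship parts under word/_rels and flags any relationship marked external, any external OLE object, and any ms-msdt: URI anywhere in the package. The two sample documents are constructed in memory and the URL in the lure sample is a placeholder.

```python
"""Triage check for Word documents abusing ms-msdt (CVE-2022-30190 "Follina").

Added example, not code from the reports above.  The relationship parts of a
.docx declare where embedded objects come from; an object marked
TargetMode="External", or any ms-msdt: URI, is enough reason to quarantine
the file for analysis.  The sample documents below are constructed.
"""
import io
import re
import zipfile
from typing import Dict, List
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Every relationship with TargetMode=External under word/_rels/."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    findings.append({"part": name,
                                     "type": rel.get("Type", ""),
                                     "target": rel.get("Target", "")})
    return findings


def follina_indicators(docx_bytes: bytes) -> List[str]:
    """Reasons to quarantine the document; an empty list means nothing found."""
    reasons: List[str] = []
    for rel in external_relationships(docx_bytes):
        if rel["type"] == OLE_REL:
            reasons.append(f"external OLE object in {rel['part']} -> {rel['target']}")
        if MSDT_RE.search(rel["target"]):
            reasons.append(f"ms-msdt URI in {rel['part']}")
    # The scheme can also be hidden in other XML parts, so scan them as text.
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".xml") and MSDT_RE.search(
                    zf.read(name).decode("utf-8", "replace")):
                reasons.append(f"ms-msdt reference inside {name}")
    return reasons


def build_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx carrying the given document relationships."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed benign relationships: only an internal styles part.
BENIGN_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
</Relationships>"""

# Constructed lure shape: an OLE object fetched from an external (placeholder) URL.
LURE_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId5" Type="{OLE_REL}" Target="http://example.invalid/stage.html" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("lure", LURE_RELS)):
        print(label, follina_indicators(build_docx(rels)) or "clean")
```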
Beyond this there were other vulnerabilities also discovered, such as DogWalk.
Unsecured elasticsearch data replaced with ransom note
GDPR nightmare.. where there is blame there is a claim.
[We] identified over 1,200 Elasticsearch databases that contained the ransom note. It is not possible to determine the actual number of victims because the vast majority of the databases were hosted on networks operated by cloud computing providers. It is likely that some databases belong to the same organization, but identifying specific victims was not possible in most cases.
https://www.secureworks.com/blog/unsecured-elasticsearch-data-replaced-with-ransom-note
Tooling and Techniques
Low level tooling which can be applied to attack and defence.
HyperDbg
HyperDbg debugger is an open-source, user-mode, and kernel-mode debugger focusing on using hardware technologies to provide new features to the debuggers’ world - ensure you can subvert anti debug in style
ttddbg - Time Travel Debugging IDA plugin
This plugin adds a new debugger to IDA which supports loading Time Travel Debugging traces generated using WinDBG Preview.
https://github.com/airbus-cert/ttddbg
Introducing Fuzz Introspector, a tool to Improve Fuzzing Coverage
Currently, Fuzz Introspector supports C/C++ projects. For each project, Fuzz Introspector provides:
a detailed overview of all functions in the projects, including their coverage, reachability and complexity;
a statically extracted call-tree overview overlayed with runtime coverage information for each fuzz target along with a blocker table to pinpoint roadblocks for each fuzz target;
a list of suggested optimal fuzz targets that can be added to increase coverage.
Footnotes
Some other small bits and bobs which might be of interest.
NIST SP 800-160 Vol. 1 Rev. 1 (Draft), Engineering Trustworthy Secure Systems
Introducing CyberFI: Perspectives on Cybersecurity, Capacity Development, and Financial Inclusion in Africa
Criminal Proxies Offer ‘Perfect Cover’ for Russian Cyber Offensive
R4IoT: a proof of concept for next-generation ransomware that exploits IoT devices for initial access, targets IT devices to deploy ransomware and cryptominers, and leverages poor OT security practices to cause physical disruption to business operations
Information on RFC 9230 - This document describes a protocol that allows clients to hide their IP addresses from DNS resolvers via proxying encrypted DNS over HTTPS (DoH) messages - this feels instinctively bad from a cyber defence perspective.
Your humour this week from Jaco.. new security analyst on the job… it will be fun they said…
That’s all folks.. until next week..