. It’s now the most common tool for data-theft attacks against organizations. Learn common evasion techniqu…
Malware  from twitter_favs
2 days ago by jasonquinlan
Deciphering Malware’s use of TLS (without Decryption)
1) Flow Metadata - inbound bytes, outbound bytes, inbound packets, outbound packets; the source and destination ports; and the total duration of the flow in seconds.
2) Sequence of Packet Lengths and Times - the sequence of packet lengths and packet inter-arrival times (SPLT) has been well studied [25], [39]. In our open source implementation, the SPLT elements are collected for the first 50 packets of a flow. Zero-length payloads (such as ACKs) and retransmissions are ignored. A Markov chain representation is used to model the SPLT data.
3) Byte Distribution - the byte distribution can give information about the header-to-payload ratios, the composition of the application headers, and whether any poorly implemented padding is added.
4) Unencrypted TLS Header Information - the TLS version, the ordered list of offered ciphersuites, and the list of supported TLS extensions are collected from the client hello message. The selected ciphersuite and selected TLS extensions are collected from the server hello message. The server's certificate is collected from the certificate message. The client's public key length is collected from the client key exchange message, and is the length of the RSA ciphertext or DH/ECDH public key, depending on the ciphersuite. Similar to the sequence of packet lengths and times, the sequence of record lengths, times, and types is collected from TLS sessions.
tls  malware  cisco  machinelearning  research 
3 days ago by bwiese
Bears, Kittens, and Chollimas — Thoughts on Attribution and Reporting It
Don’t lay out analysis if you’re not going to say something beyond “look at all these interesting things!”. Give me the “so-what” or get out.

True attribution can be done by organizations (usually governments) who have the authorities to clandestinely collect supporting information that can associate cyber activity with human actors.... taking weeks, months, years.

Let’s focus on analyzing and defending against adversary TTPs
olympics  malware  attribution  cybersecurity  cyberthreatintel 
4 days ago by bwiese
Microsoft’s compiler-level Spectre fix shows how hard this problem will be to solve | Ars Technica
Investigation of Microsoft's compiler changes show that much of the time, they won't fix Spectre.
The Meltdown and Spectre attacks that use processor speculative execution to leak sensitive information have resulted in a wide range of software changes to try to limit the scope for harm. Many of these are operating system-level fixes, some of which depend on processor microcode updates.
But Spectre isn't a simple attack to solve; operating system changes help a great deal, but application-level changes are also needed. Apple has talked about some of the updates it has made to the WebKit rendering engine, used in its Safari browser, but this is only a single application.
Microsoft is offering a compiler-level change for Spectre. The "Spectre" label actually covers two different attacks. The one that Microsoft's compiler is addressing, known as "variant 1," concerns checking the size of an array: before accessing the Nth element of an array, code should check that the array has at least N elements in it. Programmers using languages like C and C++ often have to write these checks explicitly. Other languages, like JavaScript and Java, perform them automatically. Either way, the test has to be done; attempts to access array members that don't exist are a whole class of bugs all on their own.
browser  bug  cpu  javascript  linux  mac  malware  meltdown_spectre  privacy  security  windows 
5 days ago by rgl7194
Stopping Olympic Destroyer: New Process Injection Insights | Endgame
sample leverages “notepad.exe” for shellcode injection

It leverages a multitude of tactics described in MITRE's ATT&CK Matrix such as the file deletion technique T1107... these noisy techniques have worked successfully within the domain of ransomware and unsurprisingly are very effective when ransom isn't your objective.

Code injection is a method wherein malware can write to the memory of another running process, copying new code into the other process's memory and executing it as that process with that process's privileges. This allows the malware to execute stealthily in the address space of that process, often evading security products. In the case of the main executable, it gains the ability to do this by using privileges that it already found and new ones attained through lateral movement to write to notepad.exe on infected hosts.
olympics  malware  analysis  endgame 
5 days ago by bwiese
Cisco's Talos Intelligence Group Blog: Olympic Destroyer Takes Aim At Winter Olympics
perform only destructive functionality. There does not appear to be any exfiltration of data. Analysis shows that actors are again favouring legitimate pieces of software as PsExec functionality is identified within the sample... aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI, VBscript to further move through the environment. Also witnessed previously with BadRabbit and Nyetya.

custom binaries - malware dynamically updates this list after using the password stealers. A new version of the binary is generated with the newly discovered credentials. This new binary will be used on the new infected systems via the propagation. This feature explains why we discovered several samples with different sets of credentials that were collected from previously infected systems.

Collect local creds from browsers & system LSASS
Arp check and ds scan for lateral movement

drops legit MS signed copy of psexec.exe

cmd.exe, vssadmin.exe (delete shadow copies), wbadmin.exe (delete backups), (boot config), wevtutil.exe (clear System & Security logs)

deletes writeable files from shares

Disruption of services included the Olympic website being offline, meaning individuals could not print their tickets... wifi was down.
olympics  malware  analysis  snort  cisco  talos 
5 days ago by bwiese
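The two Olympic Destroyer bookmarks above list the built-in Windows tools the sample drives from cmd.exe: vssadmin.exe to delete shadow copies, wbadmin.exe to delete backups, wevtutil.exe to clear the System and Security logs, and a dropped signed psexec.exe for movement. Because those are legitimate binaries, the detection has to key on their command lines and on the combination of techniques on one host rather than on any single process. The following is an added example, not code from Endgame or Talos: a small rule set run over constructed process-creation events (host, parent image, image, command line; not real telemetry) that flags hosts where several of these destructive actions co-occur. The ATT&CK IDs in the comments are the current Inhibit System Recovery and Clear Windows Event Logs techniques; the field layout and the threshold of two techniques are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (host, parent_image, image, command_line).
# WS01 mimics the destructive sequence the Talos write-up describes; WS02 is an
# admin running a harmless vssadmin query plus one PsExec service start.
SAMPLE_EVENTS = [
    ("WS01", "explorer.exe", "winword.exe", "winword.exe report.docx"),
    ("WS01", "cmd.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("WS01", "cmd.exe", "wbadmin.exe", "wbadmin.exe delete catalog -quiet"),
    ("WS01", "cmd.exe", "wevtutil.exe", "wevtutil.exe cl System"),
    ("WS01", "cmd.exe", "wevtutil.exe", "wevtutil.exe cl Security"),
    ("WS02", "backupagent.exe", "vssadmin.exe", "vssadmin.exe list shadows"),
    ("WS02", "services.exe", "PSEXESVC.exe", "PSEXESVC.exe"),
]

# Command-line patterns for the tools named in the excerpt. The subcommands are the
# tools' real syntax; matching is case-insensitive because Windows paths are.
RULES = {
    # T1490 Inhibit System Recovery: shadow copies removed
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    # T1490 Inhibit System Recovery: backup catalog / system state backups removed
    "backup_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I),
    # T1070.001 Clear Windows Event Logs: only System and Security are cleared by the sample
    "event_log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+cl\s+(system|security)\b", re.I),
    # PsExec installs and starts PSEXESVC on the target when used for lateral movement
    "psexec_service": re.compile(r"\bpsexesvc\.exe\b", re.I),
}


def match_rules(event):
    """Names of every rule whose pattern matches the event's command line."""
    _host, _parent, _image, cmdline = event
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def techniques_per_host(events):
    """Map host -> set of distinct rule names observed on it."""
    seen = defaultdict(set)
    for event in events:
        for name in match_rules(event):
            seen[event[0]].add(name)
    return seen


def destructive_hosts(events, threshold=2):
    """Hosts with at least `threshold` distinct destructive techniques.

    A lone vssadmin or wevtutil invocation is routine administration; shadow copy
    removal, backup deletion and log clearing together in a short window on one
    host is the wiper pattern the excerpt describes. The threshold is an assumption
    to tune against the environment's own admin activity."""
    return {host: sorted(names)
            for host, names in techniques_per_host(events).items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for host, names in destructive_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

In production the same logic would read Sysmon event 1 or Security event 4688 records with command-line auditing enabled; without command-line capture, the `vssadmin list shadows` and `vssadmin delete shadows` events on WS02 and WS01 are indistinguishable, which is exactly why the rules key on the full command line.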
File and IP malware scanner
malware  scanners  security 
6 days ago by angusm