Building your own DFIR/Malware/RE VM is great and all, but this last week or so I decided I had got tired of wasting a lot of time and energy trying to figure out which tools you should install for such activities, especially when you have limited experience of which tool is actually useful and which of the multiple ones available is actually best at what task, and there are also lots of tools I know of for various things that I haven't had the chance or time to use or learn properly yet.
So to save myself both time and energy in the future, I decided it was time to just set up a couple of VMs with the DFIR/Malware/RE equivalent of "Kali Linux", which is the "SANS SIFT Workstation", and then added "REMnux" to it as well, so that I have one VM with both SIFT and REMnux. Every time I get something I want to look into, I can just throw it in the box and start working on it instead of wasting a lot of time on stuff not related to actually learning and analysing.
But wait, sometimes I need to look at things for Windows systems, and some tools are only available on Windows. Ah, that's right, FireEye has Flare VM, that will do, let me just throw it all on a Win7 VM. Yeah, about that: while in the end I managed to get everything set up correctly, it's a bloody pain, as I had to download so many different files and read up on so much MS documentation on how to get things working correctly that it was a royal pain. I guess I should maybe have gone for Win10, but then again, it's so bloody noisy and an entirely different set of problems to deal with, so I'm not sure it would have been much less annoying, just a different kind of annoying.
~Kazu
NEWS:
BlackMatter now requires victims to verify themselves to chat
Kazu: Even the bad guys can get fed up with getting their chat hijacked, and BlackMatter clearly got so fed up with it that they decided to start requiring companies to verify with session keys to avoid their chat getting hijacked.
REvil Affiliates Confirm: Leadership Were Cheating Dirtbags
https://threatpost.com/revil-affiliates-leadership-cheated-ransom-payments/174972/
Kazu: Included this one because I found it funny. Ransomware and other criminal activity in the digital world have gotten to the point that more often than not it's all a big organization with proper departments for various things: support, affiliate programs and everything else you expect from a proper financially motivated business, including leadership troubles, and in this case REvil seems to have a few particularly bad eggs amongst the bad eggs.
RCE Vulnerability found in MacOS Finder
https://ssd-disclosure.com/ssd-advisory-macos-finder-rce/
Kazu: Someone has found a new MacOS Finder RCE which they reported to Apple, which in typical Apple fashion silently "patched" it without giving it a CVE, but even after the patch it is still vulnerable if you just mangle the value a bit, which was also reported to Apple, with no current response from them regarding the matter.
Microsoft Exchange Autodiscover bug leaks hundreds of thousands of domain credentials
Kazu: Oh look, another data leak where misconfigurations, bugs and domain names are involved. This time it's thousands of domains' credentials that got leaked due to how Microsoft Exchange works, so that's nice.
CISA-Alert: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus
https://us-cert.cisa.gov/ncas/alerts/aa21-259a
Kazu: Remember that ADSelfService vulnerability discovered some time ago? Well, it's being actively exploited by various APTs out there, and CISA has even gone as far as releasing an alert about it, so I would strongly suggest getting around to patching it ASAP before it gets worse.
Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program
https://habr.com/en/post/579714/
Kazu: 3 new 0-day vulnerabilities have been discovered in iOS and, as usual, Apple seems to be anything but in a hurry to fix them.
#OMIGOD Exploits Captured in the Wild.
Kazu: You remember that OMIGOD vulnerability found not long ago, affecting the OMI service that is running on your Azure Linux install, which you were not told existed and were told to patch yourself? Well, it seems both the good and bad guys are actively poking at it with a big stick, with some actively trying to exploit it, so if you find an exposed host inside Azure running OMI, then you may want to consider giving the IR team a heads up.
Seventh Inferno vulnerability (some NETGEAR smart switches)
https://gynvael.coldwind.pl/?id=742
Kazu: Another reminder that if you have a NETGEAR smart switch, then you may strongly consider checking whether you should get around to patching, and if so, then I suggest doing it ASAP if you have not done so already.
Cybercrime, Italy and Spain dismantle a huge group linked to the Mafia
Kazu: Ah, the Mafia and Italy, a very familiar combination to most people. In the old days they were much more prevalent than now, but they are still very much around and have turned to cybercrime, where the rewards are high and the entry point and risk are low. Well, maybe the last part is not so low, as 106 or so people found out when Italy and Spain came crashing through their doors.
OTHER INTERESTING THINGS WORTH A LOOK:
SuperMem: A Free CrowdStrike Incident Response Tool for Automating Memory Image Processing
https://www.crowdstrike.com/blog/introducing-supermem-free-incident-response-tool/
Kazu: CrowdStrike has announced a new free tool to make memory analysis faster and easier than before. It is, however, relying on various existing forensic tools such as Volatility 2/3, YARA, Plaso, Bulk Extractor and such, so at the moment it's very much not a standalone tool, but simply "marries" them together to do things easier and faster than before.
I haven't tested it out myself yet, but I definitely will when I get the opportunity.
Financially motivated actor breaks certificate parsing to avoid detection
Kazu: Bad actors always try to find new ways to bypass detection by various security solutions. One of the things most solutions do is check the validity of a program's certificate; if it's valid it's usually let through, if not it's usually flagged. In this case, however, some actors have managed to make certificates that appear valid to Windows but cannot be decoded or checked with OpenSSL.
ssh-key-confirmer
Kazu: Ever got an SSH public key and wanted to know if it was valid without actually using it? Well, it turns out you can, and Ben Cox (@benjojo12) has created a tool to do just that.
Opensnitch: a “little Snitch” for your linux
https://github.com/evilsocket/opensnitch
Kazu: "Little Snitch" has for a long time been the most popular application firewall for MacOS, but it both costs money (there's a free one, but that doesn't count) and is not available for Linux. Someone decided to change that and created "opensnitch". I have not checked it out personally, but "@c0dehard" has had a look at it and seems to like it, and if he likes it, then it's good enough for me. It also has 6k stars and 350 forks on GitHub, so it's safe to say people like it.
What Really Caused Data Breaches in 2020?
https://www.hivesystems.io/blog/what-really-caused-data-breaches-in-2020
Kazu: It's long been known that there's a mismatch between what actually happened and the ease of finding information about what happened in data breach cases.
"Hive Systems" decided to look into this further and investigated what is being reported and people's perception of what has happened: they looked at what the industry reported, what academia published, what the news covered and what Google said,
and as you can clearly see, not all are equal and in some cases have very different results.
"Hive Systems" has also mentioned that if there's enough interest, they may consider expanding their investigation into "Wikipedia, Reddit, LinkedIn, Google patent search, security conferences, WayBack Machine, other search engines etc.", which could indeed be interesting.
KDL 1.0.0 stable document language is here!
Kazu: I was planning to add this during the last newsletter, but I completely forgot, and since there was no new one before this week I only now managed to get it in.
Kat Marchán (@zkat__) has announced version 1.0 of a new document language they have been working on called KDL (pronounced "cuddle"), which is supposed to replace YAML/JSON/XML, being optimized for things like considerations, verbosity, and being easier to manage regardless of the size of your project.
The response from people has been overwhelmingly positive, and it looks like a definitely worthy alternative if you want to try to get away from YAML, JSON and XML in your project. I highly recommend reading the FAQ as well to learn more.