KazukiLabs NewsLetter Vol. 3 Num. 12
The bug Snatcher
For a while now, I have been somewhat more focused on getting various things in order than on actually spending much time on many of my projects. But the thought of having a bunch of both public and non-public projects lying around for too long without any work done on them greatly annoys me, and many of the projects were for my own needs more than anything else after all, so I have decided it's time to try to get back to some of them soon. Hopefully you will start to see more of my projects being updated in the future, and possibly new ones as well.
It's also nice to actually have more active projects when the HR person comes looking as I try to apply for a position at a company :)
News of interest:
Rogue HackerOne employee steals bug reports to sell on the side
Kazu: It seems HackerOne had a case of a bad employee who tried cashing in on other security researchers' work for financial gain. How the person thought he would manage to get away with this without anyone noticing is beyond me, but it shows that, regardless of where you are, there's always the risk of a malicious insider.
Also, to be honest, I have never really understood the point of even considering pulling something against your company (or others) for financial gain. I can in some way understand non-financial gain, as that is driven by something else, but financial? I get it, you want money, but in 99.9% of the cases the risk and profit are not even close to matching up.
Look, you already likely get paid for just doing your job, and if you don't like your job there are always options to look for others. But by trying to pull something stupid just for some extra money, you not only risk losing your job and doing time behind bars, you also effectively prevent yourself from ever getting any job in the future, at least within that industry. Why on earth someone would think that was a good idea is beyond me.
Tags: HackerOne, Insider, rogue, bounty, attack, infosec
Gimphash now included in MalwareBazaar:
abuse.ch @abuse_ch: MalwareBazaar is now calculating the #gimphash for Go binaries 📄🔍 gimphash is a method proposed by @cyb3rops to calculate an imphash equivalent for Go binaries 👀 You can hunt gimphashes on MalwareBazaar using both the API and UI 💥💪 Sample report: 👉 https://t.co/zIdMAfUPEc https://t.co/pka2YyiLRM
Kazu: Florian Roth (@cyb3rops) has created a tool called "gimphash", which was made to be similar to "imphash" but for Go binaries. It is a method to calculate a hash of all the imports a binary does, which makes identifying and tracking malware easier.
It's been out for a while now, but MalwareBazaar just recently included it in their database entries, which should make tracking of malware easier. It's still not available on VirusTotal or in YARA, but that is coming in the future.
Tags: GitHub, hash, cryptography, Tool, MalwareBazaar, Go, DFIR, CTI
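To make the import-hash idea behind gimphash concrete, here is an added example that is not part of this newsletter or the gimphash project: it implements the classic PE imphash normalization (lower-cased module name with its library extension stripped, "module.function" entries in import-table order, comma-joined, MD5) over constructed import tables for three hypothetical samples, showing that two builds with the same imports share a hash while a sample with different imports does not. gimphash's own extraction of names from Go binaries is not reproduced here.

```python
import hashlib
from typing import Dict, List

# Constructed import tables for hypothetical samples (not real malware).
# Each maps a module name to its imported functions in import-table order.
SAMPLE_A: Dict[str, List[str]] = {
    "KERNEL32.DLL": ["CreateFileA", "WriteFile", "VirtualAlloc"],
    "WS2_32.dll": ["WSAStartup", "connect", "send"],
}
# Same imports as A; only the casing differs (e.g. a different build tool).
SAMPLE_B: Dict[str, List[str]] = {
    "kernel32.dll": ["createfilea", "writefile", "virtualalloc"],
    "ws2_32.dll": ["wsastartup", "connect", "send"],
}
# Different capability set: no networking imports at all.
SAMPLE_C: Dict[str, List[str]] = {
    "kernel32.dll": ["CreateFileA", "WriteFile", "VirtualAlloc"],
}


def normalize_module(name: str) -> str:
    """Lower-case the module name and drop the library extension, as imphash does."""
    name = name.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash(imports: Dict[str, List[str]]) -> str:
    """Classic imphash: 'module.function' entries in table order, comma-joined, MD5."""
    entries = [
        f"{normalize_module(module)}.{func.lower()}"
        for module, funcs in imports.items()  # dicts keep insertion order
        for func in funcs
    ]
    return hashlib.md5(",".join(entries).encode("ascii")).hexdigest()


def same_import_family(a: Dict[str, List[str]], b: Dict[str, List[str]]) -> bool:
    """True when two samples would be linked by their import hash alone."""
    return imphash(a) == imphash(b)


if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label, imphash(sample))
    print("A and B linked:", same_import_family(SAMPLE_A, SAMPLE_B))
    print("A and C linked:", same_import_family(SAMPLE_A, SAMPLE_C))
```

Because the hash depends on import order as well as content, the same function set in a different order produces a different hash; that is why the value links builds of one toolchain rather than every binary with similar capabilities.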
Other Things of interest
Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
Kazu: Since the ransomware "Black Basta" hit the scene not that long ago, it has managed to get the better of over 50 organizations around the world and gotten quite a bit of attention. It's in constant development and has been observed using QakBot as a means of entry and movement, as well as making use of the PrintNightmare vulnerability to perform privileged file operations.
This article goes a bit more into its attack chain and, as always, includes a list of IoCs for your use.
Tags: Ransomware, Black Basta, QakBot, Printnightmare, DFIR, CTI, IoC
A Reuters special report: How mercenary hackers sway litigation battles
Kazu: I came across this special report by Reuters in my feed, which I found interesting. It is about "hackers for hire", alternatively known as "cyber mercenaries", and how they are seen involved in litigation battles around the world. The report tries to go a little further into how they operate and the alleged cash flow between "client and spy", and is an interesting read if you have the time for it.
Tags: Report, spying, Reuters, hacking, intelligence
What large sampleset can teach us about existing file extensions:
Kazu: To quote from the post itself: "Is there a single superset of all possible file extensions that are of interest from a security perspective?" Unsurprisingly, the answer appears to be no, as there are so many file types out there using the same extension as something else while not being alike at all.
In addition, when you open for instance a CSV file, the program is likely expecting a certain type, but there are many file types that use the same extension, so when the program tries to open it, it may fail to view it correctly, fail to open it outright, or trigger an unknown vulnerability that can allow an attacker to gain a foothold on the system or even completely compromise it.
With the amount of applications that exist, and the methods other than mail attachments for getting a file onto a system and opened, it's impossible to always completely lock down a system from any kind of exploit.
Tags: infosec, Security, windows, file extensions, DFIR, Digital Archaeology