Kategorie

Popular ‘safe browsing’ padlocks are now passe as a majority of bad guys also use them.

Introduction: This article provides an overview of various techniques that can be used to mitigate Format String vulnerabilities. In addition to the mitigations that are offered by the compilers & operating systems, we will also discuss preventive measures that can be used while writing programs in languages susceptible to Format String vulnerabilities.  Techniques to prevent […]

The post How to mitigate Format String Vulnerabilities appeared first on Infosec Resources.

How to mitigate Format String Vulnerabilities was first posted on September 29, 2020 at 2:46 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction: IoT Manufacturers Favor Convenience over Security Because IoT security is still an afterthought, cybercriminals in general consider smart devices a “low-hanging fruit” – a target easy to compromise and manipulate. Security (and privacy) by design is key for IoT, and probably the only effective way for a smart gadget to protect its communications is […]

The post IoT Security Fundamentals: Intercepting and Manipulating Wireless Communications appeared first on Infosec Resources.

IoT Security Fundamentals: Intercepting and Manipulating Wireless Communications was first posted on September 29, 2020 at 2:14 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction: Knowing the Notions  Industrial Internet of Things (IIoT) incorporates technologies such as machine learning, machine-to-machine (M2M) communication, sensor data, Big Data, etc. This article will focus predominantly on the consumer Internet of Things (IoT) and how it relates to Operational Technology (OT). Operational Technology (OT) is a term that defines a specific category of […]

The post IoT Security Fundamentals: IoT vs OT (Operational Technology) appeared first on Infosec Resources.

IoT Security Fundamentals: IoT vs OT (Operational Technology) was first posted on September 29, 2020 at 1:59 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

The attempted compromises, which could allow full control over Active Directory identity services, are flying thick and fast just a week after active exploits of CVE-2020-1472 were first flagged.

I am sure that many of you have by now heard of a recently disclosed critical Windows server vulnerability—called Zerologon—that could let hackers completely take over enterprise networks. For those unaware, in brief, all supported versions of the Windows Server operating systems are vulnerable to a critical privilege escalation bug that resides in the Netlogon Remote Control Protocol for Domain

How public-key cryptography works Public-key or asymmetric cryptography is one of the two main types of encryption algorithms. Its names come from the fact that it uses two different encryption keys: a public one and a private one. Public and private keys The private key used in public-key cryptography is a random number with certain […]

The post Public-Key Cryptography in Blockchain appeared first on Infosec Resources.

Public-Key Cryptography in Blockchain was first posted on September 29, 2020 at 12:25 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Botnets and IoT devices are forming a perfect storm for IT staff wrestling with WFH employee security.

Mezi nejrozšířenější hrozby, které kolují internetem, patřil v uplynulém měsíci spyware. Jde o špionážní software, jehož hlavním úkolem je odcizit uživatelská hesla na napadených strojích. Tak masivně jsou tito nezvaní návštěvníci rozšířeni proto, že si je mohou klidně i laikové objednat na internetu jako službu. Vyplývá to z analýzy antivirové společnosti Eset.

Introduction to hash functions Hash functions are one of the most extensively-used cryptographic algorithms in blockchain technology. They are cryptographic (but not encryption) algorithms that are designed to protect data integrity. In a nutshell, a hash algorithm is a mathematical function that transforms any input into a fixed size output. To be cryptographically secure — […]

The post Hash Functions in Blockchain appeared first on Infosec Resources.

Hash Functions in Blockchain was first posted on September 29, 2020 at 11:16 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction The blockchain gets its name from its underlying structure. The blockchain is organized as a series of “blocks” that are “chained” together. Understanding blockchain security requires understanding how the blockchain is put together. This requires knowing what the blocks and chains of blockchain are and why they are designed the way that they are. […]

The post Blockchain Structure appeared first on Infosec Resources.

Blockchain Structure was first posted on September 29, 2020 at 10:55 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

A researcher said he discovered an open data cache with names, grades, birthdates and more, after the Clark County School District refused to pay the ransom.

On 3rd of September, we were hosting our “Experts Talk. Why master YARA: from routine to extreme threat hunting cases“, in which several experts from our Global Research and Analysis Team and invited speakers shared their best practices on YARA usage. At the same time, we also presented our new online training covering some ninja secrets of using YARA to hunt for targeted attacks and APTs.

Here is a brief summary of the agenda from that webinar:

• Tips and insights on efficient threat hunting with YARA
• A detailed demo of our renowned training
• A threat hunting panel discussion with a lot of real-life yara-rules examples

Due to timing restrictions we were not able to answer all the questions, therefore we’re trying to answer them below. Thanks to everyone who participated and we appreciate all the feedback and ideas!

Questions about usage of YARA rules

1. How practical (and what is the ROI), in your opinion, is it to develop in-house (in-company/custom) YARA rules (e.g. for e-mail / web-proxy filtering system), for mid-size and mid-mature (in security aspects) company, when there are already market-popular e-mail filtering/anti-virus solutions in use (with BIG security departments working on the same topic)?

In the case of mid-size companies, they can benefit a lot from three things connected to YARA, because YARA gives you some flexibility to tailor security for your environment.
First is the usage of YARA during incident response. Even if you don’t have an EDR Endpoint Detection and Response) solution, you can easily roll-out YARA and collect results through the network using PowerShell or bash. And it’s often the case that someone in a company should have experience developing YARA rules.
Second is the usage of third-party YARA rules. It’s an effective way to  have one more layer of protection. On the other hand, you need to maintain hunting and detection sets and fix rules and remove false positives anyway. Which once again means that someone needs experience in writing YARA rules.
Third is that, as mentioned earlier, it might be really useful to have rules to look for organization-specific information or IT assets. It can be a hunting rule that triggers on specific project names, servers, domains, people, etc.So the short answer is yes, but it is important to invest time wisely, so as not to become overwhelmed with unrelated detections.

2. What is the biggest challenge in your daily YARA rule writing/management process? Is it a particular malware family, actor, or perhaps a specific anti-detection technique?

In our experience, certain file formats make writing YARA rules more difficult. For instance, malware stored in the Office Open XML file format is generally more tricky to detect than the OLE2 compound storage, because of the additional layer of ZIP compression. Since YARA itself doesn’t support ZIP decompression natively, you need to handle that with external tools. Other examples include HLL (high level language) malware, notably Python or Golang malware. Such executables can be several megabytes in size and contain many legitimate libraries. Finding good strings for detection of malicious code in such programs can be very tricky.

3. Some malware uses YouTube or Twitter or other social media network comments for Command-and-Control. In that regard, where there are no C2 IPs, is it currently hard to detect these?

Yes and no. Yes, it’s hard to get the real C2, because you need to reverse engineer or dynamically run malware to get the final C2. No, it’s relatively easy to detect, because from a ML   point of view  it’s a pure anomaly when very unpopular software goes to a popular website.

4. So what is the size of the publicly available collections for people to use YARA against? What are some good ways to access a set of benign files, if you don’t have access to retrohunts/VTI?

You can use YARA on clean files and malware samples. Creating a comprehensive clean collection is a challenge, but in general, to avoid false positives, we recommend grabbing OS  distributions and popular software. For this purpose, a good starting point could be sites like:
https://www.microsoft.com/en-us/download
https://sourceforge.net/
ftp://ftp.elf.stuba.sk/pub/pc/

For malware collection it’s a bit tricker. In an organization it’s easier, since you can collect executables from your own infrastructure. There are also websites with the collection of bad files for research purpose in Lenni Zeltser blogpost there is a good list of references:
https://zeltser.com/malware-sample-sources/

The final size of such a collection could be several terabytes or even more.

5. Can YARA be used to parse custom packers?

Yes, but not out-of-the-box. YARA has a modular architecture, so you can write a module that will first unpack the custom packer and then scan the resulting binary.
A more common option is to run YARA against already unpacked objects, e.g. results of unpacking tools like Kaspersky Deep Unpack or sandbox and emulator dumps.

6. What is the trade-off when we want to hunt for new malware using YARA rules? How many FPs should we accept when we need rules that detect new variants

It depends what you want to catch. In general, from a research perspective, it’s ok to have an average FP rate up to 30%. On the other hand, production rules should have no FPs whatsoever!

7. Could YARA help us to detect a fileless attack (malware)?

Yes, YARA can scan memory dumps and different data containers. Also, you can run YARA against telemetry, but it may take some additional steps to achieve it and properly modify the ruleset.

8. We can use YARA, together with network monitoring tools like Zeek, to scan files like malicious documents. Can YARA be used against an encrypted protocol?

Only if you do a MITM (Man-in-the-Middle) and decrypt the traffic, since YARA rules most likely expect to run on decrypted content.

9. What open source solution do you recommend in order to scan a network with YARA rules?

YARA itself plus PowerShell or bash scripts; or, as an alternative, you can use an incident response framework and monitoring agent like OSquery, Google Rapid Response, etc. Other options are based on EDR solutions which are mostly proprietary.

10. Which is better, YARA or Snort, for looking at the resource utilization for detection in live environments?

YARA and Snort are different tools providing different abilities. Snort is designed specifically as a network traffic scanner, while YARA is for scanning files and/or memory. The best approach is to combine usage of YARA and Snort rules together!

Questions about creating yara rules and training course questions

11. Are we able to keep any of the materials after the course is finished?

Yes, Kaspersky YARA cheat-sheets or training slides which include Kaspersky solutions to exercises are some of the things that are available for you to download and use even after the training session has finished.

12. Is knowledge about string extraction or hashing sufficient to create solid YARA rules? Are there other things to learn as prerequisites?

This depends on case-by-case knowledge. Strings and hashing are basic building blocks for creating YARA rules. Other important things are PE structure and preferences and anomalies in headers, entropy, etc. Also, to create rules for a specific file format, you need some knowledge of the architecture of the corresponding platform and file types.

13. Can we add a tag to the rule that says it is elegant, efficient or effective, such as the tag on the exploit (in the metasploit): excellent, great, or normal?

Sounds like a good idea. Actually, YARA rules also support tags in the name:
https://yara.readthedocs.io/en/stable/writingrules.html

14. Maybe you can explain more about the fact that metadata strings don’t have a direct impact on the actual rule.

    As we described before, a YARA rule can consist of meta, strings and conditions. While the condition is a mandatory element, the meta section is used only for providing more info about that specific YARA rule. and it is not at all used by the YARA scanning engine.

15. ASCII is the default, so why do you need to put ASCII in the rule?

Without ASCII, say ‘$a1 = “string” wide’, only the Unicode representation of the string would be searched. To search both ASCII and Unicode, we need ‘$a1= “string” ascii wide’.

16. Can we use RegEx in YARA? Is nesting possible in YARA?

Yes, it’s possible to use RegEx patterns in YARA. Be aware that RegEx patterns usually affect performance and can be rewritten in the  form of lists. But in some cases you just cannot avoid using them and the YARA engine fully supports them.
Nesting is also possible in YARA. You can write private rules that will be used as a condition or as a pre-filter for your other rules.

17.  Is there a limit on the number of statements in a YARA rule?

We created several systems that create YARA rules automatically; and over time these have reached tens of megabytes in size. While these still work fine for us, having a very large number of strings in one rule can lead to issues. In many cases, setting a large stack size (see the yara -k option) helps.

18. Can we say that YARA can be a double-edged sword? So a hacker can develop malware and then check with YARA if there’s anything similar out there and enhance it accordingly?

Sure, although they would need access to your private stash of YARA rules. In essence, YARA offers organizations a way to add extra defenses by creating custom, proprietary YARA rules for malware that could be used against them. Malware developers can always test their creations with antivirus products they can just download or purchase. However, it would be harder to get access to private sets of YARArules.

19. This is a philosophical question: Juan said YARA has democratized hunting for malware. How have APTs and malware authors responded to this? Do they have anti-YARA techniques?

A few years ago we observed a certain threat actor constantly avoiding our private YARA rules for one to two months after we published a report. Although the YARA rules were very strong, the changes the threat actor made to the malware kind of suggested they knew specifically what to change. For instance, in the early days they would use only a few encryption keys across different samples, which we, of course, used in our YARA rules. Later, they switched to a unique key per sample.

20. Would be possible to create a YARA rule to find Morphy’s games among a large set of chess games?

Probably! Morphy was one of the most famous players from the so-called romantic chess period, characterised by aggressive openings, gambits and risky play. Some of the openings that Morphy loved, such as the Evans Gambit or the King’s Gambit accepted, together with playing with odds (Morphy would sometimes play without a rook against a weaker opponent), might yield some interesting games. Or, you could just search for ‘$a1 = “Morphy, Paul” ascii wide nocase’, perhaps together with’ $a2 = “1. e4″‘  ????

21. Would you recommend YARA for Territorial Dispute checks?

Yes, of course. In essence, “Territorial Dispute” references a set of IoCs for various threat actors, identified through “SIGS”. While some of them have been identified, for instance in Boldi’s paper, many are still unknown. With YARA, you can search for unique filenames or other artifacts and try to find malware that matches those IoCs. Most recently, Juan Andres Guerrero-Saade was able to identify SIG37 as “Nazar”: check out his research here:
https://www.epicturla.com/blog/the-lost-nazar

Pro tips and tricks from the audience

• Using YARA programmatically (e.g. via py/c) allows you to use hit callbacks to get individual string matches. This enables you to check for partial rule coverage (k of n strings matched but without triggering the condition), which is great for aiding rule maintenance.
• On the top white list (clean stuff), known exploits and payloads should be also populated in our YARArule sets.
• I always find it easier to maintain code by grouping the strings together.
• As a dedicated/offline comment to JAG-S: The “weird” strings from the rule discussed most likely come from the reloc section (thus locking on encoded offsets), which would make the rule highly specific to a given build, even with a soft 15/22 strings required. That would still probably work well if the samples originate from a builder (i.e. configured stub) but should not generalize well. And for the IDA-extracted functions: consider wildcarding offsets to have better generalizing rules.
• When it comes to strings – besides the strings from disk, mem, network dump, etc., bringing context and offset should be a best practice. Then rank the strings in the context of the malware. And this requires human expertise but can be easily adapted into the YARA rule building process.
• Сombining, in a flexible way, the YARA rules build process with the enrichment of the recently announced Kaspersky Threat Attribution Engine, will be also GReAT ????

Feel free to follow us on Twitter and other social networks for updates, and feel free to reach out to us to discuss interesting topics.
On Twitter:

• Costin Raiu: @craiu
• Dan Demeter: @_xdanx
• Yury Namestnikov: @SomeGoodOmens

Today, we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is of an HTB machine named Traceback. HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple […]

The post Hack the Box (HTB) Machines Walkthrough Series – Traceback appeared first on Infosec Resources.

Hack the Box (HTB) Machines Walkthrough Series – Traceback was first posted on September 29, 2020 at 8:07 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction Passwords should be secret, so why do so many people wind up using the same popular passwords? The truth is, no one sets out to choose a password that is dangerously common or insecure. Instead, they most likely don’t realize the risk of using a common password or don’t know how to create — […]

The post Breached passwords: The most frequently used and compromised passwords of the year appeared first on Infosec Resources.

Breached passwords: The most frequently used and compromised passwords of the year was first posted on September 29, 2020 at 8:05 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction The cybersecurity threat landscape is rapidly evolving, and cybercriminals are becoming more sophisticated. Traditional threat detection techniques that rely on signature-based threat detection are no longer effective. In fact, signature-based antivirus systems were only capable of detecting and blocking half of malware in the last quarter of 2019. Anomaly-based detection enables the detection of […]

The post The business value of CompTIA CySA+ employee certification appeared first on Infosec Resources.

The business value of CompTIA CySA+ employee certification was first posted on September 29, 2020 at 8:03 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Threatpost's latest poll probes telehealth security risks and asks for IT cures.

The infamous FinSpy spyware has returned - and is now targeting Linux and macOS users. FinSpy is being used in new campaigns targeting dissident organizations in Egypt.

Poklidnými vodami českého internetu se v těchto dnech začala šířit nová podvodná zpráva, která cílí na klienty České spořitelny. Kyberzločinci se prostřednictvím ní snaží z důvěřivců vylákat přihlašovací údaje a následně i peníze z účtu. Tvrdí přitom, že kvůli aktualizaci byl účet uzamčen.

Researchers warn of emails pretending to help business employees upgrade to Windows 10 - and then stealing their Outlook emails and passwords.