Tag Archive for: Hunting

Hunting for Windows “Features” with Frida: DLL Sideloading


Offensive security professionals have long used Frida to analyze iOS and Android mobile applications, but it has seen little use against desktop operating systems such as Windows. Frida is described by its author as a “Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.” From a security research and adversarial simulation perspective, Frida can be used to identify opportunities for MITRE ATT&CK technique T1574.002, dynamic-link library (DLL) sideloading, and it is not limited to that technique: it can also identify opportunities for T1546.015, Component Object Model (COM) hijacking. This blog post reviews DLL sideloading and how attackers and offensive security professionals can identify potential DLL sideloading opportunities using X-Force Red’s proof-of-concept Frida tool, Windows Feature Hunter (WFH).

What Is DLL Sideloading?

MITRE ATT&CK describes DLL sideloading in T1574.002 as follows:

Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

MITRE ATT&CK goes on to say that “side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other.”

Microsoft also wrote a blog post defining what it considers a vulnerability: scenarios where a DLL is picked up from the current working directory (CWD) would be addressed with a security fix, while scenarios involving a PATH directory would not, “since there can’t be a non-admin directory in the PATH, [it] can’t be exploited.”

Windows DLL Search Order

Microsoft details the DLL search order in this post, excerpted below:

A system can contain multiple versions of the same dynamic-link library (DLL). Applications can control the location…
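To make the search order above concrete, here is an added example in Python (not code from the original post, from WFH, or from Microsoft) that models the default SafeDllSearchMode order and then applies the check a LoadLibrary hook would feed: any DLL the application does not ship in its own directory, or that is not found at all, is flagged as a sideloading candidate, because a same-named DLL planted beside the EXE is consulted at step 1 before the genuine file is reached. The install paths, the KnownDLLs subset, the application layout and the observed loads are all constructed for the illustration; the Contoso application does not exist.

```python
"""Model of the Windows DLL search order plus a sideloading-candidate check.
Added illustration only: not WFH, Frida, or Microsoft code.  Every path, DLL
name and observed load below is constructed for the example."""
from dataclasses import dataclass, field
import ntpath

# Fixed directories in the documented search order (assumed install paths).
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"

# Subset of KnownDLLs: the loader maps these from System32 without searching,
# so a same-named file next to the EXE is ignored for these names.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "gdi32.dll"}


def _norm(path):
    """Case-insensitive, separator-normalised form used for all comparisons."""
    return ntpath.normpath(path).lower()


def _canonical(name):
    """LoadLibrary appends .dll when the requested name has no extension."""
    base = name if ntpath.splitext(name)[1] else name + ".dll"
    return base.lower()


@dataclass
class SearchContext:
    app_dir: str               # directory the EXE was loaded from (step 1)
    cwd: str                   # current working directory of the process
    path_dirs: list            # %PATH% entries, searched last
    safe_search: bool = True   # SafeDllSearchMode, the registry default
    files: set = field(default_factory=set)   # constructed filesystem

    def __post_init__(self):
        self.files = {_norm(p) for p in self.files}

    def exists(self, path):
        return _norm(path) in self.files


def search_order(ctx):
    """Directories in the order the loader tries them for an unqualified name."""
    order = [ctx.app_dir]
    if ctx.safe_search:
        order += [SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, ctx.cwd]
    else:   # legacy order: the CWD comes right after the application directory
        order += [ctx.cwd, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    return order + list(ctx.path_dirs)


def resolve(ctx, name):
    """Path the loader would load for LoadLibrary(name), or None if nothing matches."""
    if ntpath.isabs(name):             # fully qualified name: no search at all
        return name if ctx.exists(name) else None
    canon = _canonical(name)
    if canon in KNOWN_DLLS:
        return ntpath.join(SYSTEM_DIR, canon)
    for directory in search_order(ctx):
        candidate = ntpath.join(directory, canon)
        if ctx.exists(candidate):
            return candidate
    return None


def classify(ctx, name):
    """Verdict for one observed load.  Anything not shipped beside the EXE is a
    sideloading candidate: a planted copy in app_dir is hit at step 1."""
    resolved = resolve(ctx, name)
    if _canonical(name) in KNOWN_DLLS:
        return "known_dll", resolved
    if resolved is None:
        return "sideload:missing", None      # not found anywhere: any planted copy wins
    where = _norm(ntpath.dirname(resolved))
    if where == _norm(ctx.app_dir):
        return "shipped", resolved           # application owns it; nothing to plant
    if where == _norm(ctx.cwd):
        return "sideload:cwd", resolved      # resolved from the current directory
    if where in {_norm(SYSTEM_DIR), _norm(SYSTEM16_DIR), _norm(WINDOWS_DIR)}:
        return "sideload:system", resolved   # the classic case: a system DLL name
    return "sideload:path", resolved         # resolved from a %PATH% entry


def hunt(ctx, observed):
    """Run the check over the DLL names a LoadLibrary hook would report."""
    return {name: classify(ctx, name) for name in observed}


def demo():
    """Constructed layout: one vendor application and a handful of runtime loads."""
    app_dir = r"C:\Program Files\Contoso"
    cwd = r"C:\Users\alice\Downloads"
    ctx = SearchContext(
        app_dir=app_dir, cwd=cwd, path_dirs=[SYSTEM_DIR, r"C:\Tools"],
        files={
            ntpath.join(app_dir, "contoso.exe"),
            ntpath.join(app_dir, "contosoui.dll"),
            ntpath.join(SYSTEM_DIR, "kernel32.dll"),
            ntpath.join(SYSTEM_DIR, "version.dll"),
            ntpath.join(cwd, "helper.dll"),
            r"C:\Tools\plugin.dll",
        })
    observed = ["contosoui.dll", "kernel32.dll", "version.dll",
                "helper", "plugin.dll", "missing.dll"]
    return hunt(ctx, observed)


if __name__ == "__main__":
    for name, (verdict, path) in demo().items():
        print(f"{name:15} {verdict:17} {path}")
```

The model deliberately separates the two conditions a hunter cares about: where the loader actually found the DLL (which decides whether the CWD or PATH caveat from Microsoft's post applies) and whether the application directory already contains it (which decides whether planting a copy there changes anything). KnownDLLs are reported separately because a hook sees them loaded like any other module, yet they are never candidates.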

Source…

Hunting the hunters: How Russian hackers targeted US cyber first responders in SolarWinds breach


Over the course of a few months, as US officials remained unaware of the breach, hackers identified a handful of key cyber security officials and analysts who would be among the first to respond once the hack was detected, so-called ‘threat hunters,’ and attempted to access their email accounts, according to two sources familiar with the matter.

While it is unclear if any of those accounts were compromised, sources say the fact that the hackers knew which working-level cybersecurity analysts at the Department of Homeland Security to go after suggests they were able to develop a much deeper understanding of US cyberdefenses than was previously known.

“It appears as if the Russian SolarWinds hackers possess granular information on personnel and who among them is likely to be involved in investigating the SolarWinds hack,” said Cedric Leighton, a former NSA official and CNN military analyst. “This could mean that networks have been penetrated to a degree we’ve not known before. If that’s true, we need a complete housecleaning of all our defensive cyberoperations.”

The assessment that hackers deliberately targeted DHS threat hunters, which has not been previously reported, underscores how the SolarWinds attack was among the most sophisticated cyberoperations ever conducted against the US, according to current and former officials.

By keeping tabs on these cyber first responders, sources and experts tell CNN the hackers could have been able to monitor in real-time as US officials began to discover the attack, allowing them to tailor their actions accordingly and remain hidden for as long as possible.


“What this does is it shows a level of sophistication in terms of targeting those who are working actively to prevent the attacks from either occurring or expanding. And so that is different than what you’re seeing in past cyberattacks,” former acting DHS undersecretary Chris Cummiskey told CNN.

“The level of sophistication is problematic because they’re actually going after people that they see as more valuable, so it shows a sense of prioritization,” he added.

While emails belonging to the senior-most cyber officials, including Chris Krebs, the former director of the Cybersecurity…

Source…

FIN11 e-crime group shifted to clop ransomware and big game hunting


The financially motivated FIN11, which increasingly incorporated CL0P ransomware into their operations in 2020, appeared to rely on low-effort volume techniques like spamming malware for initial entry, but put a substantial amount of effort into each follow-up compromise.

“Several of their recent ransom notes explicitly name data stolen from workstations that belong to top executives (including founders/CEOs) of the respective enterprises,” Senior Cybersecurity Analyst Thomas Barabosch wrote in a blog post detailing new research from Deutsche Telekom. “This is likely based on the hope that using data stolen from top executives in the extortion process raises their chances that the victim pays.”

The research sheds new light on how cybercriminals from the threat group, described as a relentless, big game ransomware hunter that rarely goes more than a day or two between attacks, used the popular clop ransomware in their intrusions.

Throughout 2020, FIN11 actors followed an observable pattern through three separate campaigns: first spamming potential victims with phishing emails during the work week and then sifting through those who clicked on the malicious link to identify the most lucrative corporate targets for follow up action. FireEye picked up on one of those campaigns in October, and the company’s research suggests “that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture.”

In the FIN11 clop attacks, a target is hit with a unique variation of the ransomware. Researchers found more than a dozen different clop samples used by the group. In some cases there are multiple samples for a single victim. They also craft a personalized ransom note that includes the victim’s name, specifics around exfiltrated data, file share paths, user names and other details. They also use ransomware with unique, 1024-bit RSA public keys for each victim, with Barabosch noting in a blog that “as of January 2021, the largest publicly known RSA key that was factored…had 829 bits.”

There’s…

Source…

Cyber shopping is hunting season for hackers :: WRAL.com


As the pandemic drives more holiday shoppers to fill their carts online, it’s hunting season for the bad guys.

A cybercrime expert says those struggling financially are more likely to fall for too-good-to-be-true deals.

Rob Goldfinger is a global financial crimes expert with BAE Systems Applied Intelligence.

“People online are letting their guard down,” he says.

He urged those who shop online to stay focused and be vigilant for the tricks that criminals use to gather personal and financial information.

Goldfinger suggests sticking to stores, brands and sites that are familiar. It’s safer to seek out sites – type in an address you know – than to follow links in ads or in email.

“If an ad pops up,” he said, “You should say, ‘That is not what I was originally looking for.'”

Keep the security programs on your computer current, and check that the network is secure. It’s best to shop from home or work.

A device may detect multiple Wi-Fi networks. Make sure to connect to one that is secure.

Even with precautions, if a vendor’s site is hacked, personal information could be stolen. Goldfinger suggests tracking purchases and checking bank account and credit card statements carefully so that any unexpected charge can be challenged.

Report anything suspicious to law enforcement and to the bank or credit card company immediately.

Source…