Malware Devil

Monday, April 19, 2021

Network Security News Summary for Monday April 19th, 2021

More Cobalt Strike Decoding; Codecov Breach; EIPStackGroup Vuln; MSFT Patch Problems

Decoding Cobalt Strike Traffic
https://isc.sans.edu/forums/diary/Decoding+Cobalt+Strike+Traffic/27322/

Codecov Breach
https://about.codecov.io/security-update/

Google Project Zero Tweaks Disclosure Rules
https://googleprojectzero.blogspot.com

EIPStackGroup OpENer Ethernet/IP
https://us-cert.cisa.gov/ics/advisories/icsa-21-105-02

DNS Problems with Windows 10 Security Update
https://www.bleepingcomputer.com/news/microsoft/mandatory-windows-10-update-causing-dns-and-shared-folder-issues/

keywords: dns; windows 10; llmnr; eipstackgroup; opener; ethernet/ip; google; project zero; codecov; cobalt strike

The post Network Security News Summary for Monday April 19th, 2021 appeared first on Malware Devil.



https://malwaredevil.com/2021/04/19/network-security-news-summary-for-monday-april-19th-2021/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-monday-april-19th-2021

Sunday, April 18, 2021

Data poisoning in action




https://malwaredevil.com/2021/04/18/data-poisoning-in-action-2/?utm_source=rss&utm_medium=rss&utm_campaign=data-poisoning-in-action-2

Positive Technologies’ official statement following U.S. sanctions




https://malwaredevil.com/2021/04/18/positive-technologies-official-statement-following-u-s-sanctions-2/?utm_source=rss&utm_medium=rss&utm_campaign=positive-technologies-official-statement-following-u-s-sanctions-2

[Node.js third-party modules] critical – [wireguard-wrapper] Command Injection via insecure command concatenation




https://malwaredevil.com/2021/04/18/node-js-third-party-modules-critical-wireguard-wrapper-command-injection-via-insecure-command-concatenation-2/?utm_source=rss&utm_medium=rss&utm_campaign=node-js-third-party-modules-critical-wireguard-wrapper-command-injection-via-insecure-command-concatenation-2

xscreensaver: raw socket leaked




https://malwaredevil.com/2021/04/18/xscreensaver-raw-socket-leaked-2/?utm_source=rss&utm_medium=rss&utm_campaign=xscreensaver-raw-socket-leaked-2

CPDP 2021 – Moderator: Ian Brown ‘User Choice And Freedom Through Portability And Interoperability Rights?’

Speakers: Christoph Schmon, Rossana Ducato, Olivier Dion, Dita Charanzová

Our sincere thanks to CPDP 2021 – Computers, Privacy & Data Protection Conference for publishing their well-crafted videos on the organization’s YouTube channel. Enjoy!


The post CPDP 2021 – Moderator: Ian Brown ‘User Choice And Freedom Through Portability And Interoperability Rights?’ appeared first on Security Boulevard.




https://malwaredevil.com/2021/04/18/cpdp-2021-moderator-ian-brown-user-choice-and-freedom-through-portability-and-interoperability-rights/?utm_source=rss&utm_medium=rss&utm_campaign=cpdp-2021-moderator-ian-brown-user-choice-and-freedom-through-portability-and-interoperability-rights

CPDP 2021 – Moderator: Christian Wiese Svanberg ‘E2EE: Stuck Between A Rock And A Hard Place’

Speakers: Scott Charney, Susan Landau, Christine Runnegar

Our sincere thanks to CPDP 2021 – Computers, Privacy & Data Protection Conference for publishing their well-crafted videos on the organization’s YouTube channel. Enjoy!


The post CPDP 2021 – Moderator: Christian Wiese Svanberg ‘E2EE: Stuck Between A Rock And A Hard Place’ appeared first on Security Boulevard.




https://malwaredevil.com/2021/04/18/cpdp-2021-moderator-christian-wiese-svanberg-e2ee-stuck-between-a-rock-and-a-hard-place/?utm_source=rss&utm_medium=rss&utm_campaign=cpdp-2021-moderator-christian-wiese-svanberg-e2ee-stuck-between-a-rock-and-a-hard-place

Idaho CISO Shares Experience from Public, Private Sectors

There are only a small number of current public-sector chief information security officers who have served as the top cybersecurity leader in multiple states. And if you consider those with both state and local government experience, as well as time in a federal government role, and top that all off with private-sector work, the number..

The post Idaho CISO Shares Experience from Public, Private Sectors appeared first on Security Boulevard.




https://malwaredevil.com/2021/04/18/idaho-ciso-shares-experience-from-public-private-sectors/?utm_source=rss&utm_medium=rss&utm_campaign=idaho-ciso-shares-experience-from-public-private-sectors

CommitStrip ‘Another Day, Another Daily’



The post CommitStrip ‘Another Day, Another Daily’ appeared first on Security Boulevard.




https://malwaredevil.com/2021/04/18/commitstrip-another-day-another-daily/?utm_source=rss&utm_medium=rss&utm_campaign=commitstrip-another-day-another-daily

Decoding Cobalt Strike Traffic, (Sun, Apr 18th)

In diary entry “Example of Cleartext Cobalt Strike Traffic (Thanks Brad)” I share a capture file I found with unencrypted Cobalt Strike traffic. The traffic is unencrypted because the malicious actors used a trial version of Cobalt Strike.

This weekend I carried on with the analysis of that traffic; you can see my findings in this video and read the diary entry below.

Reader binarysheperds posted a comment pointing out packet 8241, which looks like it contains the output of a UAC bypass command:

Yesterday I took a closer look at the binary protocol, started to see some patterns (like an epoch value), and then found Python code on GitHub that handles Cobalt Strike’s encrypted traffic.

This allowed me to write a decoding tool: parse-cs-http-traffic.py. It takes the pcap file as its argument and relies on the Python module pyshark to parse it. I then extract the beacon traffic and parse it. The parsing code is still incomplete because my understanding of the protocol is still partial.

Here is the output of my tool for the UAC bypass:

First, commands are delivered to the beacon in an HTTP response: download a DLL and run uacbypass.

Second, the (text) output is sent to the C2 in an HTTP POST request.

This DLL is a reflective loader that performs the UAC bypass:

I also found portscanning activity. You can watch the complete analysis in this video:

And here are two videos by Cobalt Strike developer Raphael Mudge on portscanning and UAC bypass.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.




https://malwaredevil.com/2021/04/18/decoding-cobalt-strike-traffic-sun-apr-18th/?utm_source=rss&utm_medium=rss&utm_campaign=decoding-cobalt-strike-traffic-sun-apr-18th

Mapping “America First” Revival of the KKK

Recently I wrote about a country song of encoded KKK/Nazi signals, called “The Big Revival“. It got me thinking about whether a map might show how a KKK revival happened as a result of Woodrow Wilson’s “America First” campaign platform in 1915. And then I found someone at Virginia Commonwealth University already had gone to … Continue reading Mapping “America First” Revival of the KKK

The post Mapping “America First” Revival of the KKK appeared first on Security Boulevard.




https://malwaredevil.com/2021/04/18/mapping-america-first-revival-of-the-kkk/?utm_source=rss&utm_medium=rss&utm_campaign=mapping-america-first-revival-of-the-kkk

Saturday, April 17, 2021

Prepare Your Organization for MFA Compromise

Learn how Hackers are Bypassing MFA with Astonishing Accuracy

Understanding and preparing for how cybercriminals are bypassing Multi-Factor Authentication (MFA) is imperative for protecting your organization. The Cybersecurity & Infrastructure Security Agency (CISA) issued a warning in early 2021 that cybercriminals are using the cloud to bypass MFA. Threat actors are abusing the trust in authenticated services that […]

The post Prepare Your Organization for MFA Compromise first appeared on SlashNext.

The post Prepare Your Organization for MFA Compromise appeared first on Security Boulevard.




https://malwaredevil.com/2021/04/17/prepare-your-organization-for-mfa-compromise/?utm_source=rss&utm_medium=rss&utm_campaign=prepare-your-organization-for-mfa-compromise

What are the different roles within cybersecurity?

People talk about the cybersecurity job market like it’s a monolith, but there are a number of different roles within cybersecurity, depending not only on your skill level and experience but on what you like to do.
In fact, Cybercrime Magazine came up with a list of 50 cybersecurity job titles, while CyberSN, a recruiting organization, came up with its own list of 45 cybersecurity job categories.



https://malwaredevil.com/2021/04/17/what-are-the-different-roles-within-cybersecurity/?utm_source=rss&utm_medium=rss&utm_campaign=what-are-the-different-roles-within-cybersecurity

Pandemic Drives Greater Need for Endpoint Security

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17

The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile…

CVE-2021-3492
PUBLISHED: 2021-04-17

Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker…

CVE-2020-2509
PUBLISHED: 2021-04-17

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q…

CVE-2020-36195
PUBLISHED: 2021-04-17

An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C…

CVE-2021-29445
PUBLISHED: 2021-04-16

jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe…




https://malwaredevil.com/2021/04/16/pandemic-drives-greater-need-for-endpoint-security-2/?utm_source=rss&utm_medium=rss&utm_campaign=pandemic-drives-greater-need-for-endpoint-security-2

Who Invented the Personal Computer? “Apple Was Literally Following Us Around”

It is quite sad how someone can gleefully erase people to highlight himself. Anyone believe a claim by Steve Jobs in 2001 that there was no personal computer in 1975? Being literate in history should require knowing that by 1974 personal computers already were on the cover of popular magazines. It also is useful to … Continue reading Who Invented the Personal Computer? “Apple Was Literally Following Us Around”

The post Who Invented the Personal Computer? “Apple Was Literally Following Us Around” appeared first on Security Boulevard.




https://malwaredevil.com/2021/04/17/who-invented-the-personal-computer-apple-was-literally-following-us-around/?utm_source=rss&utm_medium=rss&utm_campaign=who-invented-the-personal-computer-apple-was-literally-following-us-around

Querying Spamhaus for IP reputation, (Fri, Apr 16th)

Back in 2018 I posted a diary describing how I use the Neutrino API to do IP reputation checks. In the 2+ years since, that Python script has evolved somewhat, which I hope to go over at some point in the future, but for now I would like to show you the most recent capability I added to it.

As most of you know, The Spamhaus Project has been at the forefront of the fight against spam for over 20 years. But did you know they provide a DNS-based API that can be used, for low-volume non-commercial use, to query all of the Spamhaus blocklists at once? The interface is zen.spamhaus.org. Because it is DNS based, you can perform the query with nslookup or dig, and the returned IP address (in 127.0.0.0/8) is the return code. Note that Spamhaus refuses queries that arrive through large public resolvers (such as Google's or Cloudflare's), so run the lookup through your own resolver.

For example, say we want to test whether 196.16.11.222 is on a Spamhaus list. Because the interface is a DNS query, we first reverse the octets of the IP address and then append .zen.spamhaus.org, so the DNS query name is 222.11.16.196.zen.spamhaus.org.

$ nslookup 222.11.16.196.zen.spamhaus.org

Non-authoritative answer:
Name:  222.11.16.196.zen.spamhaus.org
Address: 127.0.0.2
Name:  222.11.16.196.zen.spamhaus.org
Address: 127.0.0.9

or with dig…

$ dig 222.11.16.196.zen.spamhaus.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.4 <<>> 222.11.16.196.zen.spamhaus.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64622
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;222.11.16.196.zen.spamhaus.org.    IN   A

;; ANSWER SECTION:
222.11.16.196.zen.spamhaus.org. 41 IN  A    127.0.0.2
222.11.16.196.zen.spamhaus.org. 41 IN  A    127.0.0.9

In both cases the DNS response returned two results: 127.0.0.2 and 127.0.0.9. In practice, the mere fact that you receive return codes tells you that this IP is on Spamhaus’s lists and has recently been involved in naughty behavior. To know which Spamhaus lists the return codes correspond to:

Return Code     Zone   Description
127.0.0.2       SBL    Spamhaus SBL Data
127.0.0.3       SBL    Spamhaus SBL CSS Data
127.0.0.4-7     XBL    CBL Data
127.0.0.9       SBL    Spamhaus DROP/EDROP Data
127.0.0.10      PBL    ISP Maintained
127.0.0.11      PBL    Spamhaus Maintained

If you query an IP which is not on any Spamhaus lists the result will be Non-Existent Domain (NXDOMAIN)

$ nslookup 222.11.16.1.zen.spamhaus.org

** server can't find 222.11.16.1.zen.spamhaus.org: NXDOMAIN

I have created a Python script which performs this lookup and have integrated this code into my IP reputation script.

$ python3 queryspamhaus.py 196.16.11.222
196.16.11.222 127.0.0.2 ['SBL']
    
$ python3 queryspamhaus.py 1.16.11.222
1.16.11.222 0 ['Not Found']

The script does have a bug. The socket.gethostbyname() function only returns one result, so it returns an incomplete result for IPs that are on multiple Spamhaus lists. Since usually all I am looking for is whether the IP is on any list, I have never bothered to research how to fix this bug.

For those of you who are interested, the script is below. As usual, I only build these scripts for my own use/research, so a real Python programmer could very likely code something better.

#!/usr/bin/env python3
#
# queryspamhaus.py - look up an IPv4 address in the Spamhaus ZEN DNSBL

import argparse
import socket


def check_spamhaus(ip):
    # Reverse the octets and append the ZEN zone, e.g.
    # 196.16.11.222 -> 222.11.16.196.zen.spamhaus.org
    hostname = ".".join(ip.split(".")[::-1]) + ".zen.spamhaus.org"
    try:
        # gethostbyname() returns only the first A record, so an IP that is
        # on several lists is reported with just one return code.
        result = socket.gethostbyname(hostname)
    except socket.error:
        # NXDOMAIN (not listed) or a resolver failure
        result = 0

    rdict = {"127.0.0.2": ["SBL"],
             "127.0.0.3": ["SBL CSS"],
             "127.0.0.4": ["XBL"],
             "127.0.0.5": ["XBL"],
             "127.0.0.6": ["XBL"],
             "127.0.0.7": ["XBL"],
             "127.0.0.9": ["SBL"],
             "127.0.0.10": ["PBL"],
             "127.0.0.11": ["PBL"],
             0: ["Not Found"]
            }

    # A return code not in the table (e.g. a Spamhaus error code) should not
    # raise KeyError; report it as unknown instead.
    return result, rdict.get(result, ["Unknown"])


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('IP', help="IPv4 address to check")
    args = parser.parse_args()

    result, tresult = check_spamhaus(args.IP)
    print('{} {} {}'.format(args.IP, result, tresult))


if __name__ == "__main__":
    main()
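As an added example (not part of the diary or of Rick's script), here is a variant of the same ZEN lookup that fixes the single-result limitation described above: it uses socket.gethostbyname_ex(), which returns every A record in the answer, so an IP on both SBL and DROP reports both lists. It also recognises the 127.255.255.x codes that Spamhaus returns when a query is refused (typo in the zone name, query via a public resolver, or excessive volume) and reports them as errors rather than as a listing. The resolver is passed in as a function so the logic can be exercised offline with a stub; the file name, function names and the stub are my own assumptions.

```python
#!/usr/bin/env python3
# zen_lookup.py - added example: report *all* Spamhaus ZEN return codes for an IP.

import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Return codes documented for the ZEN zone (127.0.0.4 through 127.0.0.7 are all XBL).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP/EDROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

# Error codes Spamhaus returns instead of a listing. These mean "the query
# was not answered", never "the IP is listed".
ZEN_ERRORS = {
    "127.255.255.252": "query error: typing error in DNSBL name",
    "127.255.255.254": "query refused: anonymous/public resolver",
    "127.255.255.255": "query refused: excessive query volume",
}


def zen_query_name(ip):
    """Build the reversed-octet query name, validating the address first."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 addresses are handled by this example")
    return ".".join(reversed(ip.split("."))) + "." + ZEN_ZONE


def system_resolver(name):
    """Default resolver: every A record for name, or [] on NXDOMAIN/failure."""
    try:
        # gethostbyname_ex() -> (hostname, aliaslist, ipaddrlist)
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_spamhaus_all(ip, resolve=system_resolver):
    """Return (listed, lists, errors) for ip.

    listed - True only if at least one genuine listing code came back
    lists  - sorted list names, one per listing return code
    errors - human-readable text for any 127.255.255.x or unknown answers
    """
    answers = resolve(zen_query_name(ip))
    lists, errors = set(), []
    for code in answers:
        if code in ZEN_CODES:
            lists.add(ZEN_CODES[code])
        elif code in ZEN_ERRORS:
            errors.append(ZEN_ERRORS[code])
        else:
            errors.append("unknown return code " + code)
    return bool(lists), sorted(lists), errors


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:
        listed, lists, errors = check_spamhaus_all(ip)
        print(ip, "LISTED" if listed else "not listed", lists, errors)
```

Run it as `python3 zen_lookup.py 196.16.11.222` against your own resolver; with the diary's example answer (127.0.0.2 and 127.0.0.9) it reports both SBL and SBL DROP/EDROP, and an NXDOMAIN answer yields an empty list rather than a fake return code of 0.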

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.




https://malwaredevil.com/2021/04/17/querying-spamhaus-for-ip-reputation-fri-apr-16th/?utm_source=rss&utm_medium=rss&utm_campaign=querying-spamhaus-for-ip-reputation-fri-apr-16th

2021-04-16 – BazaLoader (BazarLoader) activity




https://malwaredevil.com/2021/04/17/2021-04-16-bazaloader-bazarloader-activity-2/?utm_source=rss&utm_medium=rss&utm_campaign=2021-04-16-bazaloader-bazarloader-activity-2

2021-04-16 – TA551 (Shathak) German-template Word docs push Ursnif (Gozi/ISFB)




https://malwaredevil.com/2021/04/17/2021-04-16-ta551-shathak-german-template-word-docs-push-ursnif-gozi-isfb-2/?utm_source=rss&utm_medium=rss&utm_campaign=2021-04-16-ta551-shathak-german-template-word-docs-push-ursnif-gozi-isfb-2

WeAreDelphix: Meet Javier Barthe

michelle
Fri, 04/16/2021 – 14:17

At Delphix, our SDRs are an amazing group of ambitious individuals spanning across the globe. Meet Javier Barthe, who supports the team in Latin America. Read about why he joined Delphix, his expertise in database technologies, and more.
Apr 16, 2021

What do you do at Delphix and what inspired you to join the company?

I joined the company last November as a sales development representative. I’m responsible for spreading the Delphix message and brand over the Hispanic region in Latin America, working closely with our partner ecosystem to achieve success. I first encountered Delphix in 2015, when I was working as a database manager at a healthcare company based in Buenos Aires. I was looking for a solution that could help me and my team better manage dev/test data. After seeing a demo of the Delphix platform, I was amazed to see the capabilities the platform brought to data. Ever since, I’ve been a Delphix lover. 

Delphix also has a great culture that inspires happiness, health, and greatness. Colby Wren—senior director of Americas sales development—and Bruna Bolorino—general manager for Latin American operations—are both supportive managers that care about fostering a strong sense of culture and community. 

You can ask me anything about…?

Technology and databases. I have more than a decade of experience working with all types of databases (Sybase Hana, MSSQL, MongoDB, Oracle). I’m also a tech lover, and I read about it every day. I’m currently getting my master’s degree in technology, where I’m diving deep into emerging trends and technologies such as IoT, machine learning, analytics, and big data. Outside of work, I teach part-time at Universidad Tecnológica Nacional FRGP. 

What’s the coolest project you’ve worked on at Delphix? 

It’s difficult to point out the coolest project as every day brings on a new, exciting challenge. I  love hearing from customers about the impact Delphix has on their development processes after a complete database delivery in minutes and using our self-service features. You’ll also notice me in some of our Spanish webinars, showcasing all the different ways our product can benefit customers’ digital transformation programs, especially in the area of data compliance. 

What are your hobbies or passions outside of Delphix?

I like sports, especially handball and biking. While we’re still in the midst of the COVID-19 pandemic, travelling is another big passion of mine that I plan to resume as soon as it is safe to do so. 

5 songs that make your personal soundtrack:

La vuelta al mundo – Calle 13
Latinoamérica – Calle 13
El Aguante – Calle 13
Let it Be – The Beatles
Penny Lane – The Beatles

What show are you binge watching? 

The Office. This is old, but I enjoy watching it as it reminds me of some of the funny memories of being in the office, especially after working from home for more than a year now. I’m also watching The Big Bang Theory, Peaky Blinders, and The Queen’s Gambit.

What drives you every day?

I’m passionate about helping customers innovate using data. I talk and engage with technologists at different companies almost every day, and I’m still amazed to hear about all the different data ecosystems and data infrastructures companies have in place today. My ultimate goal is to help businesses achieve a true data-driven culture, where data is delivered at the speed of business to the right people and in a secure way.

What’s the best piece of advice you’ve ever received? 

Be whatever you want in life, but be the best at it. One of my university professors shared this quote, and it’s had a huge impact on me ever since. I try to give my best to everything I do and work towards improving myself every day. 

The post WeAreDelphix: Meet Javier Barthe appeared first on Security Boulevard.




https://malwaredevil.com/2021/04/16/wearedelphix-meet-javier-barthe/?utm_source=rss&utm_medium=rss&utm_campaign=wearedelphix-meet-javier-barthe

Phishing 101: How It Works & What to Look For

Phishing is one of today’s biggest cybersecurity threats and the premier gateway to an array of cybercrimes and fraud. Learn how to protect your organization.

The post Phishing 101: How It Works & What to Look For appeared first on Security Boulevard.




https://malwaredevil.com/2021/04/17/phishing-101-how-it-works-what-to-look-for/?utm_source=rss&utm_medium=rss&utm_campaign=phishing-101-how-it-works-what-to-look-for

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...