
Lifetime Training Course Membership for a Black Friday price. I've not done any course with them explicitly, but did a lot of online trainings and think this is a very good way of getting (and staying) on top of the technology.

Tags: training

Automatic Protocol Reverse Engineering


Cool video (even if the dialect takes some getting used to) on what is normally a time-consuming topic: protocol reversing.

Protocol reverse engineering is the process of extracting the specification of a network protocol from a binary code that implements it. Extraction of protocol specification is useful in several security-related contexts, such as finding implementation bugs, determining conformance to a standard, or discovering a botnet's command and control (C&C) protocol. Manual reverse engineering of a protocol can be time-consuming. We present a tool that automatically reverse engineers a protocol directly from the binary...

Full Abstract & Presentation Materials: https://www.blackhat.com/us-22/briefi...

OSINT

A small glimpse into Telegram monitoring:

A rather "talkative" group:
https://t.me/plumdatabases/1885


Google publishes Cobalt Strike YARA rules

Darkreading writes about Google's release of YARA rules for detecting the various Cobalt Strike variants.

The inclined security nerd should therefore add these to his IOC list and scan his storage with them.

Google's friendly donation is filed here on GitHub:

This directory contains the currently open sourced YARA signatures from GCTI. Each directory contains signatures specific to a particular malware/tool family.

Currently, the following signature sets are included:

  • CobaltStrike: Signatures for detecting the key components of the Cobalt Strike framework.

  • Sliver: Signatures for detecting the 32 and 64-bit versions of the Sliver implant.

HIVE extorts MediaMarkt

According to a report by heise.de, Hive (Tor link) is demanding a ransom of 100 million USD for the "release" of their data.

The FBI publishes a list of possible indicators on one of its pages. It is advisable to at least search for their existence in your own network. ;-)


OSINT Status via DiscordBot

To get a small status overview of the current OSINT landscape and the evaluations, a Discord bot is "fed" from the CDC.

Not only general cyber news arrives here, but also the respective results from the CDC leak check:

Play with real IPv6 /48 at Hurricane Electric

Get yourself a /48 IPv6 tunnel (65535 times a /64) at Hurricane Electric and prove your IPv6 capabilities with a free exam.

SMBGhost Exploit PoC

"chompie1337" is giving us a PoC for the SMBGhost vulnerability to test systems in your environment.

Even if not used to actively test your systems (bluescreen possibility), it's an excellent chance to learn more about the "ghost of SMB3".

SMBGhost_RCE_PoC

RCE PoC for CVE-2020-0796 "SMBGhost"

For demonstration purposes only! Only use this as a reference. Seriously. This has not been tested outside of my lab environment. It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die.

Now that that's out of the way....

Windows Security Alert: Core System File Zero-Days Confirmed Unpatched


Davey Winder, Senior Contributor, is reporting about 4 new 0-days at Forbes:

A core Windows system file called splwow64.exe, which is a printer driver host for 32-bit apps. The Spooler Windows OS (Windows 64-bit) executable enables 32-bit applications to be compatible with a 64-bit Windows system. CVE-2020-0915, CVE-2020-0916 and CVE-2020-0986 all impact that splwow64 Windows system file. All three are classified as high on the CVE severity scoring system with a 7.0 rating.
[…]
The last of the zero-day vulnerabilities publicly disclosed by ZDI does not have a CVE number, only a ZDI one of ZDI-20-666. This is another privilege escalation vulnerability, but this time within the handling of WLAN connection profiles. An attacker would have to create a malicious profile that would then enable them to disclose credentials for that computer account, which can then be leveraged in an exploit. Although also rated high by ZDI, this vulnerability was not determined to be severe enough for fixing "in the current version" by Microsoft, which closed the case without providing a patch.

ID / action / mitigation / risk ("priv. escalation")

CVE-2020-0915 (ZDI-20-662)
Action: The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to disclose information from low integrity in the context of the current user at medium integrity.
Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.
Risk: This vulnerability allows local attackers to disclose information on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2020-0986 (ZDI-20-663)
Action: The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to disclose information from low integrity in the context of the current user at medium integrity.
Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.
Risk: This vulnerability allows local attackers to disclose information on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2020-0915 (ZDI-20-664)
Action: The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to disclose information from low integrity in the context of the current user at medium integrity.
Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.
Risk: This vulnerability allows local attackers to disclose information on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2020-0916 (ZDI-20-665)
Action: The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to disclose information from low integrity in the context of the current user at medium integrity.
Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.
Risk: This vulnerability allows local attackers to disclose information on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

ZDI-20-666 (no CVE number)
Action: The specific flaw exists within the handling of WLAN connection profiles. By creating a malicious profile, an attacker can disclose credentials for the machine account. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of an administrator.
Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.
Risk: This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.


Apple releases iOS 13.5 to the public with Exposure Notification API, Face ID enhancements, more

Probe opened after mosques blare ‘Bella Ciao’ from minarets in Turkey’s west

The Italian resistance song "Bella Ciao" (in a Turkish version) was broadcast from several mosques in the Izmir area on May 21st 2020, the Hurriyet reported.

İzmir Provincial Religious Directorate initially denied reports of such a broadcast by issuing a statement on its social media account, however, it later removed this post.

“According to our initial analysis, unidentified people sabotaged our central adhan [call to prayer] system in an illegal way,” the directorate said in a second statement.

Sourcecode: Corona-Warn-App Server

SAP is sharing its alpha-state code of the Corona-Warn-App that might be made available for Germany. Have a look at the code and find out what it does with your personal data, and how.

The goal of this project is to develop the official Corona-Warn-App for Germany based on the exposure notification API from Apple and Google. The apps (for both iOS and Android) use Bluetooth technology to exchange anonymous encrypted data with other mobile phones (on which the app is also installed) in the vicinity of an app user's phone. The data is stored locally on each user's device, preventing authorities or other parties from accessing or controlling the data. This repository contains the implementation of the server for encryption keys for the Corona-Warn-App. This implementation is still a work in progress, and the code it contains is currently alpha-quality code.

BIAS: Bluetooth Impersonation AttackS

Daniele Antonioli, Nils Ole Tippenhauer and Kasper Rasmussen have discovered a flaw within the BT stack that allows an attacker to fake an already authenticated (paired) connection to be established with a new device by sniffing the traffic between two devices in the pairing process.

So be careful when pairing devices while sitting in public places. The sniffed data could be used to pair an unknown device without your knowledge as well.


easyJet Loses 9 Million Customers’ Data To Hackers

Our investigation found that the email address and travel details of approximately 9 million customers were accessed. These affected customers will be contacted in the next few days. If you are not contacted then your information has not been accessed.  Other than as referenced in the following paragraph, passport details and credit card details of these customers were not accessed. 

[…]

There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.  We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications. We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.

Massive ssh attacks ongoing, so check your logfiles...

Golem reported that high-performance computers have seen massive SSH attacks. So it might be worth monitoring your own SSH connections to the outside world for such attacks as well.

In several European countries, high-performance computers have been temporarily switched off after hacker attacks. The Leibniz Supercomputer Center in Garching near Munich, the Hawk computer at the High Performance Computing Center in Stuttgart and the Jureca, Judac and Jewels computers at the computer center in Jülich are said to be affected by the incidents. Heise Security first reported on Thursday. Germany's fastest supercomputer Hawk was only put into operation at the end of February 2020.
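As an added defender's example (not from the Golem or heise reports, nor from any of the affected centres), a small Python detector that parses constructed OpenSSH auth.log lines and flags source addresses that look like a brute-force run, a password spray, or a login that succeeded after repeated failures; the host name, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# One pattern for both outcomes as OpenSSH logs them to auth.log via syslog.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+")

def analyse(lines, max_failures=3, max_users=2):
    """Return {ip: finding} for sources that look like an attack: more than
    max_failures failed logins (brute_force), more than max_users distinct
    account names (password_spray), or an accepted login after at least
    max_failures failures (success_after_failures, investigate that first)."""
    failures = defaultdict(list)   # ip -> account names that failed
    successes = defaultdict(list)  # ip -> account names that were accepted
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        bucket = failures if m["result"] == "Failed" else successes
        bucket[m["ip"]].append(m["user"])
    findings = {}
    for ip, users in failures.items():
        reasons = []
        if len(users) > max_failures:
            reasons.append("brute_force")
        if len(set(users)) > max_users:
            reasons.append("password_spray")
        if ip in successes and len(users) >= max_failures:
            reasons.append("success_after_failures")
        if reasons:
            findings[ip] = {"failures": len(users), "distinct_users": len(set(users)),
                            "accepted_as": successes[ip], "reasons": reasons}
    return findings

# Constructed sample log (RFC 5737 documentation addresses, invented host name).
SAMPLE_LOG = """\
May 14 03:12:01 hpc01 sshd[4120]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 14 03:12:03 hpc01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
May 14 03:12:05 hpc01 sshd[4122]: Failed password for invalid user oracle from 203.0.113.7 port 51251 ssh2
May 14 03:12:08 hpc01 sshd[4123]: Failed password for root from 203.0.113.7 port 51263 ssh2
May 14 03:12:11 hpc01 sshd[4124]: Accepted password for root from 203.0.113.7 port 51270 ssh2
May 14 03:15:40 hpc01 sshd[4130]: Failed password for alice from 198.51.100.2 port 40012 ssh2
May 14 03:15:44 hpc01 sshd[4131]: Accepted publickey for alice from 198.51.100.2 port 40012 ssh2
May 14 03:20:02 hpc01 sshd[4140]: Failed password for invalid user pi from 192.0.2.9 port 60001 ssh2
"""

if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

On a real host, feed it `/var/log/auth.log` (or `journalctl -u ssh`) instead of `SAMPLE_LOG`; a single typo followed by a key login, as for alice above, is deliberately not flagged.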

Microsoft first shows DNS over HTTPS in Windows 10 Insider Preview Build 19628

We’re adding initial support for DNS over HTTPS, so that you can opt into using encryption when Windows makes DNS queries. Follow the instructions in this blog post to opt in as it will be off by default.


Cuckoo2GO: A VMWare install of Cuckoo using a nested VirtualBox to analyze

Have a look at the article I wrote within the Malware section on how to set up a VirtualBox analysis inside a Cuckoo running in VMware:

Cuckoo2GO: VMware Cuckoo with a nested VirtualBox analysis

Autopsy: One day online course for free (until 15th May 2020)

Thanks to Autopsy for providing a one-day Autopsy online course for free.

Indeed a perfect way to spend Covid-19 time with something very useful.
Although I used Autopsy a lot in the past, I still got (and get) new things to learn from the course.

I've passed the GCFA Exam successfully.


… and won the trophy of being part of the "best group"

To support the community for the help I received, I've published my learning notes and writings within my "Self study" section.


Some cool Windows Usecases for Splunk


Windows UseCases

Found an excellent list of cheat sheets at Malware Archaeology and took the Splunk sheet as the source for compiling a list of use cases that make a good starting point in Splunk. Although I have a lot of them in use, listing those would disclose some critical information. But my page shows the cool stuff from MA.

Check the original cheat sheets from Malware Archaeology at:

Cheat Sheets to help you in configuring your systems:

MITRE ATT&CK Cheat Sheets
