Monday, October 31, 2022

CISA Releases Guidance on Phishing-Resistant and Numbers Matching Multi-Factor Authentication

The Cybersecurity and Infrastructure Security Agency (CISA) released a released two fact sheets to give IT leaders and network defenders an improved understanding of current threats against accounts and systems that use multi-factor authentication (MFA), Implementing Phishing-Resistant MFA and Implementing Number Matching in MFA Applications.

 

 

 

 

 

Friday, October 28, 2022

Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity

 Here is a post from Microsoft that I feel you should know about


Microsoft has discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread. These infections lead to follow-on hands-on-keyboard attacks and human-operated ransomware activity. Our continuous tracking of Raspberry Robin-related activity also shows a very active operation: Microsoft Defender for Endpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days.

Raspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red Canary first reported it in May 2022, to one of the largest malware distribution platforms currently active. In July 2022, Microsoft security researchers observed devices infected with Raspberry Robin being installed with the FakeUpdates malware, which led to DEV-0243 activity. DEV-0243, a ransomware-associated activity group that overlaps with actions tracked as EvilCorp by other vendors, was first observed deploying the LockBit ransomware as a service (RaaS) payload in November 2021. Since then, Raspberry Robin has also started deploying IcedID, Bumblebee, and Truebot based on our investigations.

In October 2022, Microsoft observed Raspberry Robin being used in post-compromise activity attributed to another actor, DEV-0950 (which overlaps with groups tracked publicly as FIN11/TA505). From a Raspberry Robin infection, the DEV-0950 activity led to Cobalt Strike hands-on-keyboard compromises, sometimes with a Truebot infection observed in between the Raspberry Robin and Cobalt Strike stage. The activity culminated in deployments of the Clop ransomware. DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages.

Given the interconnected nature of the cybercriminal economy, it’s possible that the actors behind these Raspberry Robin-related malware campaigns—usually distributed through other means like malicious ads or email—are paying the Raspberry Robin operators for malware installs.

Raspberry Robin attacks involve multi-stage intrusions, and its post-compromise activities require access to highly privileged credentials to cause widespread impact. Organizations can defend their networks from this threat by having security solutions like Microsoft Defender for Endpoint and Microsoft Defender Antivirus, which is built into Windows, to help detect Raspberry Robin and its follow-on activities, and by applying best practices related to credential hygiene, network segmentation, and attack surface reduction.

In this blog, we share our detailed analysis of these attacks and shed light on Raspberry Robin’s origins, since its earliest identified activity in September 2021, and motivations which have been debated since it was first reported in May 2022. We also provide mitigation guidance and other recommendations defenders can use to limit this malware’s spread and impact from follow-on hands-on-keyboard attacks.

A new worm hatches: Raspberry Robin’s initial propagation via USB drives

In early May 2022, Red Canary reported that a new worm named Raspberry Robin was spreading to Windows systems through infected USB drives. The USB drive contains a Windows shortcut (LNK) file disguised as a folder. In earlier infections, this file used a generic file name like recovery.lnk, but in more recent ones, it uses brands of USB drives. It should be noted that USB-worming malware isn’t new, and many organizations no longer track these as a top threat.  

For an attack relying on a USB drive to run malware upon insertion, the targeted system’s autorun.inf must be edited or configured to specify which code to start when the drive is plugged in. Autorun of removable media is disabled on Windows by default. However, many organizations have widely enabled it through legacy Group Policy changes.

There has been much public debate about whether the Raspberry Robin drives use autoruns to launch or if it relies purely on social engineering to encourage users to click the LNK file. Microsoft Threat Intelligence Center (MSTIC) and Microsoft Detection and Response Team (DART) research has confirmed that both instances exist in observed attacks. Some Raspberry Robin drives only have the LNK and executable files, while drives from earlier infections have a configured autorun.inf. This change could be linked to why the names of the shortcut files changed from more generic names to brand names of USB drives, possibly encouraging a user to execute the LNK file.

Upon insertion of the infected drive or launching of the LNK file, the UserAssist registry key in Windows—where Windows Explorer maintains a list of launched programs—is updated with a new value indicating a program was launched by Windows. 

This diagram shows the linear progression of earlier Raspberry Robin infections.
Figure 1. Attack chain of the original Raspberry Robin infections

The UserAssist key stores the names of launched programs in ROT13-ciphered format, which means that every letter in the name of the program is replaced with the 13th letter in the alphabet after it. This routine makes the entries in this registry key not immediately readable. The UserAssist key is a useful forensic artifact to demonstrate which applications were launched on Windows, as outlined in Red Canary’s blog.

Windows shortcut files are mostly used to create an easy-to-find shortcut to launch a program, such as pinning a link to a user’s browser on the taskbar. However, the format allows the launching of any code, and attackers often use LNK files to launch malicious scripts or run stored code remotely. Raspberry Robin’s LNK file points to cmd.exe to launch the Windows Installer service msiexec.exe and install a malicious payload hosted on compromised QNAP network attached storage (NAS) devices.

Screenshot of command lines where Raspberry Robin uses the Windows installer service to connect to an external domain.
Figure 2. Examples of URLs connecting to an external domain

Once the Raspberry Robin payload is running, it spawns additional processes by using system binaries such as rundll32.exeodbcconf.exe, and control.exe to use as living-off-the-land binaries (LOLBins) to run malicious code. Raspberry Robin also launches code via fodhelper.exe, a system binary for managing optional features, as a user access control (UAC) bypass.

The malware injects into system processes including regsvr32.exerundll32.exe, and dllhost.exe and connects to various command-and-control (C2) servers hosted on Tor nodes.

In most instances, Raspberry Robin persists by adding itself to the RunOnce key of the registry hive associated with the user who executed the initial malware install. The registry key points to the Raspberry Robin binary, which has a random name and a random extension such as .mh or .vdm in the user’s AppData folder or to ProgramData. The key uses the intended purpose of regsvr32.exe to launch the portable executable (PE) file, allowing the randomized non-standard file extension to launch the executable content. 

Screenshot of the contents of the RunOnce registry key where the value points to the randomly-named Raspberry Robin file.
Figure 3. Example of the contents of the RunOnce key

Entries in the RunOnce key delete the registry entry prior to launching the executable content at sign-in. Raspberry Robin re-adds this key once it is successfully running to ensure persistence. After the initial infection, this leads to RunOnce.exe launching the malware payload in timelines. Raspberry Robin also temporarily renames the RunOnce key when writing to it to evade detections.

Read the full article here

Wednesday, October 26, 2022

WiFi Exploitation Framework (WEF)

 A fully offensive framework to the 802.11 networks and protocols with different types of attacks for WPA/WPA2 and WEP, automated hash cracking, bluetooth hacking and much more.

Tested and supported in Kali LinuxParrot OS and Arch Linux.

 SUPPORTED ATTACKS:

  • Deauthentication Attack

  • Authentication Attack

  • Beacon Flood Attack

  • PMKID Attack

  • EvilTwin Attack

  • Passive/Stealthy Attack

  • Pixie Dust Attack

  • Null Pin Attack

  • WEP Protocol Attacks

  • Michael Exploitation Attack

  • Jamming, Reading and Writing bluetooth connections (Not finished)

  • GPS Spoofing with HackRF

 FEATURES:

☑️ Descriptives attack logs

☑️ WPA/WPA2, WPS and WEP Attacks

☑️ Auto handshake cracking

☑️ Multiple templates for EvilTwin attack

☑️ Check monitor mode and its status

☑️ 2.4Ghz and 5Ghz attacks

☑️ Custom wordlist selector

☑️ Auto detect requirements

To learn more and to install go here

NIST Releases Draft NIST IR 8408: Understanding Stablecoin Technology and Related Security Considerations

The initial public draft of NIST IR 8408, Understanding Stablecoin Technology and Related Security Considerations, is available for comment. Stablecoins are a type of cryptocurrency that aim to maintain a stable price relative to a specified asset (usually a fiat currency). Much has been written about how to use stablecoins and about the economic implications of doing so (specifically price variability), but little has been written on the technical mechanisms and architectures used and related security considerations. NIST IR 8408 addresses this by providing an evaluation of the technical design of different stablecoin architectures along with related security analyses.

The public comment period for this initial public draft is open through January 6, 2023. See the publication details for a copy of the draft and instructions for submitting your comments.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Read More



Adalanche Open Source a toll for understanding Active Directory

 Adalanche gives instant results, showing you what permissions users and groups have in an Active Directory. It is useful for visualizing and exploring who can take over accounts, machines or the entire domain, and can be used to find and show misconfigurations.

Active Directory security is notoriously difficult. Small organizations generally have no idea what they're doing, and way too many people are just added to Domain Admins. In large organizations you have a huge number of people with different needs, and they are delegated access to varying degrees of power in the AD. At some point in time, someone makes a mistake, and that can cost you dearly.

Download

Adalanche is an all-in-one binary - it collects information from Active Directory or from local Windows machines and can the analyze the collected data. If you're only doing AD analysis, just grab the binary for your preferred platform. Later you can deploy the dedicated collector .exe for your Windows member machines via a GPO or other orchestration and get even more insight.

Download either the latest release or the build of the latest commit from Releases. Usually running with the latest commit is fine, but there might be a problem here and there. Releases are considered stable and are for the less adventurous.


Go here to download from GitHub 

NOTICE this tool should be used only if authorized.

Is it dangerous to run adalanche?

No, it is not. Running adalanche requires nothing more than a regular user account, and works by connecting to Active Directory services and querying (reading) data from the LDAP object store, and by reading files from the SYSVOL file share (optional). This data is available to all users, and is also what attackers use to do initial reconnaissance.

PowerShell Training Info


800 XP

Introduction to PowerShell

Learn about the basics of PowerShell. This cross-platform command-line shell and scripting language is built for task automation and configuration management. You'll learn basics like what PowerShell is, what it's used for, and how to use it.

Learning objectives

After completing this module, you'll be able to:

  • Understand what PowerShell is and what you can use it for.
  • Use commands to automate tasks.
Start

Prerequisites

  • Basic familiarity with using a command-line shell like Command Prompt or Git Bash
  • Visual Studio Code installed
  • Ability to install Visual Studio Code extensions
  • Ability to install software on your computer, if you're not using a Windows operating system

This module is part of these learning paths


Other sites 

 1. PowerShell tutorial for beginners - https://lnkd.in/ezsh8qE6

2. Learn PowerShell in a month of lunches -https://lnkd.in/eDCN-av6

3. PowerShell.org’s YouTube - https://lnkd.in/eAs-zExH
4. The DevOps collective inc. - https://lnkd.in/e_4U6Da3
5. All things PowerShell by Shane Young - https://lnkd.in/e5eQz2Su
6. PowerShell for beginners - https://lnkd.in/eKJDJxC2
7. Coursesity- https://lnkd.in/eyvcdJgJ
8. Using Powershell in Cybersecurity - https://lnkd.in/eYsVz48K
9. PowerShell Masterclass Fundamentals - https://lnkd.in/eR8J6YHN
10. Essential Tools for Windows System Administrators - https://lnkd.in/ekSP6zch