SecPro #45: Launching Weekly Insider Subscription, Examining Spring4Shell, Obfuscating your Data
Hey ,
Over the past eight months, we have turned the SecPro newsletter into a thriving community with an extraordinary 11,000 strong vetted community of leading security practitioners built on sharing experiences and peer community value. The support and feedback you’ve shared with us has been amazing, but we are also aware that many of you face the same challenges and pain points in your day-to-day life and career.
So we want to offer you a little something extra.
Starting next week, we will be starting a paid expansion in the SecPro newsletter. Weekly Roundup readers will still receive a free version of the newsletter with the latest industry analysis, News Bytes roundups, and Secret Knowledge tool recommendations every Monday, but for people who need a deeper understanding of the emerging threats and improving your security posture, we’ve got you covered!
The Weekly Insider is a club for battle-hardened cybersecurity professionals who need access to project-based tutorials, malware analysis deep dives, vulnerability breakdowns, Community Wisdom, and other features that we’re excited to include for only $4.99/month. For the price of a single cup of coffee, you get a newsletter that delivers technical analysis and tutorials which could be spread across four or five different books.
Not only that, but we are also offering a few special goodies to all paid subscribers:
- Exclusive, private community of serious security professionals focused on shared learning, challenges, techniques, and deep dives on topics.
- Opportunity to win Amazon vouchers and participate in reward programs.
- Choice of winning any two Packt ebooks or videos of choice every month.
If you’re interested in staying ahead of the game in the world of cybersecurity, head over to the new and improved SecPro website to see exactly how our team plans to answer the issues you face every day.
If you’re asking, “why should I subscribe?”, we are committed to creating a newsletter that cuts the noise and delivers more signal, context, and depth. You already know that we have used shared experiences and peer community values to give sensible, actionable advice from a vendor-neutral perspective. We do not rely on advertising money, so you know that the SecPro team only gives you advice that helps you get better at your job.
Cheers!
Austin
Editor-in-Chief
Exploit Analysis
Spring4Shell – Not Quite as Fictional as We First Thought
By Austin Miller
When another vulnerability with -4Shell caught my attention, I was a little suspicious. Could this seriously be as potentially damaging as the infamous Log4Shell? And the initial prognosis from the wider cybersecurity community confirmed my suspicions – it seemed to only affect a particular custom configuration of Java Spring Boot, meaning that most people would be safe.
Here we are a week later and there have been numerous exploits uploaded to GitHub showing exactly how the adversary can exploit systems running this vulnerable version of Spring. To make matters worse, these exploits have been leaked and anyone running this suspect Spring software is in danger of being exploited. For that reason, IT teams are now back on red alert. But how does Spring4Shell work and how can we check for this exploit in our own systems?
Want to find out more about Spring4Shell? Click the link below for the full article!
Threat Intelligence
Okta breach – a View of the Genesis Market Place
The Okta breach, without doubt, is InfoSec World’s number one breach of 2022. At least, for now. Although brilliant in terms of publicity that the breach generated for the Hackers, it wasn’t rocket science. Not even a master criminal or two at work to pull it off. Audacious of course, hacking one of the foremost Identity & Access Management Providers takes some nerve, if not ‘brass neck’.
Today I’m not going to focus on the actual attack or the various stages of it, but if you haven’t read the Intrusion Timeline here’s a quick summary; upon initial compromise, the attackers (literally) used a search engine to find a Privilege escalation tool then quickly followed by another Bing Search to find a Process Explorer tool. Process Hacker duly downloaded from GitHub and it was seemingly quite easy enough to stop the XDR agent from finally downloading Mimikatz used to escalate privileges. Off the shelf tools, Bing & GitHub – breach did.
As I said, Okta isn’t the real focus and not the moral of this story. What we know is that the group previously took the credit in a blaze of glory for breaching EA Games security and allegedly gaining access to game source code and other related internal tools. Some of the code for FIFA 2021, Battlefield, and tools for the Frostbite Engine. In all 780Gb of data was claimed to have been compromised with the sale of EA Proprietary Frameworks, SDKs. All of which was then advertised for sale in various hacking forum posts.
Want to find out more about the Genesis Market Place? Click the link below for the full article!
MITRE ATT&CK
T1027: Obfuscated Files or Information
By Austin Miller
Obfuscation, a word you will only ever find in cybersecurity documents. Obfuscated (or obscuring) malware allows various types of information to be covertly transmitted to systems, creating a Trojan horse to the adversary’s Troy-invading malicious files. As you would expect, a Trojan horse virus is a clear example of obfuscation but understanding other forms of trickery is key to effective cybersecurity work.
Hiding malicious files, code, commands, configurations, and other information was a key part of 13% of all malware samples analyzed by Picus and is a common tactic for defense evasion. Changing the form and size of data, hiding known malicious elements, and obscuring or removing indicators are all tools in the adversary’s kit, so understanding the various tactics they use is key to improving your security posture
Want to know how the adversary exploits obfuscated files? Click the link below for the full article!
News Bytes
Malicious APK setting up suspicious C2 server
It appears to be a bad week for Android users as yet another critically dangerous piece of malware has been found to be targeted attacks on the Google-owned software. This time, the malware installs a program named Process Manager and gains 18 permissions. This is concerning behavior on its own, but it also adds information about calls, the contact list, and other files before collecting all files on the device, saving information to the JSON files, and reporting to a C2 server.
At present, this Process Manager application is installed alongside the Roz Dhan: Earn Wallet cash application. At first appearance, this seems to be another case of hackers taking aim at cryptocurrency enthusiasts that are wanting to make some easy money with various attacks.
Want to catch up on some more news from the week gone by? Click the link below!
Secret Knowledge: Building Your Security Arsenal
Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.
Smart Contract Security
- OpenZeppelin/openzeppelin-contracts: OpenZeppelin Contracts is a library for secure smart contract development.
- SmartContractSecurity/SWC-registry: Smart Contract Weakness Classification and Test Cases.
- ConsenSys/blockchainSecurityDB: The Blockchain Security Database is an open-source database created by ConsenSys Diligence to act as a repository of security information organized by projects.
Web Application Security
- espreto/wpsploit: WPSploit – Exploiting WordPress With Metasploit.
- RUB-NDS/WS-Attacker: WS-Attacker is a modular framework for web services penetration testing. It is developed by the Chair of Network and Data Security, Ruhr University Bochum (https://nds.rub.de/) and the Hackmanit GmbH (https://www.hackmanit.de/).
- wpscanteam/wpscan: WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.
Incident Response
- ReadyResponder/ReadyResponder: Local Incident Management System – This is used for tracking resources for Local Emergency Management.
- dastergon/wheel-of-misfortune: A role-playing game for incident management training.
- mitre/caldera: CALDERA is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response. It is built on the MITRE ATT&CK framework and is an active research project at MITRE.