Det. Eng. Weekly #87 - I'm downgrading the severity of the CUPS vulns
Only because no one has ever figured out how to print on a Linux desktop
Welcome to Issue #87 of Detection Engineering Weekly!
⏪ Did you miss the previous issues? I'm sure you wouldn't, but JUST in case:
📣 Shameless Advisor Plug 📣
I've been advising a stealth-mode cybersecurity company focused on reducing toil and accelerating triage and investigation in security operations. They use a combination of data normalization, generative AI, and integrating with security stacks to make investigating less painful for analysts, which is a topic near and dear to my heart.
Their product is already live with a few early adopters, and they're looking to connect with interested security practitioners. I'd be grateful for folks who provide early feedback, validate their solution and positioning, or even be an early design partner. If you are in a SOC, work with an MSSP/MDR or want to kick the tires on how AI can help with investigations, they want to talk to you.
Shoot me an email techy@detectionengineering.net with your name/company/position and I'll forward your info over! Free stickers and a t-shirt for folks who connect and give them valuable feedback :)
💎 Detection Engineering Gem 💎
Tracking cloud-fluent threat actors - Part one: Atomic cloud IOCs by Merav Bar and Amitai Cohen
As the threat landscape evolves into the cloud, so should our defensive measures in the detection space. This is an excellent overview of how cloud environments such as AWS can offer different telemetry and indicators of compromise than we are used to seeing in a pure host and networking world. Malicious tenants can establish a trust relationship with your cloud account, or a threat actor could be using well-known tooling sold on the criminal underground to add a very obvious (at least to us blue team nerds) user that should not be present in your account.
I also appreciated how Bar and Cohen talked about traditional indicators in a cloud context. Because this operating environment is so different, you need to incorporate the context of a production stack into things that may not be as high-signal in a "traditional sense," such as user agents.
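To make the "atomic cloud IOC" idea concrete, here is an added example (not code from the Wiz post or from this newsletter) that runs three checks over a handful of constructed CloudTrail-style records: a role trust policy that names an account you do not own, an IAM user being created in an account that should have none, and write activity from a user agent your production stack never uses. The event and parameter names follow CloudTrail's IAM naming; the account IDs, role and user names, and the allowlist of deployment user agents are assumptions made up for the example.

```python
"""Atomic cloud IOC checks over constructed CloudTrail-style events (added example)."""
import json

# Assumptions for this example: the account is deployed only by Terraform and
# the AWS CLI, and only our own account may appear as a trust-policy principal.
TRUSTED_ACCOUNTS = {"111111111111"}                        # constructed account ID
EXPECTED_AGENT_PREFIXES = ("APN/1.0 HashiCorp/1.0 Terraform", "aws-cli/2.")


def principal_accounts(policy_json: str) -> set[str]:
    """Return the AWS account IDs (or '*') named as principals in a trust policy.

    Principals appear as bare account IDs or inside ARNs such as
    arn:aws:iam::222222222222:root, where the account is the 5th ':'-field.
    """
    accounts: set[str] = set()
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*":
                accounts.add("*")          # anyone may assume the role
                continue
            acct = p.split(":")[4] if p.startswith("arn:") else p
            if acct.isdigit() and len(acct) == 12:
                accounts.add(acct)
    return accounts


def triage(events: list[dict]) -> list[dict]:
    """Apply the three atomic checks and return one finding per rule hit."""
    findings = []
    for ev in events:
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        agent = ev.get("userAgent", "")
        who = ev.get("userIdentity", {}).get("arn", "?")

        # 1. A trust relationship extended to a tenant we do not control.
        doc = params.get("policyDocument") or params.get("assumeRolePolicyDocument")
        if name in ("UpdateAssumeRolePolicy", "CreateRole") and doc:
            foreign = principal_accounts(doc) - TRUSTED_ACCOUNTS
            if foreign:
                findings.append({"rule": "external_trust", "event": name,
                                 "detail": f"{params.get('roleName')} trusts {sorted(foreign)}"})

        # 2. A new IAM user in an account that is supposed to have none.
        if name == "CreateUser":
            findings.append({"rule": "new_iam_user", "event": name,
                             "detail": f"{params.get('userName')} created by {who}"})

        # 3. Write activity from a user agent the production stack never uses.
        #    Missing readOnly is treated as a write so nothing slips through.
        if not ev.get("readOnly", False) and not agent.startswith(EXPECTED_AGENT_PREFIXES):
            findings.append({"rule": "unexpected_user_agent", "event": name,
                             "detail": f"{agent!r} used by {who}"})
    return findings


def _trust(account_arn: str) -> str:
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": account_arn}}]})


# Constructed sample records; all identifiers are invented.
SAMPLE_EVENTS = [
    {   # Terraform legitimately creates a role that trusts our own account.
        "eventName": "CreateRole", "readOnly": False,
        "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.9.5",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ci-deploy/run-42"},
        "requestParameters": {"roleName": "app-reader",
                              "assumeRolePolicyDocument": _trust("arn:aws:iam::111111111111:root")}},
    {   # Same tooling, but the trust policy now names an account we do not own.
        "eventName": "UpdateAssumeRolePolicy", "readOnly": False,
        "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.9.5",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ci-deploy/run-43"},
        "requestParameters": {"roleName": "app-reader",
                              "policyDocument": _trust("arn:aws:iam::222222222222:root")}},
    {   # Console-driven IAM user creation: obvious in an account with no humans.
        "eventName": "CreateUser", "readOnly": False,
        "userAgent": "console.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/admin/ops"},
        "requestParameters": {"userName": "backup-svc"}},
    {   # Read-only listing with an odd agent: worth logging, not a finding here.
        "eventName": "ListBuckets", "readOnly": True,
        "userAgent": "Boto3/1.34.0 md/Botocore",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/admin/ops"},
        "requestParameters": None},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['event']}: {f['detail']}")
```

The user-agent rule is the one that needs the production context the post talks about: it is only high-signal because this example's environment is assumed to be touched exclusively by Terraform and the CLI, and the allowlist has to be maintained as that stack changes.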
🔬 State of the Art
Deconstructing Security Monitoring Antipatterns by Truls TD
Antipatterns can kill productivity, reduce trust and tend to breed more use of antipatterns. This concept is pulled from other areas of engineering and design, and there are some funny posts from developers over the years describing their experience with them. Applying this same concept to threat detection, I'm sure you can come up with some scenarios where a single pattern has resulted in more cost than benefit in your org, which means you've probably found an antipattern.
Truls draws inspiration for this antipattern post from Microsoft's Cybersecurity Reference Architecture (MCRA), specifically a diagram in the MCRA that briefly describes antipatterns. They then go into a much deeper analysis of each and provide examples of why they are antipatterns to a SecOps and detection practitioner.
Hacking Kia: Remotely Controlling Cars With Just a License Plate by Sam Curry
On June 11th, 2024, we discovered a set of vulnerabilities in Kia vehicles that allowed remote control over key functions using only a license plate.
OK, I can't spoil this because it's a great vulnerability writeup, and I want all those who read it to bask in the glory of responsible disclosure combined with eye-twitching product decisions.
Probing Slack Workspaces for Authentication Information and other Treats by Andrew Byford
This is a neat OSINT technique for finding ways to infiltrate or protect a Slack workspace. Slack has an unauthenticated API per workspace that, when probed, can give you some information on how the owners configured that workspace. Two-factor settings, auto-provision settings for domains and join URLs can be just enough information for someone to socially engineer their way in, or, as Byford hypothesizes, abuse the APPROVED_DOMAINS flag to gain access. Their tool can also authenticate to your Slack workspace and use the API to do all kinds of discovery of secrets, files and other data based on how you configure it.
Ping Storms at GreyNoise by David Schuetz
I have fond memories of doing David Schuetz's crypto puzzles at ShmooCon. I thought they had the right level of difficulty that, as a security n00b in the early 2010s, I could try to solve them. He was very helpful at the con if you were stuck. Well, it's cool seeing how the puzzle maker solves a puzzle because Schuetz cracked a puzzle that GreyNoise has been stumped on.
tl;dr: according to GreyNoise, Noise Storms have been making their way through the Internet since they started tracking them in 2020. It looked like an unsolved riddle as to what the hell they are, and an unsolved riddle is merely a puzzle, according to Schuetz :). It boiled down to a tooling and packet interpretation problem. Schuetz "cracked" the code and, at the end of his investigation, found a peculiar academic exercise performing some of these storms.
Announcing LOLRMM: A Unified Approach to RMM Software Tracking by Michael Haag
RMMs are an extremely useful tool for threat actors to persist in an environment, and even use it for ongoing operations. Will Thomas has mapped dozens of these tools into ransomware gang and nation state usage. So why not store it on the lolfarm and make it free for everyone to use? Luckily, the good folks at Magicswordio did just that! LOLRMM is a database and website that stores all kinds of data on RMM tools, with associated artifacts and tools to help you with detection and hunting.
🎙️ Detection Engineering Media
If you want a breakdown of how MFA bypasses work in the modern age, this podcast episode by the Mandiant folks gives a great technical breakdown of infostealer and attacker-in-the-middle tools that abuse the architecture behind MFA to bypass it. I'm glad that the guest, Josh Fleischer, went into detection opportunities at the network level, because it only takes one trip-up to force a step-up authentication that kicks an attacker out once they get past MFA.
In this Detection at Scale episode, Thijn Bukkems, who runs threat hunting at Grammarly, describes his approach to threat detection, hunting, and the organizational structures behind them. His emphasis on working backward from a response scenario into detection mechanisms was a nice "a-ha" moment for me, because it focuses on the outcomes we want to drive when shit hits the fan rather than trying to piece together several detection strategies and hoping it works when an incident is ongoing.
☣️ Threat Landscape
Remote execution exploit chain in CUPS: Overview, detection, and remediation by Christophe Tafani-Dereeper and Nick Frichette
~ Note, I work at Datadog and Christophe/Nick are my colleagues ~
For the last three years, about once every three months, an insanely hyped, stress-inducing, and massively impactful vulnerability has been dropped onto security teams across the globe. There's a fog of war associated with these vulnerabilities, with questions such as: "Is this a *4shell level of impact? Do I need to stay up all night to patch? Which vendor will email me first with some dumb ambulance-chasing headline?"
Without fail, these vulnerabilities both astonish and disappoint me. In the latest emerging vulnerability-du-jour, CUPS is the target: the service used for printing on Linux across a huge range of kernel and distro types. My colleagues rushed to measure the surface and impact. They were amazed at the simplicity of the vulnerability (a malicious print job, essentially) but underwhelmed by its hype due to the exploit pre-conditions. This is a great tl;dr synopsis of the whole thing and its effects on the cloud world.
Further Evil Corp cyber criminals exposed, one unmasked as LockBit affiliate by National Crime Agency
NCA releases the hounds and publishes their research and indictments against more EvilCorp members, this time targeting a LockBit affiliate who was Yakubets' right-hand man. Ryzhenkov was one of the main developers of Evil Corp's ransomware strains, was part of LockBit, and also either operated or used the BitPaymer ransomware against several victims in the U.S.
Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware by The DFIR Report
Yet another excellent intrusion writeup by friends at The DFIR Report. From initial access leveraging Nitrogen dropped in a fake tool download to ransomware 8 days later, it’s cool to see a full forensic analysis coupled with detection opportunities. The interesting tidbit here is the use of restic for exfiltration.
Three IRGC Cyber Actors Indicted for ‘Hack-and-Leak’ Operation Designed to Influence the 2024 U.S. Presidential Election by U.S. Department of Justice
The Justice Department has named and shamed the hack-and-leak actors who most likely stole documents from Roger Stone and other Trump campaign officials. It's nice to see how much we've learned from the 2016 DNC hacks and tried not to politicize this or call for arrests. I think an indictment this quickly is a result of all of those learnings.
🔗 Open Source
slack-watchman by PaperMtn
I linked PaperMtn's blog on Slack Watchman above, but this is essentially a Slack posture management and alerting tool. It leverages native Slack APIs to find secrets and sensitive attachments and hopefully helps reduce the OSINT footprint of your Slack workspaces.
WhoYouCalling by H4NM
This is a neat forensics and reversing tool that you point at a Windows binary and it’ll generate a full pcap and some ETW events for additional analysis.
NamelessC2 by trickster0
Yet-another-C2, but built in Rust with a small footprint (<256kb). I like reading code from the smallest/unknown to the largest C2 frameworks because you start to see patterns in detection within the tools and across common implementations.
dockerhoneypot-logs by silascutler
Friend of the newsletter Silas Cutler just dropped a few years' worth of Docker honeypot logs. Really cool dataset for folks who want to track how Docker botnet and malware campaigns target this technology.