Welcome to Issue #96, the Sorry I’m Late Edition of Detection Engineering Weekly!
Sorry I’m late. I’ve had a ton of travel and got pretty sick after my re:Invent trip. I’ll be continuing this into next week for Issue 97 on December 18, and then will be taking a week off to spend time with family for the holidays. Issue 98 drops on January 1 (New Year’s!)
Catch me on BlueSky, how bout dat
For those on BlueSky, I made a “Starter Pack” for detection engineering. You press one button and can follow some of the best detection engineering and threat research minds on the new social network.
Check it out here → https://bsky.app/starter-pack-short/HenXJUR
💎 Detection Engineering Gem 💎
The dark cloud around GCP service accounts by Dave Bogle
Some of my favorite research projects I've worked on started with the question, "Wait, why does this work?" You'd imagine it's the other way around, where something is broken, and you ask, "Why doesn't this work?" However, the former question allows you to challenge a singular assumption or hypothesis, which is among the most efficient ways to perform research.
I love this post because it goes from a weird GCP behavior that's a potential platform vulnerability to detection opportunities. The walkthrough is super practical and has you run through cloud commands to reach the same weird configuration setup that Bogle discovered. Basically, you can create an Access Token for a service account in Google, but revoking the certificate behind the token doesn't remove the token, making it a clever persistence and defense evasion technique.
Bogle did contact the GCP team to disclose. Their answer basically said new service account creation workflows should eventually solve this problem. IMHO, this is a weak response and doesn't solve the issue of the thousands of accounts created on GCP before the "fix" went in in May 2024.
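One defender-side angle on the behavior described above: if a service account key is deleted but an access token minted from it keeps working for its lifetime, then any activity by that service account shortly after the key deletion is worth a look. The following is an added example, not code from Bogle's post; the log entries are constructed and flattened, and the assumption that real Cloud Audit Log entries expose these values under protoPayload (methodName, authenticationInfo.principalEmail, resourceName) is mine.

```python
# Constructed, flattened stand-ins for Cloud Audit Log entries (assumption: real
# entries nest these fields under protoPayload and name the owning service
# account inside the key's resourceName).
EVENTS = [
    {"ts": 0, "method": "google.iam.admin.v1.CreateServiceAccountKey",
     "principal": "admin@example.com",
     "resource": "projects/demo/serviceAccounts/ci-bot@demo.iam.gserviceaccount.com/keys/k1"},
    {"ts": 600, "method": "google.iam.admin.v1.DeleteServiceAccountKey",
     "principal": "admin@example.com",
     "resource": "projects/demo/serviceAccounts/ci-bot@demo.iam.gserviceaccount.com/keys/k1"},
    # 900 s after the key was deleted the SA is still acting: the token outlived the key
    {"ts": 1500, "method": "storage.objects.list",
     "principal": "ci-bot@demo.iam.gserviceaccount.com", "resource": "projects/_/buckets/build-artifacts"},
    # an unrelated SA at the same time should not fire
    {"ts": 1600, "method": "storage.objects.list",
     "principal": "other-sa@demo.iam.gserviceaccount.com", "resource": "projects/_/buckets/build-artifacts"},
    # well past the token lifetime: a fresh credential must be involved, out of scope here
    {"ts": 9000, "method": "storage.objects.list",
     "principal": "ci-bot@demo.iam.gserviceaccount.com", "resource": "projects/_/buckets/build-artifacts"},
]

TOKEN_TTL_SECONDS = 3600  # default lifetime of a GCP OAuth access token


def sa_from_key_resource(resource: str) -> str:
    """Pull the service account email out of '.../serviceAccounts/<email>/keys/<id>'."""
    parts = resource.split("/")
    return parts[parts.index("serviceAccounts") + 1]


def activity_after_key_deletion(events: list, ttl: int = TOKEN_TTL_SECONDS) -> list:
    """Flag any action by a service account within `ttl` seconds after one of
    its keys was deleted. Noisy if the SA still has other keys or is used via
    impersonation, so scope it to SAs whose deleted key was their only one."""
    last_delete = {}  # service account email -> timestamp of most recent key deletion
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["method"].endswith("DeleteServiceAccountKey"):
            last_delete[sa_from_key_resource(e["resource"])] = e["ts"]
            continue
        deleted_at = last_delete.get(e["principal"])
        if deleted_at is not None and 0 <= e["ts"] - deleted_at <= ttl:
            alerts.append({"sa": e["principal"], "method": e["method"],
                           "seconds_after_delete": e["ts"] - deleted_at})
    return alerts


if __name__ == "__main__":
    for alert in activity_after_key_deletion(EVENTS):
        print(alert)
```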
🔬 State of the Art
Implementing TLSH Based Detection to Identify Malware Variants by Paul Hutelmyer and Ryan Borre
Babe, wake up, a new detection engineering and research post from the Target team just dropped!
No, but seriously, if you aren't familiar with Target's infosec team, it's one of the best in the business. So, when I saw a detection post leveraging TLSH, I had to link it here and talk about it. Malware research relies a ton on cryptographic hashing: it's one of the surefire ways to find known samples within your environment. But cryptographic hashing has its uses and misuses; it is designed for the avalanche effect, where changing a single bit changes the entire digest. So if a pesky malware author pads a 0 or NULL at the end of a file, you lose out on detecting a variant.
This is where TLSH comes in. Hutelmyer and Borre discuss how locality-sensitive hashing, which answers "does this look like something else?", is helpful for detection engineering. They walk through examples using cmd.exe on Windows and show how you can use their open-source tool Strelka to leverage TLSH in malware analysis and triage.
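To make the avalanche-versus-locality contrast concrete, here is an added example (mine, not from the Target post or the TLSH project): a deliberately simplified, TLSH-style hash that buckets a sliding window of byte triplets and quantizes the bucket counts against their quartiles, compared with SHA-256 on a constructed sample, the same sample padded with NULL bytes, and an unrelated sample. Real TLSH uses 5-byte windows, a Pearson hash and a header with length and quartile ratios; use the `tlsh` package for production work.

```python
import hashlib
import random

NBUCKETS = 64


def bucket_counts(data: bytes) -> list:
    """Count byte triplets from a sliding window into NBUCKETS buckets.
    Toy mixing function; TLSH uses 5-byte windows and a Pearson hash."""
    counts = [0] * NBUCKETS
    for i in range(len(data) - 2):
        a, b, c = data[i], data[i + 1], data[i + 2]
        counts[(a * 31 + b * 7 + c) % NBUCKETS] += 1
    return counts


def lsh_digest(data: bytes) -> list:
    """Quantize each bucket into 2 bits relative to the quartiles of all
    buckets, which is how the TLSH body digest is built."""
    counts = bucket_counts(data)
    ordered = sorted(counts)
    q1, q2, q3 = ordered[NBUCKETS // 4], ordered[NBUCKETS // 2], ordered[3 * NBUCKETS // 4]
    return [0 if c <= q1 else 1 if c <= q2 else 2 if c <= q3 else 3 for c in counts]


def lsh_distance(d1: list, d2: list) -> int:
    """Sum of per-bucket differences; 0 means identical triplet distributions."""
    return sum(abs(x - y) for x, y in zip(d1, d2))


def make_sample(seed: int, size: int = 8192) -> bytes:
    """Constructed stand-in for a binary: deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


ORIGINAL = make_sample(1)
PADDED = ORIGINAL + b"\x00" * 16  # the "pad a NULL at the end" trick from the text
UNRELATED = make_sample(2)


def compare(a: bytes, b: bytes) -> dict:
    """SHA-256 is all-or-nothing; the LSH distance degrades gracefully."""
    return {"sha256_match": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
            "lsh_distance": lsh_distance(lsh_digest(a), lsh_digest(b))}


if __name__ == "__main__":
    print("padded:   ", compare(ORIGINAL, PADDED))     # sha256 differs, small distance
    print("unrelated:", compare(ORIGINAL, UNRELATED))  # sha256 differs, large distance
```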
zizmor would have caught the Ultralytics workflow vulnerability by William Woodruff
This is the most unique Detection Engineering post you will read this year. Lots of our work focuses on finding badness in things people use the most: hosts and the cloud. But what about the in-between, like CI/CD environments? Is that the host, the cloud, or something different?
Well, it turns out, it’s something different. In this post, Woodruff explores a highly technical supply-chain attack against an ultra-popular Python package, Ultralytics. The attacker poisoned several versions of Ultralytics with malware and tried to steal secrets.
The crazy part here is the infection chain. The attacker targeted the GitHub CI pipeline of ultralytics via a “pwn request,” and used that access to poison a cache token on PyPI to skip the CI/CD step altogether and push new versions.
Woodruff has an open-source tool that helps identify vulnerabilities in these pipelines that I linked below in open source.
Workshop: Kusto Graph Semantics Explained by Fabian Bader
Bader's lab writeup for his DEATHcon training is live! This cool workshop has participants exploring KQL for incident response and threat hunting. The associated workshop is in a YouTube video, so you can follow along or go through the writeup. He leaves some challenges for you to do. I particularly liked reading about the power of KQL to trace lateral movement via a graph representation instead of gnarly SQL statements.
Bitcoin Mixing Explained: Key Insights and Forensic Analysis Tips by Ervin Zubic
Have you ever wanted to ~~launder money~~ learn how threat actors use cryptocurrency mixing to conceal their spending habits? Zubic provides a fantastic introduction to this with lots of visual explanations and analogies. It's wild how deep mixing services can go to try to throw off investigators' trail. Zubic ends the blog with a helpful video on how to investigate a case involving mixing after a hack.
Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages by Ian Kretz
~ Note, I work at Datadog and Ian is my colleague! ~
I'm excited to see this go live! Datadog Security Researcher Ian Kretz has been working hard to make our open-source tool, guarddog, find a TON of badness in the package registry ecosystem. He wanted to take the capability a step further and wrap two very commonly used package managers, pip and npm, with guarddog so you can essentially block malicious installs of packages before they infect your computer, CI/CD pipeline, or production environment. It leverages our own open-source dataset of malware plus OSV to give users coverage over thousands of malware and potentially vulnerable packages.
🎙️ Detection Engineering Media
~ Note, this is me and my colleague at re:Invent! ~
If it isn't obvious, this is me presenting with my colleague Andrew at re:Invent. I went pretty deep on supply chain threats with some fun infection chains, so check it out! There is a product pitch here, but we didn't go too hard and stayed practitioner-focused.
This podcast is different from what Security Conversations usually puts out. Still, it's an important one for folks buying or building security products. RSA recently announced $5 million USD investments for each of their Innovation Sandbox finalists. Not $5 million total, but EACH.
So how does that affect who chooses to join it or not, and how can investments work for these companies that have succeeded after the sandbox? Sid Trivedi gives a VC-insider look into this whole ecosystem, and Ryan does a good job asking tough questions to help us form our own opinion on it.
☣️ Threat Landscape
Supply Chain Attack Detected in Solana's web3.js Library by Sarah Gooding
Last week and this week were chock-full of supply chain security attacks. In this scenario, an actor managed to backdoor and publish malicious versions of the Solana web3.js library which has over 350,000 weekly downloads. The malware exfiltrated private keys and made about $130,000 USD in the attack.
Declawing Pumakit by Remco Sprooten and Ruben Groenewoud
This is an excellent writeup on a rather sophisticated Linux-based rootkit that Elastic researchers called Pumakit. According to Sprooten and Groenewoud, it targets mostly older Linux kernels, since it isn’t leveraging kprobes, which makes you wonder whether it’s looking for victims in embedded devices or critical infrastructure that can’t upgrade their kernels. Once the LKM is installed, you invoke it using the rmdir syscall with a prefix of zarya (yes, the one from Overwatch) plus a command. There are lots of detection opportunities at the end, so big shoutout to Elastic :).
Nebraska Man Pleads Guilty in Multi-Million Dollar “Cryptojacking” Case by U.S. Department of Justice
I have availability bias here, but I think this is the first time I've seen a cryptojacking case going to someone in cuffs and pleading guilty. According to the statement, CP3O defrauded two cloud providers and made off with close to $3.5 million USD in proceeds doing cryptojacking. It's unclear whether they abused fraudulent accounts or hacked into victims, but I always thought cryptojacking would make you a few thousand. Maybe you can retire if you do it right!
Dozens of Machines Infected: Year-Long NPM Supply Chain Attack Combines Crypto Mining and Data Theft by Yehuda Gelb
Yet another supply chain attack: an intentionally malicious repository was leveraged as an upstream backdoor for other malicious initial access vectors. Imagine this: you install a WordPress plugin, like in this case, which is intentionally built to install a malicious npm package that steals from your environment. This is like an N+1 supply chain attack because, much like blocking a malicious domain, if you don't take down the C2 server itself, the threat actor can buy another domain and slap the C2 server behind it.
Krispy Kreme 8-K for material cyber event by Krispy Kreme
First of all, I'm so excited I just got to write "by Krispy Kreme." Second, I am not so excited that our beloved donut vendor just suffered a material breach. Not much else was disclosed, and in-person ordering is working, but there seems to be a ransomware-like event affecting online operations, so you have to order your donuts the old-fashioned way (ha).
🔗 Open Source
zizmor by woodruffw
Static vulnerability analyzer for GitHub Action pipelines. Used by Woodruff in his blog post about the ultralytics hack.
Malimite by LaurieWired
Open-source iOS decompiler built on top of Ghidra.
crxaminer by markkcc
Ruby on Rails app that scans Chrome extensions for security threats. Reminds me of CRXcavator but much newer.
BootExecuteEDR by rad9800
Yet-another-EDR-bypass, this time relying on NtProcessStartup, to execute whatever you need to before an EDR has a chance to hook into the system. Requires administrative privileges so you can flip a registry key and place a binary in System32, which I’m sure EDRs alert on!
superdeye by almounah
Another fun EDR-bypass technique. This pure Go implementation of HellHall uses indirect syscall techniques to evade any type of EDR detection.
Invoke-Stealth by JoelGMSec
Powershell script that automates obfuscating Powershell to evade those pesky SIEM vendors. According to the README, 5 separate techniques are baked into Invoke-Stealth, and you can use any number or all of them.