Detection Engineering Weekly #18 - 2000 subs and all we got was a lousy supply chain compromise
Remember the old Java ads that said "billions" of devices have Java? Well, imagine that but for VOIP phones
Welcome to Issue #18 of Detection Engineering Weekly!
MILESTONE HIT. 2000 SUBSCRIBERS! 🎉
I am so excited to announce that we have reached 2000 subscribers! I could not have done this without any of you. Thank you so much for your readership, patronage, and feedback. I, of course, couldn’t have done this without all the AMAZING CONTENT that many of my readers put out every week, whether on their personal or corporate blogs, Twitter or GitHub.
Seriously, thank you all.
So what’s next?
We keep going! I am spending more and more time on curation, using tools to organize my notes and references and talking with engineers and researchers in the field. My “email to the CEO” was a fun project that I started at 250 subscribers, and I want to keep that community engagement going. So, if you see something you like, or you write something, EMAIL ME! techy@detectionengineering.net
📣 A break from regular programming 📣
My dear friend Kenny Gould just published his first fantasy fiction book, The Castle of 1,000 Doors. It may not be threat detection related, but he pulled a lot of inspiration from fields we know and love, like statistics and data science. Also, there’s a talking spud :) Please consider buying his book on Amazon, reading it, and leaving a review!
Link to purchase: https://www.amazon.com/Castle-000-Doors-Progression-Toroth-Gol-ebook/dp/B0BXLTD9TY/
This week’s recap:
Hunting and detection with “weak signals” by Stairwell
Threat Informed Defense, OPSEC during attacker infrastructure mapping operations, and Meterpreter beats your favorite EDR
3CX gets pwned, publicly exposing a vulnerable service turns out to be a terrible idea, and yet-another (super interesting) open source detection and alerting system from Carta
Genesis Market gets nixed by the good guys, and hundreds of the thousands of stealer logs (and victims) get saved by law enforcement
🫵 Hey you! Do you have a blog post, social link, or open-source tool you want to see in this newsletter? How about a (tasteful) ad?
Leave a comment below or email me techy@detectionengineering.net
💎 Detection Engineering Gem 💎
Hunting with weak signals by Steve Miller
“A core piece of threat detection is managing for inevitable subterfuge.” This newsletter’s new byline is managing inevitable subterfuge, though I can’t say I coined it!
This gem of a post goes into not-so-common threat detection strategies that assume you collect (almost) all of the telemetry you can think of, rather than filtering down to only the telemetry you already believe is bad. Mapped to the funnel of fidelity, weak signals are not alerts in themselves but interesting events that warrant extra investigation. I enjoy Miller’s approach to “decorating” events by tagging them with weak signals as they progress through the detection pipeline. Eventually, these decorations paint a picture interesting enough to warrant an alert or investigation.
Miller provides examples of weak signal usage with APT29 as the test rat. By looking for “flip-flopped” strings that APT29 used for one Windows API, you expand the aperture to all kinds of interesting DLLs used by malware authors and find additional signals in the wild. A second example covers finding stack strings that are decoded in payloads at runtime.
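Here is an added example, not code from Miller’s post, of what decorating events with weighted weak-signal tags can look like: the sample events, the API name list, the three decorators and the alert threshold are all constructed assumptions, not anything the post itself uses.

```python
from __future__ import annotations
from typing import Any, Callable

# Constructed sample telemetry, not real events: image-load style records
# with the printable strings recovered from each loaded module.
EVENTS: list[dict[str, Any]] = [
    {"id": 1, "image": r"C:\Windows\System32\kernel32.dll", "signed": True,
     "strings": ["CreateFileW", "GetProcAddress"]},
    {"id": 2, "image": r"C:\Users\Public\upd.dll", "signed": False,
     "strings": ["sserddAcorPteG", "daerhTetomeRetaerC"]},  # reversed API names
    {"id": 3, "image": r"C:\Program Files\App\helper.dll", "signed": True,
     "strings": ["LoadLibraryA", "VirtualAlloc"]},
]

# Assumption: illustrative API names, not the specific API from Miller's post.
KNOWN_APIS = {"GetProcAddress", "CreateRemoteThread", "VirtualAlloc", "LoadLibraryA"}

def flipped_api_strings(ev: dict[str, Any]) -> bool:
    """Weak signal: a module string that is a known API name spelled backwards."""
    return any(s[::-1] in KNOWN_APIS for s in ev["strings"])

def unsigned_from_user_path(ev: dict[str, Any]) -> bool:
    """Weak signal: an unsigned module loaded from a user-writable location."""
    return not ev["signed"] and ev["image"].lower().startswith("c:\\users\\")

def injection_api_refs(ev: dict[str, Any]) -> bool:
    """Weak signal: plain or flipped names of APIs commonly seen in injection."""
    names = set(ev["strings"]) | {s[::-1] for s in ev["strings"]}
    return bool(names & {"CreateRemoteThread", "VirtualAlloc"})

# Each decorator carries a weight: none is alert-worthy alone, together they are.
DECORATORS: list[tuple[str, int, Callable[[dict[str, Any]], bool]]] = [
    ("flipped_api_string", 2, flipped_api_strings),
    ("unsigned_user_path", 1, unsigned_from_user_path),
    ("injection_api_refs", 1, injection_api_refs),
]
ALERT_THRESHOLD = 3  # funnel of fidelity: >= 3 alerts, 1-2 investigates, 0 is noise

def decorate(ev: dict[str, Any]) -> dict[str, Any]:
    """Tag an event with every weak signal that fires and sum their weights."""
    tags = [name for name, _, fn in DECORATORS if fn(ev)]
    score = sum(w for name, w, _ in DECORATORS if name in tags)
    tier = "alert" if score >= ALERT_THRESHOLD else "investigate" if score else "noise"
    return {**ev, "tags": tags, "score": score, "tier": tier}

def run_pipeline(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Decorate every event; the caller routes by the resulting tier."""
    return [decorate(e) for e in events]

if __name__ == "__main__":
    for out in run_pipeline(EVENTS):
        print(out["id"], out["tier"], out["score"], out["tags"])
```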
State of the Art
Threat Informed-Defense Ecosystem by Micah VanFossen
Introductory post to VanFossen’s Threat Informed-Defense website. The site has a ton of content geared towards folks who want to get started in the threat detection and defense space, focusing on taking a “threat-first” approach. In my opinion, this is way more useful than a mind-map, and it has a curriculum that covers everything from threat hunting and intelligence to labs and companies that perform “TID”.
OPSEC: The Wrong Way to "Reach Out and Touch Someone" by Greg Ake
You’ll see lots of 3CX content in this issue, and for good reason! This post focuses on the research-fueled gold rush researchers fall victim to when mapping attacker infrastructure. Imagine the adrenaline rush of knowing that you might be one of the first people to disclose a C2 server owned by an alleged North Korean nation-state hacker. Well, have you considered the implications for your safety, your organization’s safety, and the safety of the research operation? Great advice all around from Ake here.
Building Better Detection Systems: Introducing KRANG at Carta by John Sonnenschein
I love that companies are publishing more and more of their internal threat detection systems! Readers of this newsletter have seen platforms built at Brex, Netflix, Palantir, and of course, the usual suspects at open-source players like Elastic and Splunk. Carta’s requirements with KRANG include: detection as code, ease of writing rules, and using standardized data models to easily integrate with other SIEMs.
Microsoft Sentinel — Get actionable Threat Intelligence from Twitter by Antonio Formato
Social media and chat apps have been fantastic sources of threat intelligence throughout my career. If you want to try something out: go to Twitter/Mastodon and type in #log4shell or #emotet; you’d be surprised by the number of IOCs shared daily. Formato sets up a system in this post that reads IOCs from Twitter like a traditional threat feed and pushes the list directly into Microsoft Sentinel.
CVE-2023–23397 Report by m0lt3n
Pwning someone via a calendar invite sounds like a modern Office Space plotline. This time, instead of beating up a printer and stealing pennies, you can beat up an Outlook mailbox and ransomware your boss. All of this made possible from a sound file path located on your very own SMB server!
DFIR — Windows Forensics by whoami
If you need practice on Windows Forensics and detection opportunities, whoami’s post stepping through a Let’sDefend challenge can get you started quickly. TIL that Windows RDP has a “Bitmap Cache” file that stores images displayed during the session. Amazing work, whoami!
Meterpreter vs Modern EDR(s) by Daniel Feichter
I’m all for the current infosec Twitter debate moving from OSTs (broke) to EDRs (woke). Especially since most of the OSTs I see freely available on GitHub specifically mention that they are for educational use only. Like, come on, I’m fine with open-source red team tools, but you look more like a criminal adding THAT than writing the tool!
Anyways, Meterpreter is most likely the first love of all of us when it comes to offensive security tooling. You graduated quickly from using it to more modern frameworks, maybe Cobalt Strike or Merlin? Well, turns out, Meterpreter can bypass even the most advanced EDR features through these few simple tricks!
Detection Engineering on Social Media
Threat Landscape
CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers by Crowdstrike Research & Threat Intel
Alright, so this is the one. You’ve probably seen a bit of the news from last week: a massive VOIP/PBX provider was breached via a supply chain attack. The TL;DR is that a legitimately signed binary from 3CX was seen communicating with all kinds of C2 servers (Cobalt Strike) and Crowdstrike was the first to break the news. What was interesting about this disclosure is it first started with a Reddit post and then moved to this blog. 3CX seemed to have botched the situation even further with not-so-standard support instructions, and what’s even worse is that they charge per support ticket.
Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack by Georgy Kucherin, Vasily Berdnikov, Vilen Kamalov
*Puts on Tinfoil hat*
Okay, so an extremely clever supply chain attack happens against a massive VOIP distributor, right? And a public company attributes it with high confidence to North Korea, right? Well, get this, it all ends up in North Korea... stealing cryptocurrency? What if this was just a false flag, and we were all put on this path intentionally by best Korea?
*Slowly takes off tinfoil hat and looks up into space as if someone is watching me*
Honestly, I am not too surprised to see an infostealer being deployed here. From a victimology standpoint, if this was indeed North Korea, this is a great entry point to gain access to massive companies, some of them most likely being crypto-related.
15 million public-facing services vulnerable to CISA KEV flaws by Bill Toulas
It seems to be a weekly occurrence that I talk about CISA’s KEV Catalog, but I hope studies like this justify my persistence. According to the cybersecurity company Rezilion, a massive 15 million publicly accessible services are vulnerable to one of the hundreds of vulnerabilities listed by CISA. If I had to guess, many of these are honeypots, but probably not as many as you think.
Moobot Strikes Again - Targeting Cacti And RealTek Vulnerabilities by Cara Lin
Speaking of exposed services, if you are running vulnerable versions of Cacti and RealTek on the internet, expect lots of traffic from actors deploying Moobot & ShellBot. The best part? Is it written in some modern language like Rust or Go? Nope, Perl!
ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access by Jason Deyalsingh, Nick Smith, Eduardo Mattos and Tyler Mclellan
According to Mandiant, an ALPHV affiliate is targeting publicly exposed Veritas Backup Exec servers and is using not one but three different CVEs to gain initial access to victim environments. The low-hanging fruit of known vulnerable services lowers the startup costs for affiliates, whereas other initial access methods rely on stolen credentials from other infections.
And the best section? Detection Opportunities!
Proxyjacking has Entered the Chat by Crystal Morin
I guess this newsletter issue is dedicated to exposed services! Morin and the Sysdig team found an infection from a vulnerable Log4j2 instance that led to the attacker dropping proxyjacking malware. Instead of using your computer for cryptomining, proxyjacking attacks use your computer to serve traffic via a proxy for monetary gain. A bit scary, given what kind of things can go through a proxy without you knowing.
Genesis Market, one of world’s largest platforms for cyber fraud, seized by police by Alexander Martin
Y’all. I tried. I tried not to post any more stories about infostealers besides one. They just come up in SO many feeds, stories, and fantastic blogs. But this one is a bit different. If you aren’t familiar with Genesis Market, many session cookies, passwords, and login tokens pilfered using infostealers end up on this criminal forum for sale. And not just a few thousand; I’m talking hundreds of thousands of “logs” being sold in just one spot.
Turns out, the FBI reads my newsletter, and they were so sick of my commentary on infostealers that they took down Genesis to get me to shut up. Congrats to all of those who worked on this case!
Open Source
krang by Carta
If you haven’t read Carta’s Medium post on KRANG, scroll up to the “State of the Art” section and check it out!
caOptics by jsa2
Open-source CIEM-like tool to look at Azure AD conditional access and reduce the complexity of managing IAM in Azure.
pyrdp by GoSecure
A slightly older repo, but still a goodie when it comes to maintaining honeypots. Still very much maintained, and it does all kinds of amazing things, like letting you watch attackers interact with your RDP session live!
fibratus by rabbitstack
I think observability and security products are converging, and the same tooling and techniques used to monitor massive fleets of production servers will also be used for security. Fibratus implements an eBPF-like “trap” system to collect system events for additional security analysis.