CPUfu – It is strong

So there is a new model making the rounds on the interwebs as an update to the well known Cyber “Kill-Chain” recently. I think its a reasonable model and makes sense. Forgetting there is an underlying corporate message from Carbon Black here, the general notion that this is more of an iterative loop than a chain is a decent evolution in looking at something like this.

https://www.securityweek.com/cyber-kill-chain-reimagined-industry-veteran-proposes-cognitive-attack-loop

Link to PDF that most of these articles are based. (warning – Carbon Black landing page). I have used their products, but am not endorsing anything 🙂

https://www.carbonblack.com/wp-content/uploads/2019/06/CB-WP-Cognitions-of-a-Cybercriminal.pdf

So I have had this blog for 4+ years. Use it rarely as you can see. Going to give it another crack to put some random musings so I can find them again in a future existence 🙂 – feel free to enjoy or not. 

Going to start posting some stuff here again at times. Makes it easier to share with folks.

Will likely be improved upon quickly, but cannot help but laugh about how insecure IOT is and consumers go and buy these things, install them and leave them out there. Its going to get worse before it gets better..Millions of non-technical consumers connecting stuff because they can…..

https://github.com/jgamblin/Mirai-Source-Code/tree/6a5941be681b839eeff8ece1de8b245bcd5ffb02

 

Active exploits in the wild on this one and it impacts almost everyone. (yes you linux 🙂 )

 

PDF attached TLP:White that has CVE details – open article to get full link

 

Get details here

Probably prudent to pay attention to this. Somewhat narrow in scope but important.

https://www.openssl.org/news/secadv_20150709.txt

 

If you are here, you have likely heard about the news making the rounds in the last couple days about the “Equation Group”. Several sites have been giving high level reviews of the exploits and information.

Kaspersky Labs has published some details on what all this means… Rather than bore you with a recount of what was already reported, I am attaching the direct from the source info. So below is attached the 44 page Q&A whitepaper that outlines details, dates and info.

High level information that was interesting from an exploit standpoint

– The ability to infect Hard Drive firmware that survives reboots, formatting and reinstall of OS and carves out its own space.

– Zero day exploits of Firefox TOR browsing

– Interesting write up about PHP infection of web forums that only infect you once you are registered with the forum.

– Amount of time this has been going on (years)

Based upon the target list and rates, it sure seems pretty clear (in my opinion) that this is US sponsored activity…but who knows for sure.

Also a link to the Kaspersky Labs article that summarizes it as well.

Equation Group – Death Star of the Malware Galaxy

Equation_group_questions_and_answers – PDF with details

 

So be sure to tell your end users to again to practice safe computing. Don’t click on email links and simply open attachments, be careful what you surf to in shady corners of the Internet.

Appears that there is still some cryptowall floating around in this “3.0” ransomware trojan variant that has been detected.

The folks over at SANS Internet Storm Center have a nice analysis on the traffic.

Analysis and write up here

They also mention malwr.com which is a nice free analysis service where you can submit or get your hands on the code in question to test or analyze youself. (be careful). Additionally you can upload also….

Lastly one of the screen shots mentions a nice tool called security onion which is a linux distro that will give you some advanced tools (like security monitoring, intrusion detection, etc). If your enterprise is not doing this sort of proactive monitoring of your systems, then its something you need to consider.

 

NTP users and server admins – There are multiple vulnerabilities that are in the wild that are being exploited actively. If you have not been paying attention to security updates, attached is a consolidated report that will give you the resources you need to protect your infrastructure.

Take a few minutes to read and see if the version you are running needs updated.

NTP-details

Another Poodle related vulnerability has been reported in the wild in various channels. This time impacting TLS to a degree. So admin’s should take a moment and read up on it and keep current as its likely to continue developing over the next couple days/weeks as more vendors are likely determined as I am sure F5 was just the start.

As reported in the links below, about 10% of web sites operated are likely vulnerable, and F5 devices are vulnerable, and some others. Links below offer some handling details, testing, and it appears a CVE has been reserved, but is not fully populated just yet.

Mitre Page

Blog entry with further details.

Poodle Bites blog entry

Web server testing tool (same as original poodle article with enhancements)

SSL Labs testing page

Adam Langley – Google Security Engineer – Blog (Imperial Violet)

Imperial Violet Blog – Poodle Again

F5 security page about the vulnerability (lists models and details)

F5 models and vulnerabilities

 

 

 

I need to spend some quality time looking and testing this further. It appears to be something that I can use in production quickly and easily.

Good summary here

https://www.binarydefense.com/project-artillery/

Also Holisticinfosec has a good writeup on it.

http://holisticinfosec.blogspot.com/

and here

http://www.southbasecamp.com/blog/setting-up-a-honeypot-artillery/